Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 661712 (CVE-2018-10900)

Summary: <net-misc/networkmanager-vpnc-1.2.6: privilege escalation allows to execute arbitrary commands as root (CVE-2018-10900)
Product: Gentoo Security Reporter: Florian Schuhmacher <mynt1aa>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: gnome
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---

Description Florian Schuhmacher 2018-07-21 03:05:34 UTC
The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.

Gentoo Security Scout
Florian Schuhmacher
Comment 1 Larry the Git Cow gentoo-dev 2018-07-24 23:50:20 UTC
The bug has been referenced in the following commit(s):

commit 3cf88f8d4ae9db896054b12a03ff17e495adbdfd
Author:     Mart Raudsepp <>
AuthorDate: 2018-07-24 23:48:52 +0000
Commit:     Mart Raudsepp <>
CommitDate: 2018-07-24 23:49:32 +0000

    net-misc/networkmanager-vpnc: security bump to 1.2.6
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 net-misc/networkmanager-vpnc/Manifest              |  1 +
 .../networkmanager-vpnc-1.2.6.ebuild               | 49 ++++++++++++++++++++++
 2 files changed, 50 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2018-07-25 08:25:24 UTC
amd64 stable
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-28 13:45:41 UTC
x86 stable
Comment 4 Michael Boyle 2018-07-30 00:26:40 UTC
GLSA filled.
Acked-by: ChrisADR

Michael Boyle
Security Padawan.
Comment 5 Michael Boyle 2018-07-30 00:28:08 UTC
GLSA filled.
Acked-by: ChrisADR

Michael Boyle
Security Padawan.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 21:28:59 UTC
This issue was resolved and addressed in
 GLSA 201808-03 at
by GLSA coordinator Thomas Deutschmann (whissi).