More info:
https://bugzilla.redhat.com/show_bug.cgi?id=585394http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1172
dbus-glib was not properly enforcing the 'access' permissions on
object properties exported using its API. There were 2 specific bugs:
1) dbus-glib did not enforce the introspection read/write property
permissions, so if the GObject property definition allowed write
access (which is sometimes desirable), D-Bus clients could modify
that value even if the introspection said it was read-only
2) dbus-glib was not filtering out GObject properties that were
not listed in the introspection XML. Thus, if the GObject defined
more properties than were listed in the introspection XML (which is
also often useful, and NM uses this quite a bit) those properties
would also be exposed to D-Bus clients.
To fix this completely, you need to:
1) get dbus-glib master when the patch is commited, OR grab the
patch from https://bugzilla.redhat.com/show_bug.cgi?id=585394 and
build a new dbus-glib
2) rebuild NetworkManager against the new dbus-glib
Monitor the kernel firmware directory (set at configure-time with
--with-kernel-firmware-dir=<path>) for changes, and if there
are any, try bringing up devices that are missing firmware.
Some stuff we build (the DHCP manager) gets built independently
so that we can use it for unit tests. For that, we need to build
the logging bits separately too, since the independent DHCP
library can't use them if they are embedded in NM.
Link against libm (using the LT_LIB_M macro and the $LIBM variable) as
we are using pow() and otherwise fail to build with stricter linkers like
binutils-gold.
Automatic IPv6 configuration is handled by the kernel, but to
integrate it properly with NetworkManager, we need to watch what the
kernel does to see whether or not it was successful (so that we can
let the user know if there is no IPv6 router present, for example).
NMIP6Manager takes care of this.
rtnl_addr requires that all addresses have the "peer" attribute set in
order to be compared for equality, but this attribute is not normally
set. As a result, most addresses will not compare as equal even to
themselves, busting caching. We fix this for now by poking into the
guts of libnl if it is broken...
The old NMExportedConnection was used for both client and server-side classes,
which was a mistake and made the code very complicated to follow. Additionally,
all PolicyKit operations were synchronous, and PK operations can block for a
long time (ie for user input) before returning, so they need to be async. But
NMExportedConnection and NMSysconfigConnection didn't allow for async PK ops
at all.
Use this opportunity to clean up the mess and create GInterfaces that both
server and client objects implement, so that the connection editor and applet
can operate on generic objects like they did before (using the interfaces) but
can perform specific operations (like async PK verification of callers) depending
on whether they are local or remote or whatever.
The only thing that doesn't work yet is the system-settings service's
"auto eth" connections for ethernet devices that don't have an existing
connection. Might also have issues with unmanaged devices that can't
provide a MAC address until they are brought up, but we'll see.
Instead of requiring applets to hash passphrases, just do it in NM instead.
This should fix confusion where people don't understand that they are seeing
their hashed passphrase.
Use AC_GNU_SOURCE macro instead of setting -D_GNU_SOURCE manually.
The macro will add the _GNU_SOURCE define to config.h for systems that
have the GNU extensions.
