Comment # 5 on bug 1206757 from 
Not that much has changed since the last audit. In fact there have only
been minor version bumps, going from 1.2.6 to 1.2.16. I diffed the
changes and revisited a few interesting parts.

Changes from 1.2.6 ��������� 1.2.16:
- minor refactoring
- bug fixes
- added GTK4 support

Observations:

- The D-Bus interface is still only accessible by root. 
- IKEv1 with SHA-1 is deprecated and it may be considered questionable
  to still include as an option in a modern VPN tool. Nevertheless this
  isn't a problem of this plugin but, if anything, a problem of the
  underlying software stack.  It would be nice if the UI warned against
  outdated configurations.
- `import_from_file`: the parser has been rewritten and now utilizes an
  error-prone string handling style, but a) it's done correctly, as long
  as no subsequent maintainer screws up, b) as of now the worst than can
  happen are out-of-bounds reads in an unprivileged user context. OK.
- `export_to_file` still uses mode (masked) 666 for exported VPN
  configurations. Not super nice, but not a security vulnerability.
  The exported config does NOT include plaintext passwords. Good!

Conclusion:

NetworkManager, especially in combination with plugins like this one, is
a complex beast and oversights can't be ruled out. I did not observe any
obvious security issues. The coding style is mostly of high quality with
numerous checks for error conditions. Subprocess invocation is
implemented carefully. Its input parsers are sane too. Maybe deprecated
modes should include warnings in the UI, but that's a matter of taste,
not a bug.

I will proceed with the whitelisting.

You are receiving this mail because: