Bug#: 258596
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Stefan Behte <craig@gentoo.org>
Description:   Opened: 2009-02-11 13:02 0000
CVE-2009-0489 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0489):
  The DBus configuration file for Wicd before 1.5.9 allows arbitrary
  users to own org.wicd.daemon, which allows local users to receive
  messages that were intended for the Wicd daemon, possibly including
  credentials.
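
The class of misconfiguration the CVE text describes can be checked for mechanically. The following is an added example, not code from Wicd or from this bug: a small auditor that reports bus names any local user may own under a D-Bus policy file. Both policy snippets are constructed for illustration and are not the actual Wicd configuration files; the function name open_ownership is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the default context lets every connection own the name.
WEAK = """<busconfig>
  <policy context="default">
    <allow own="org.wicd.daemon"/>
    <allow send_destination="org.wicd.daemon"/>
  </policy>
</busconfig>"""

# Constructed sample: only root may own the name; others may still call it.
FIXED = """<busconfig>
  <policy user="root">
    <allow own="org.wicd.daemon"/>
  </policy>
  <policy context="default">
    <deny own="org.wicd.daemon"/>
    <allow send_destination="org.wicd.daemon"/>
  </policy>
</busconfig>"""


def open_ownership(policy_xml):
    """Return the bus names that any local user may own under this policy.

    Simplified model: only exact own="..." rules inside
    <policy context="default"> are considered, and a later rule for the
    same name overrides an earlier one.
    """
    root = ET.fromstring(policy_xml)
    verdict = {}
    for policy in root.iter("policy"):
        # user=/group= policies are scoped to that principal, so skip them;
        # context="default" applies to every connection on the bus.
        if policy.get("context") != "default":
            continue
        for rule in policy:
            name = rule.get("own")
            if name is not None:
                verdict[name] = (rule.tag == "allow")
    return sorted(name for name, allowed in verdict.items() if allowed)


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("fixed", FIXED)):
        print(label, open_ownership(xml_text))
```

Run over the files in the system bus policy directory, a non-empty result for a daemon's well-known name means an unprivileged process can claim that name before, or instead of, the real daemon.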

------- Comment #1 From Jeremy Olexa (darkside) 2009-02-11 13:48:09 0000 -------
*** Bug 258483 has been marked as a duplicate of this bug. ***

------- Comment #2 From Jeremy Olexa (darkside) 2009-02-11 13:49:20 0000 -------
Already ready. Add arches: amd64 ppc x86

(ppc will need to do bug 258482 first)

------- Comment #3 From Stefan Behte 2009-02-11 23:17:19 0000 -------
Arches, please test and mark stable:
=net-misc/wicd-1.5.9
Target keywords : "amd64 ppc x86"


ppc: please have a look at bug 258482 first!

------- Comment #4 From Jeremy Olexa (darkside) 2009-02-12 20:45:17 0000 -------
*** Bug 253228 has been marked as a duplicate of this bug. ***

------- Comment #5 From Jeremy Olexa (darkside) 2009-02-12 20:46:46 0000 -------
=net-misc/wicd-1.5.9-r1 is the new target. Sorry, I overlooked the init script
and it is now proper.

------- Comment #6 From Markus Meier 2009-02-15 11:04:11 0000 -------
amd64/x86 stable

------- Comment #7 From Tobias Scherbaum 2009-02-25 16:25:47 0000 -------
ppc stable

------- Comment #8 From Jeremy Olexa (darkside) 2009-02-26 22:40:24 0000 -------
All arches stable.

+  26 Feb 2009; Jeremy Olexa <darkside@gentoo.org>
+  -files/wicd-1.5.2-docs.patch, -wicd-1.5.2.ebuild, -wicd-1.5.4.ebuild,
+  -wicd-1.5.6.ebuild, -wicd-1.5.7-r1.ebuild, -wicd-1.5.8.ebuild:
+  remove old ebuilds affected by CVE-2009-0489
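Review bot: the summary line ("remove old ebuilds affected by CVE-2009-0489") cites only the CVE; adding the bug number (258596) would tie this ChangeLog entry to the stabilization record. The removal list ends at wicd-1.5.8.ebuild, which matches the CVE's "before 1.5.9" range, but the entry does not say what happens to wicd-1.5.9.ebuild, which Comment #5 superseded with -r1; a word on whether it stays in the tree would help.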

------- Comment #9 From Stefan Behte 2009-02-26 23:47:13 0000 -------
Ready to vote, I vote NO.

------- Comment #10 From Tobias Heinlein 2009-04-08 17:56:19 0000 -------
I vote YES though.

------- Comment #11 From Robert Buchholz 2009-04-08 22:52:37 0000 -------
YES, request filed

------- Comment #12 From Tobias Heinlein 2009-04-10 13:57:49 0000 -------
GLSA 200904-12, thanks everyone.
