
Bug 401005 (CVE-2012-0813)

Summary: <net-misc/wicd-1.7.1_pre20120127 writes sensitive information in log files (CVE-2012-0813)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: c1pher, tomka
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2012/01/26/13
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 411729
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2012-01-27 09:32:55 UTC
From oss-security mailing list at $URL:

wicd writes sensitive information in log files (password, passphrase...)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652417

From: Vincent Lefevre <vincent@vinc17.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wicd writes sensitive information in log files (password,
 passphrase...)
Date: Sat, 17 Dec 2011 03:27:32 +0100

Package: wicd
Version: 1.7.1~b3-3
Severity: grave
Tags: security
Justification: user security hole

wicd writes sensitive information in log files (under /var/log/wicd),
such as passwords and passphrases. Users in the adm group can have
access to them, but also log files are meant to be sent in bug
reports, and if the bug reporter doesn't pay attention, there is
a huge risk to transmit such information.

http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682

=== modified file 'wicd/configmanager.py'
--- wicd/configmanager.py       2011-12-15 18:21:53 +0000
+++ wicd/configmanager.py       2011-12-17 06:55:18 +0000
@@ -120,8 +120,13 @@
             ret = to_unicode(ret)
             if default:
                 if self.debug:
-                    print ''.join(['found ', option, ' in configuration ',
-                                   str(ret)])
+                    # mask out sensitive information
+                    if option in ['apsk', 'password', 'identity',
'private_key', \
+                                  'private_key_passwd', 'key',
'passphrase']:
+                        print ''.join(['found ', option, ' in
configuration *****'])
+                    else:
+                        print ''.join(['found ', option, ' in
configuration ',
+                                       str(ret)])
         else:
             if default != "__None__":
                 print 'did not find %s in configuration, setting
default %s' % (option, str(default))
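Review bot: the masking only covers the `found ... in configuration` message; the `else` branch at the bottom of the hunk still prints `str(default)` unmasked in `'did not find %s in configuration, setting default %s'`, so a sensitive default value would still reach the log. Suggest applying the same option-name check there, and hoisting the inline literal list (`'apsk', 'password', 'identity', 'private_key', 'private_key_passwd', 'key', 'passphrase'`) into a module-level constant so every logging site shares one list; as an exact-match list buried in one method it will silently miss any secret-bearing option name added later.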
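The fix quoted above masks values by option name before they are printed. As an added example, not wicd's own code, the Python module below applies the same idea more broadly: the names in SENSITIVE_OPTIONS are the ones masked in the patch, while the substring hints, the masking of default values, the redacted-copy helper and the leaks_secret check (which a test can run over a rendered log line to confirm no secret value survived) are assumptions of mine, and SAMPLE_CONFIG is a constructed sample rather than a real network profile.

```python
# Added example, not wicd's code: keep secrets out of debug/log output.
# SENSITIVE_OPTIONS mirrors the option names masked in the wicd patch;
# everything else here is an assumption for illustration.

SENSITIVE_OPTIONS = frozenset([
    'apsk', 'password', 'identity', 'private_key',
    'private_key_passwd', 'key', 'passphrase',
])
# Substring hints catch option names the fixed list does not know about.
# Over-masking (e.g. a harmless name containing "key") is the safe direction.
SENSITIVE_HINTS = ('pass', 'key', 'secret', 'token', 'psk')
MASK = '*****'


def is_sensitive(option):
    """True if this option name should never have its value logged."""
    name = option.lower()
    return name in SENSITIVE_OPTIONS or any(h in name for h in SENSITIVE_HINTS)


def format_found(option, value):
    """Debug message for an option read from the config, masked if needed."""
    shown = MASK if is_sensitive(option) else str(value)
    return 'found %s in configuration %s' % (option, shown)


def format_default(option, default):
    """Defaults can carry secrets too, so the same rule applies to them."""
    shown = MASK if is_sensitive(option) else str(default)
    return 'did not find %s in configuration, setting default %s' % (option, shown)


def redacted_copy(config):
    """Copy of a config section safe to dump into a log or bug report."""
    return {k: (MASK if is_sensitive(k) else v) for k, v in config.items()}


def leaks_secret(text, config):
    """True if any secret-bearing value from config appears verbatim in text."""
    for k, v in config.items():
        if is_sensitive(k) and v and str(v) in text:
            return True
    return False


# Constructed sample profile (not real credentials).
SAMPLE_CONFIG = {
    'essid': 'CoffeeShop',
    'apsk': 'correct horse battery staple',
    'dhcphostname': 'laptop',
    'wpa2_key': 'hunter2',   # not in the patch's list; caught by a hint
}

if __name__ == '__main__':
    for k, v in SAMPLE_CONFIG.items():
        line = format_found(k, v)
        print(line)
        # Guard that belongs in a unit test: the rendered line leaks nothing.
        assert not leaks_secret(line, SAMPLE_CONFIG)
    print(format_default('apsk', ''))
    print(redacted_copy(SAMPLE_CONFIG))
```

The leaks_secret check is the part worth wiring into a test suite: it verifies the property the Debian report cares about (no secret value ends up in a log line) independently of how the masking is implemented, so a later logging site that forgets the mask fails the test instead of shipping.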
Comment 1 Thomas Kahle (RETIRED) gentoo-dev 2012-01-27 10:06:58 UTC
Bumped to a recent snapshot including the patch:

+*wicd-1.7.1_pre20120127 (27 Jan 2012)
+
+  27 Jan 2012; Thomas Kahle <tomka@gentoo.org> +wicd-1.7.1_pre20120127.ebuild:
+  bump to fix bug 401005


Shall we stable this one?
Comment 2 Agostino Sarubbo gentoo-dev 2012-01-27 10:13:51 UTC
(In reply to comment #1)
> Shall we stable this one?

Sure.

Arches, please test and mark stable:
=net-misc/wicd-1.7.1_pre20120127
Target keywords : "amd64 ppc ppc64 x86"
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-01-27 13:11:08 UTC
x86: is ok
Comment 4 Agostino Sarubbo gentoo-dev 2012-01-27 13:39:20 UTC
amd64 stable
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-29 12:23:42 UTC
x86 stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2012-02-01 17:21:05 UTC
ppc done
Comment 7 Agostino Sarubbo gentoo-dev 2012-04-12 12:54:46 UTC
@ppc64 

no need to spend your time to stabilize a vulnerable version. You will continue in bug 411729
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-04-15 04:07:35 UTC
GLSA vote: yes.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-15 09:14:43 UTC
GLSA vote: yes. Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 10:34:23 UTC
This issue was resolved and addressed in
 GLSA 201206-08 at http://security.gentoo.org/glsa/glsa-201206-08.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-07-13 21:25:04 UTC
CVE-2012-0813 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0813):
  Wicd before 1.7.1 saves sensitive information in log files in /var/log/wicd,
  which allows context-dependent attackers to obtain passwords and other
  sensitive information.