Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 411729 (CVE-2012-2095)

Summary: <net-misc/wicd-1.7.2.1 : "SetWiredProperty()" Privilege Escalation Vulnerability (CVE-2012-2095)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: c1pher, tomka, write2David
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/48759/
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 401005, 412063    

Description Agostino Sarubbo gentoo-dev 2012-04-12 12:50:16 UTC 
From secunia security advisory at $URL:

Description
A vulnerability has been reported in Wicd, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The vulnerability is caused due to an input sanitisation error within the "SetWiredProperty()" method (wicd-daemon.py) when setting certain properties and can be exploited to execute arbitrary commands.

The vulnerability is reported in version 1.7.1. Prior versions may also be affected.


Solution
Update to version 1.7.2.
Comment 1 Thomas Kahle (RETIRED) gentoo-dev 2012-04-12 15:28:52 UTC 
Hmm, nls toggle was dropped and the curses gui stopped to work. 1.7.2 looks bad(tm), I'll need a bit to sort things out, sorry. Please stay tuned.
Comment 2 Thomas Kahle (RETIRED) gentoo-dev 2012-04-13 07:17:06 UTC 
*** Bug 411759 has been marked as a duplicate of this bug. ***
Comment 3 Agostino Sarubbo gentoo-dev 2012-04-13 07:43:00 UTC 
(In reply to comment #1)
> Hmm, nls toggle was dropped and the curses gui stopped to work. 1.7.2 looks
> bad(tm), I'll need a bit to sort things out, sorry. Please stay tuned.

How about make, e.g. 1.7.1_pre20120127-r1 or 1.7.1-r4 that contains the patch for wicd-daemon.py?
Comment 4 Thomas Kahle (RETIRED) gentoo-dev 2012-04-13 07:44:07 UTC 
1.7.2.1 is in cvs.  Happy Fri 13!

+  13 Apr 2012; Thomas Kahle <tomka@gentoo.org> +wicd-1.7.2.1.ebuild:
+  Security bump (bug 411729)
Comment 5 Thomas Kahle (RETIRED) gentoo-dev 2012-04-13 07:46:24 UTC 
x86, amd64: Please test and stable.
Comment 6 Agostino Sarubbo gentoo-dev 2012-04-14 11:41:31 UTC 
amd64 stable
Comment 7 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-04-14 22:14:56 UTC 
x86 stable
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-04-15 04:06:53 UTC 
Thanks, folks. GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 10:34:30 UTC 
This issue was resolved and addressed in
 GLSA 201206-08 at http://security.gentoo.org/glsa/glsa-201206-08.xml
by GLSA coordinator Sean Amoss (ackle).