Bug 258596 (CVE-2009-0489) - <net-misc/wicd-1.5.9 message interception (CVE-2009-0489)
Summary: <net-misc/wicd-1.5.9 message interception (CVE-2009-0489)
Status: RESOLVED FIXED
Alias: CVE-2009-0489
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Duplicates: 253228 258483
Reported: 2009-02-11 13:02 UTC by Stefan Behte (RETIRED)
Modified: 2009-04-10 13:57 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-02-11 13:02:07 UTC
CVE-2009-0489 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0489):
  The DBus configuration file for Wicd before 1.5.9 allows arbitrary
  users to own org.wicd.daemon, which allows local users to receive
  messages that were intended for the Wicd daemon, possibly including
  credentials.
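
An added example, not part of the bug report or of the Wicd project's code: a check for the misconfiguration class described in the CVE text, where a D-Bus policy file lets any user own a service's bus name. Both sample policies are constructed for illustration and are not the actual Wicd configuration files; the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not the actual Wicd files): WEAK lets any
# user claim the daemon's bus name, FIXED restricts ownership to root.
WEAK = """<busconfig>
  <policy context="default">
    <allow own="org.wicd.daemon"/>
    <allow send_destination="org.wicd.daemon"/>
  </policy>
</busconfig>"""

FIXED = """<busconfig>
  <policy user="root">
    <allow own="org.wicd.daemon"/>
  </policy>
  <policy context="default">
    <deny own="org.wicd.daemon"/>
    <allow send_destination="org.wicd.daemon"/>
  </policy>
</busconfig>"""


def world_ownable_names(policy_xml):
    """Return bus names that context="default" policies let any user own.

    Simplification (assumption of this example): only <allow own> and
    <deny own> rules inside default-context policies are evaluated, in
    document order, with the last matching rule winning.
    """
    ownable = set()
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        if policy.get("context") != "default":
            continue  # user/group-scoped policies do not apply to everyone
        for rule in policy:
            name = rule.get("own")
            if name is None:
                continue  # not an ownership rule (e.g. send_destination)
            if rule.tag == "allow":
                ownable.add(name)
            elif rule.tag == "deny":
                if name == "*":
                    ownable.clear()
                else:
                    ownable.discard(name)
    return sorted(ownable)


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("fixed", FIXED)):
        print(label, world_ownable_names(xml_text))
```

Run over the policy files installed for the system bus, a non-empty result for a privileged daemon's name indicates the condition the CVE describes.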
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-02-11 13:48:09 UTC
*** Bug 258483 has been marked as a duplicate of this bug. ***
Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-02-11 13:49:20 UTC
Already ready. Add arches: amd64 ppc x86

(ppc will need to do bug 258482 first)
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-11 23:17:19 UTC
Arches, please test and mark stable:
=net-misc/wicd-1.5.9
Target keywords : "amd64 ppc x86"


ppc: please have a look at bug 258482 first!
Comment 4 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-02-12 20:45:17 UTC
*** Bug 253228 has been marked as a duplicate of this bug. ***
Comment 5 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-02-12 20:46:46 UTC
=net-misc/wicd-1.5.9-r1 is the new target. Sorry, I overlooked the init script and it is now proper.
Comment 6 Markus Meier gentoo-dev 2009-02-15 11:04:11 UTC
amd64/x86 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-25 16:25:47 UTC
ppc stable
Comment 8 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-02-26 22:40:24 UTC
All arches stable.

+  26 Feb 2009; Jeremy Olexa <darkside@gentoo.org>
+  -files/wicd-1.5.2-docs.patch, -wicd-1.5.2.ebuild, -wicd-1.5.4.ebuild,
+  -wicd-1.5.6.ebuild, -wicd-1.5.7-r1.ebuild, -wicd-1.5.8.ebuild:
+  remove old ebuilds affected by CVE-2009-0489
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-26 23:47:13 UTC
Ready to vote, I vote NO.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-08 17:56:19 UTC
I vote YES though.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-04-08 22:52:37 UTC
YES, request filed
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-10 13:57:49 UTC
GLSA 200904-12, thanks everyone.