Bug 768575

Summary: wicd repotedly logs sensitive information to log file
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dcantrell
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-11 08:31:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kurt Seifried 2011-12-17 05:58:09 UTC 
on Fedora the log is /var/log/wicd.log mode 0600 root:root so this appears to not be an issue, but somone might want to confirm.


http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652417
Package: wicd
Version: 1.7.1~b3-3
Severity: grave
Tags: security
Justification: user security hole

wicd writes sensitive information in log files (under /var/log/wicd),
such as passwords and passphrases. Users in the adm group can have
access to them, but also log files are meant to be sent in bug
reports, and if the bug reporter doesn't pay attention, there is
a huge risk to transmit such information.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages wicd depends on:
ii  wicd-daemon             1.7.1~b3-3
ii  wicd-gtk [wicd-client]  1.7.1~b3-3

wicd recommends no packages.

wicd suggests no packages.

Versions of packages wicd-gtk depends on:
ii  python         2.7.2-9
ii  python-glade2  2.24.0-2
ii  python-gtk2    2.24.0-2
ii  wicd-daemon    1.7.1~b3-3

Versions of packages wicd-gtk recommends:
ii  gksu           2.0.2-6
ii  python-notify  0.1.1-3

Versions of packages wicd-daemon depends on:
ii  adduser                         3.113
ii  dbus                            1.4.16-1
ii  debconf                         1.5.41
ii  ethtool                         1:3.1-1
ii  iproute                         20111117-1
ii  iputils-ping                    3:20101006-1+b1
ii  isc-dhcp-client [dhcp3-client]  4.1.1-P1-17
ii  lsb-base                        3.2-28
ii  net-tools                       1.60-24.1
ii  psmisc                          22.14-1
ii  python                          2.7.2-9
ii  python-dbus                     0.84.0-2
ii  python-gobject                  3.0.3-1
ii  python-wicd                     1.7.1~b3-3
ii  wireless-tools                  30~pre9-7
ii  wpasupplicant                   0.7.3-5

Versions of packages wicd-daemon recommends:
ii  wicd-gtk [wicd-client]  1.7.1~b3-3

Versions of packages wicd-daemon suggests:
ii  pm-utils  1.4.1-8

Versions of packages python-wicd depends on:
ii  python     2.7.2-9
ii  python2.6  2.6.7-4
ii  python2.7  2.7.2-8

-- debconf information:
* wicd/users: vinc17
* wicd/users: vinc17
Comment 1 Kurt Seifried 2012-01-26 00:19:05 UTC 
Fixed upstream (mask out sensitive information):

http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682
Comment 2 Kurt Seifried 2012-12-11 08:31:47 UTC 

*** This bug has been marked as a duplicate of bug 785147 ***