Bug 785147 (CVE-2012-0813)

Summary: CVE-2012-0813 wicd: Sensitive information disclosure via log file entries
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: dcantrell
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2018-07-27 18:27:31 UTC
Bug Depends On: 785149, 785150

Description Jan Lieskovsky 2012-01-27 12:57:04 UTC
A sensitive information disclosure flaw was found in the way wicd, a wireless and wired network connection manager, managed sensitive information to be stored in log files. Fields like 'password', 'identity', 'private_key', 'private_key_passwd' etc. were not excluded from being logged into the /var/log/wicd log file, which could allow a local attacker with the privileges of the 'adm' group to view the content of these entities in plain text, leading to information disclosure.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652417
[2] https://bugs.gentoo.org/show_bug.cgi?id=401005
[3] http://www.openwall.com/lists/oss-security/2012/01/26/13
    (CVE request)
[4] http://www.openwall.com/lists/oss-security/2012/01/26/14
    (CVE assignment)

Upstream (experimental branch) patch:
[5] http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682
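The logging defect described in this report, as an added example that is not wicd's own code: the four field names come from the description above, while the profile layout, the logger setup and the broader `pass|private_key|psk|secret` key pattern are assumptions made for illustration. `redact_profile` is the fix-side behaviour; `leaked_fields` is the check a packager can run over the daemon log to confirm that credential values no longer appear in it.

```python
"""Redact credential fields before they reach the wicd log (added example)."""
import logging
import re
from io import StringIO

# Field names taken from the bug report; the regex generalises to similar
# key names and is an assumption, not a list taken from wicd itself.
SENSITIVE_FIELDS = {"password", "identity", "private_key", "private_key_passwd"}
SENSITIVE_PATTERN = re.compile(r"pass|private_key|psk|secret", re.I)


def is_sensitive(key):
    return key in SENSITIVE_FIELDS or bool(SENSITIVE_PATTERN.search(key))


def redact_profile(profile):
    """Copy of a network-profile dict with credential values masked.

    Empty/None values are kept so the log still shows which fields are unset.
    """
    return {k: ("<redacted>" if is_sensitive(k) and v not in (None, "") else v)
            for k, v in profile.items()}


def leaked_fields(log_text, profile):
    """Names of sensitive fields whose literal value appears in log_text."""
    return sorted(k for k, v in profile.items()
                  if is_sensitive(k) and v and str(v) in log_text)


def write_profile_to_log(profile, redact):
    """Log a profile the vulnerable way (redact=False) or the fixed way."""
    buf = StringIO()
    logger = logging.getLogger("wicd-example-%s" % redact)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    shown = redact_profile(profile) if redact else profile
    logger.debug("Setting profile: %s", shown)
    return buf.getvalue()


# Constructed sample profile; the values are placeholders, not real secrets.
SAMPLE = {"essid": "corp-wifi", "identity": "alice", "password": "Hunter2!",
          "private_key": "/home/alice/.wicd/alice.pem",
          "private_key_passwd": "keypass", "dhcphostname": "laptop"}

if __name__ == "__main__":
    # ['identity', 'password', 'private_key', 'private_key_passwd']
    print(leaked_fields(write_profile_to_log(SAMPLE, False), SAMPLE))
    print(leaked_fields(write_profile_to_log(SAMPLE, True), SAMPLE))  # []
```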

Comment 1 Jan Lieskovsky 2012-01-27 13:00:14 UTC
This issue affects the version of the wicd package, as shipped with Fedora EPEL 6. Please schedule an update.

--

This issue affects the versions of the wicd package, as shipped with Fedora release of 15 and 16. Please schedule an update.

Comment 2 Jan Lieskovsky 2012-01-27 13:01:27 UTC
Created wicd tracking bugs for this issue

Affects: fedora-all [bug 785149]
Affects: epel-6 [bug 785150]

Comment 3 David Cantrell 2012-01-27 20:15:06 UTC
I have patched wicd for F-15, F-16, rawhide, and EPEL-6 and built updates:

wicd-1.7.0-11.fc15
wicd-1.7.0-10-fc16
wicd-1.7.1-0.3.b2.fc17
wicd-1.7.0-2.el6

I am confused with the two tracker bugs and how to properly file a security update in the updates system.

Comment 4 Jan Lieskovsky 2012-01-30 07:39:27 UTC
(In reply to comment #3)

Hello David,

> I have patched wicd for F-15, F-16, rawhide, and EPEL-6 and built updates:
> 
> wicd-1.7.0-11.fc15
> wicd-1.7.0-10-fc16
> wicd-1.7.1-0.3.b2.fc17
> wicd-1.7.0-2.el6

Thank you for scheduling these.

> 
> I am confused with the two tracker bugs and how to properly file a security
> update in the updates system.

When making the Bodhi update request, each of the Fedora updates:
1) wicd-1.7.0-11.fc15, wicd-1.7.0-10-fc16, and wicd-1.7.1-0.3.b2.fc17 should reference the following two bugs: #785147 (i.e. this one), and #785149 (i.e. the fedora-all tracker),

2) while the Fedora EPEL 6 update: wicd-1.7.0-2.el6 should reference the following two bugs: #785147 (this one) and #785150 (epel-6 tracker) in the Bugs Fixed section.

Bodhi will then take care of the rest.

Comment 5 David Cantrell 2012-01-31 16:02:27 UTC
Thank you for the information.  I have filed bodhi updates for wicd-1.7.0-11.fc15, wicd-1.7.0-10-fc16, and wicd-1.7.0-2.el6.  The F-17 build will just make it in to F-17 final.

Comment 6 Jan Lieskovsky 2012-01-31 16:09:49 UTC
(In reply to comment #5)
> Thank you for the information.  I have filed bodhi updates for
> wicd-1.7.0-11.fc15, wicd-1.7.0-10-fc16
> , and wicd-1.7.0-2.el6.  The F-17 build will just make it in to F-17 final.

Brilliant, thank you for those.

Comment 7 Fedora Update System 2012-02-16 20:08:10 UTC
wicd-1.7.0-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2012-02-17 00:53:38 UTC
wicd-1.7.0-10.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-02-17 00:54:42 UTC
wicd-1.7.0-11.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Kurt Seifried 2012-12-11 08:31:47 UTC
*** Bug 768575 has been marked as a duplicate of this bug. ***