Bug 785147 (CVE-2012-0813) - CVE-2012-0813 wicd: Sensitive information disclosure via log file entries
Status: CLOSED ERRATA
Alias: CVE-2012-0813
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: 768575
Depends On: 785149 785150
Reported: 2012-01-27 12:57 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:50 UTC (History)

Doc Type: Bug Fix
Last Closed: 2018-07-27 18:27:31 UTC


Description Jan Lieskovsky 2012-01-27 12:57:04 UTC
A sensitive information disclosure flaw was found in the way wicd, a wireless and wired network connection manager, managed sensitive information stored in log files. Fields like 'password', 'identity', 'private_key', 'private_key_passwd' etc. were not excluded from being logged into the /var/log/wicd log file, which could allow a local attacker with the privileges of the 'adm' group to view the content of these entities in plain text, leading to information disclosure.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652417
[2] https://bugs.gentoo.org/show_bug.cgi?id=401005
[3] http://www.openwall.com/lists/oss-security/2012/01/26/13
    (CVE request)
[4] http://www.openwall.com/lists/oss-security/2012/01/26/14
    (CVE assignment)

Upstream (experimental branch) patch:
[5] http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682
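
As an added example (not wicd's code and not the upstream patch referenced above), the following Python shows the two defensive sides of this flaw: masking the fields the description names before a settings mapping reaches the logger, and scanning existing log lines so entries that already expose those fields can be flagged. The log line layout, the MASK value and the function names are assumptions made for the example.

```python
import re

# Field names the report lists as sensitive. Its "etc." means a real list is
# longer; extending this set is left to the deployment (assumption).
SENSITIVE_KEYS = {"password", "identity", "private_key", "private_key_passwd"}
MASK = "<redacted>"

def redact_settings(settings):
    """Return a copy of a settings mapping that is safe to pass to a logger."""
    return {k: (MASK if k.lower() in SENSITIVE_KEYS and v else v)
            for k, v in settings.items()}

# key=value, key: value or 'key': 'value'. Underscore is a word character, so
# \b keeps "private_key" from matching inside "private_key_passwd".
_LEAK_RE = re.compile(
    r"""['"]?\b(?P<key>%s)\b['"]?\s*[:=]\s*['"]?(?P<val>[^\s'",}]+)"""
    % "|".join(sorted(SENSITIVE_KEYS)),
    re.IGNORECASE,
)

def find_leaks(lines):
    """Return (line_number, key) for each sensitive key logged with a value."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in _LEAK_RE.finditer(line):
            if match.group("val") != MASK:
                hits.append((number, match.group("key").lower()))
    return hits

# Constructed log lines; the layout is illustrative, not wicd's real format.
SAMPLE_LOG = [
    "2012/01/27 12:57:04 :: connecting to wireless network example-net",
    "2012/01/27 12:57:05 :: setting identity = alice@example.org",
    "2012/01/27 12:57:05 :: setting private_key_passwd = constructed-secret",
    "2012/01/27 12:57:05 :: setting password = <redacted>",
    "2012/01/27 12:57:06 :: {'essid': 'example-net', 'password': 'constructed-secret'}",
]

if __name__ == "__main__":
    print(redact_settings({"essid": "example-net", "password": "constructed-secret"}))
    for number, key in find_leaks(SAMPLE_LOG):
        print("line %d still exposes %r" % (number, key))
```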

Comment 1 Jan Lieskovsky 2012-01-27 13:00:14 UTC
This issue affects the version of the wicd package, as shipped with Fedora EPEL 6. Please schedule an update.

--

This issue affects the versions of the wicd package, as shipped with Fedora releases 15 and 16. Please schedule an update.

Comment 2 Jan Lieskovsky 2012-01-27 13:01:27 UTC
Created wicd tracking bugs for this issue

Affects: fedora-all [bug 785149]
Affects: epel-6 [bug 785150]

Comment 3 David Cantrell 2012-01-27 20:15:06 UTC
I have patched wicd for F-15, F-16, rawhide, and EPEL-6 and built updates:

wicd-1.7.0-11.fc15
wicd-1.7.0-10-fc16
wicd-1.7.1-0.3.b2.fc17
wicd-1.7.0-2.el6

I am confused with the two tracker bugs and how to properly file a security update in the updates system.

Comment 4 Jan Lieskovsky 2012-01-30 07:39:27 UTC
(In reply to comment #3)

Hello David,

> I have patched wicd for F-15, F-16, rawhide, and EPEL-6 and built updates:
> 
> wicd-1.7.0-11.fc15
> wicd-1.7.0-10-fc16
> wicd-1.7.1-0.3.b2.fc17
> wicd-1.7.0-2.el6

Thank you for scheduling these.

> 
> I am confused with the two tracker bugs and how to properly file a security
> update in the updates system.

When making a Bodhi update request, each of the Fedora updates:
1) wicd-1.7.0-11.fc15, wicd-1.7.0-10-fc16, and wicd-1.7.1-0.3.b2.fc17 should reference the following two bugs: #785147 (i.e. this one), and #785149 (i.e. the fedora-all tracker),

2) while the Fedora EPEL 6 update: wicd-1.7.0-2.el6 should reference the following two bugs: #785147 (this one) and #785150 (epel-6 tracker) in the Bugs Fixed section.

Bodhi will then take care of the rest.

Comment 5 David Cantrell 2012-01-31 16:02:27 UTC
Thank you for the information.  I have filed bodhi updates for wicd-1.7.0-11.fc15, wicd-1.7.0-10-fc16, and wicd-1.7.0-2.el6.  The F-17 build will just make it in to F-17 final.

Comment 6 Jan Lieskovsky 2012-01-31 16:09:49 UTC
(In reply to comment #5)
> Thank you for the information.  I have filed bodhi updates for
> wicd-1.7.0-11.fc15, wicd-1.7.0-10-fc16
> , and wicd-1.7.0-2.el6.  The F-17 build will just make it in to F-17 final.

Brilliant, thank you for those.

Comment 7 Fedora Update System 2012-02-16 20:08:10 UTC
wicd-1.7.0-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2012-02-17 00:53:38 UTC
wicd-1.7.0-10.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-02-17 00:54:42 UTC
wicd-1.7.0-11.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Kurt Seifried 2012-12-11 08:31:47 UTC
*** Bug 768575 has been marked as a duplicate of this bug. ***
