[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: wicd writes sensitive information in log files (password, passphrase
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-01-26 23:14:50
Message-ID: 4F21DE6A.7090101 () redhat ! com
[Download RAW message or body]

On 01/26/2012 04:06 PM, Kurt Seifried wrote:
> wicd writes sensitive information in log files (password, passphrase...)
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652417
> 
> From: Vincent Lefevre <vincent@vinc17.net>
> To: Debian Bug Tracking System <submit@bugs.debian.org>
> Subject: wicd writes sensitive information in log files (password,
>  passphrase...)
> Date: Sat, 17 Dec 2011 03:27:32 +0100
> 
> Package: wicd
> Version: 1.7.1~b3-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> wicd writes sensitive information in log files (under /var/log/wicd),
> such as passwords and passphrases. Users in the adm group can have
> access to them, but also log files are meant to be sent in bug
> reports, and if the bug reporter doesn't pay attention, there is
> a huge risk to transmit such information.
> 
> http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682
> 
> === modified file 'wicd/configmanager.py'
> --- wicd/configmanager.py	2011-12-15 18:21:53 +0000
> +++ wicd/configmanager.py	2011-12-17 06:55:18 +0000
> @@ -120,8 +120,13 @@
>              ret = to_unicode(ret)
>              if default:
>                  if self.debug:
> -                    print ''.join(['found ', option, ' in configuration ',
> -                                   str(ret)])
> +                    # mask out sensitive information
> +                    if option in ['apsk', 'password', 'identity',
> 'private_key', \
> +                                  'private_key_passwd', 'key',
> 'passphrase']:
> +                        print ''.join(['found ', option, ' in
> configuration *****'])
> +                    else:
> +                        print ''.join(['found ', option, ' in
> configuration ',
> +                                       str(ret)])
>          else:
>              if default != "__None__":
>                  print 'did not find %s in configuration, setting
> default %s' % (option, str(default))
> 
> 

Please use CVE-2012-0813 for this issue. One thing I forgot to include:
affected version 9derp). wicd 1.6.2.2 and 1.7.0 are affected, a new
tarball doesn't appear to be out yet.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
[prev in list] [next in list] [prev in thread] [next in thread]