Date: Thu, 26 Jan 2012 16:14:50 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: wicd writes sensitive information in log files (password, passphrase...)

On 01/26/2012 04:06 PM, Kurt Seifried wrote:
> wicd writes sensitive information in log files (password, passphrase...)
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652417
>
> From: Vincent Lefevre <vincent@...c17.net>
> To: Debian Bug Tracking System <submit@...s.debian.org>
> Subject: wicd writes sensitive information in log files (password,
> passphrase...)
> Date: Sat, 17 Dec 2011 03:27:32 +0100
>
> Package: wicd
> Version: 1.7.1~b3-3
> Severity: grave
> Tags: security
> Justification: user security hole
>
> wicd writes sensitive information in log files (under /var/log/wicd),
> such as passwords and passphrases. Users in the adm group can have
> access to them, but also log files are meant to be sent in bug
> reports, and if the bug reporter doesn't pay attention, there is
> a huge risk to transmit such information.
>
> http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682
>
> === modified file 'wicd/configmanager.py'
> --- wicd/configmanager.py 2011-12-15 18:21:53 +0000
> +++ wicd/configmanager.py 2011-12-17 06:55:18 +0000
> @@ -120,8 +120,13 @@
> ret = to_unicode(ret)
> if default:
> if self.debug:
> - print ''.join(['found ', option, ' in configuration ',
> - str(ret)])
> + # mask out sensitive information
> + if option in ['apsk', 'password', 'identity',
> 'private_key', \
> + 'private_key_passwd', 'key',
> 'passphrase']:
> + print ''.join(['found ', option, ' in
> configuration *****'])
> + else:
> + print ''.join(['found ', option, ' in
> configuration ',
> + str(ret)])
> else:
> if default != "__None__":
> print 'did not find %s in configuration, setting
> default %s' % (option, str(default))
>
> Please use CVE-2012-0813 for this issue.

One thing I forgot to include: affected version (derp). wicd 220.127.116.11 and 1.7.0 are affected, a new tarball doesn't appear to be out yet.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
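Review bot: the mask is applied only in the "found" branch; the unchanged context at the end of the hunk, `print 'did not find %s in configuration, setting default %s' % (option, str(default))`, still writes `str(default)` to the log unmasked, so any caller that passes a real value as the default for `apsk`, `password`, `passphrase` or another option in the list still leaks it. Apply the same option-name check before printing the default. The inline list of sensitive option names would also be better as a module-level constant, so this branch, the default branch and any other log site in configmanager.py share one definition instead of drifting apart.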
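The bug report above makes two points: the daemon's debug output must not contain secrets, and logs that were already written may be attached to bug reports. The following added example (not wicd's code and not part of this thread) shows both sides: a single option-name list that masks secrets in every debug line, including the "setting default" branch, and a scrubber a maintainer can run over an existing /var/log/wicd file before sending it anywhere. The option names are the ones the patch lists and the line formats are the ones visible in the hunk; the scrubber itself, its regular expressions and the sample log are constructed for this example.

```python
import re

# Option names the wicd fix masks, kept in one place so every log site
# (found / setting-default / anything else) applies the same rule.
SENSITIVE_OPTIONS = frozenset([
    'apsk', 'password', 'identity', 'private_key',
    'private_key_passwd', 'key', 'passphrase',
])

MASK = '*****'


def describe_option(option, value, found=True):
    """Build the debug line for an option lookup, masking the value in
    both the 'found' branch and the 'setting default' branch (the patch on
    the list only covered the former)."""
    shown = MASK if option in SENSITIVE_OPTIONS else str(value)
    if found:
        return 'found %s in configuration %s' % (option, shown)
    return 'did not find %s in configuration, setting default %s' % (option, shown)


# Constructed patterns matching the two debug-line formats in the hunk, so a
# log produced by the unpatched code can be cleaned before it leaves the box.
_FOUND_RE = re.compile(
    r'^(found (?P<opt>[A-Za-z_]+) in configuration )(?P<val>.*)$')
_DEFAULT_RE = re.compile(
    r'^(did not find (?P<opt>[A-Za-z_]+) in configuration, setting default )'
    r'(?P<val>.*)$')


def scrub_log_line(line):
    """Return the line with its value masked if it is a debug line for a
    sensitive option; every other line is returned unchanged."""
    for pattern in (_FOUND_RE, _DEFAULT_RE):
        m = pattern.match(line)
        if m and m.group('opt') in SENSITIVE_OPTIONS:
            return m.group(1) + MASK
    return line


def scrub_log(text):
    """Scrub a whole log; returns (cleaned_text, number_of_lines_masked)."""
    out, masked = [], 0
    for line in text.splitlines():
        cleaned = scrub_log_line(line)
        if cleaned != line:
            masked += 1
        out.append(cleaned)
    return '\n'.join(out), masked


# Constructed sample of what a pre-fix debug log could look like
# (values are made up for the example).
SAMPLE_LOG = '\n'.join([
    'found essid in configuration HomeNet',
    'found apsk in configuration hunter2-not-a-real-key',
    'did not find passphrase in configuration, setting default changeme',
    'did not find dhcphostname in configuration, setting default wicd',
])

if __name__ == '__main__':
    cleaned, n = scrub_log(SAMPLE_LOG)
    print(cleaned)
    print('%d line(s) masked' % n)
```

Exact name matching, as in the patch, only protects options that are on the list; when a new secret-bearing option is added to the configuration, it has to be added to SENSITIVE_OPTIONS as well, which is the reason to keep the list in one shared constant rather than inline at a single print site.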