Date: Thu, 26 Jan 2012 16:14:50 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: wicd writes sensitive information
 in log files (password, passphrase...)

On 01/26/2012 04:06 PM, Kurt Seifried wrote:
> wicd writes sensitive information in log files (password, passphrase...)
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652417
> 
> From: Vincent Lefevre <vincent@...c17.net>
> To: Debian Bug Tracking System <submit@...s.debian.org>
> Subject: wicd writes sensitive information in log files (password,
>  passphrase...)
> Date: Sat, 17 Dec 2011 03:27:32 +0100
> 
> Package: wicd
> Version: 1.7.1~b3-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> wicd writes sensitive information in log files (under /var/log/wicd),
> such as passwords and passphrases. Users in the adm group can have
> access to them, but log files are also meant to be sent in bug
> reports, and if the bug reporter doesn't pay attention, there is
> a huge risk of transmitting such information.
> 
> http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682
> 
> === modified file 'wicd/configmanager.py'
> --- wicd/configmanager.py	2011-12-15 18:21:53 +0000
> +++ wicd/configmanager.py	2011-12-17 06:55:18 +0000
> @@ -120,8 +120,13 @@
>              ret = to_unicode(ret)
>              if default:
>                  if self.debug:
> -                    print ''.join(['found ', option, ' in configuration ',
> -                                   str(ret)])
> +                    # mask out sensitive information
> +                    if option in ['apsk', 'password', 'identity',
> 'private_key', \
> +                                  'private_key_passwd', 'key',
> 'passphrase']:
> +                        print ''.join(['found ', option, ' in
> configuration *****'])
> +                    else:
> +                        print ''.join(['found ', option, ' in
> configuration ',
> +                                       str(ret)])
>          else:
>              if default != "__None__":
>                  print 'did not find %s in configuration, setting
> default %s' % (option, str(default))
> 
> 
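Review bot: the mask is an allow-list of seven exact option names, so any other option that carries a credential, or one of these seven if it is ever renamed, still falls into the `else` branch and is printed in full via `str(ret)`; keeping the sensitive names in one shared constant and masking by default (or matching on name fragments such as `key`, `pass` and `passphrase`) would fail closed instead. The unchanged `did not find %s in configuration, setting default %s` branch just below still prints `str(default)` unmasked for the same options whenever a default other than `__None__` is supplied, and the hunk only covers the "found" path of this one function, so any other print of option values in the file needs the same treatment for the /var/log/wicd leak to be closed.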

Please use CVE-2012-0813 for this issue. One thing I forgot to include:
affected versions (derp). wicd 1.6.2.2 and 1.7.0 are affected; a new
tarball doesn't appear to be out yet.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
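As an added example, not wicd's own code and not part of the thread above: a Python sketch of the masking that the revision 682 patch applies, generalized to a name-based rule (an assumption of this example, not wicd's behaviour), applied to both the "found" and the "did not find ... setting default" lines, plus a scrubber that checks existing log lines in the format of the hunk's print calls before they get attached to a bug report. The sample log lines are constructed, not a capture from /var/log/wicd.

```python
import re

# Option names masked by the wicd revision 682 patch quoted above.
PATCHED_OPTIONS = frozenset([
    'apsk', 'password', 'identity', 'private_key',
    'private_key_passwd', 'key', 'passphrase',
])

# Assumption of this example, not wicd's rule: any option whose name looks
# credential-like is also masked, so an option added or renamed later does
# not fall back to the unmasked branch of the patch.
CREDENTIAL_NAME_RE = re.compile(r'(key|pass|psk|secret|identity)', re.IGNORECASE)

MASK = '*****'


def is_sensitive(option):
    """True if the option's value must never reach a log file."""
    return option in PATCHED_OPTIONS or CREDENTIAL_NAME_RE.search(option) is not None


def format_found(option, value):
    """The debug line from the patched 'found' path, value masked when sensitive."""
    shown = MASK if is_sensitive(option) else str(value)
    return 'found %s in configuration %s' % (option, shown)


def format_default(option, default):
    """The debug line from the unchanged 'did not find' branch, masked the same
    way. Returns None for the '__None__' sentinel, as the original prints nothing."""
    if default == '__None__':
        return None
    shown = MASK if is_sensitive(option) else str(default)
    return 'did not find %s in configuration, setting default %s' % (option, shown)


# Lines an unpatched wicd would print, in the format of the two print calls in
# the hunk. Groups: line prefix, option name, printed value.
FOUND_RE = re.compile(r'^(found (\S+) in configuration )(.*)$')
DEFAULT_RE = re.compile(r'^(did not find (\S+) in configuration, setting default )(.*)$')


def scrub_line(line):
    """Return (line, leaked): the line with a sensitive value replaced by MASK,
    and whether the input line exposed one."""
    for pattern in (FOUND_RE, DEFAULT_RE):
        m = pattern.match(line)
        if m and is_sensitive(m.group(2)) and m.group(3) != MASK:
            return m.group(1) + MASK, True
    return line, False


def scrub_log(lines):
    """Scrub a whole log; returns (clean_lines, number_of_lines_that_leaked)."""
    clean, leaks = [], 0
    for line in lines:
        out, leaked = scrub_line(line)
        clean.append(out)
        leaks += int(leaked)
    return clean, leaks


# Constructed sample log for this example, not a real /var/log/wicd capture.
SAMPLE_LOG = [
    'found essid in configuration HomeNet',
    'found apsk in configuration correct horse battery staple',
    'found password in configuration *****',
    'did not find private_key_passwd in configuration, setting default s3cret',
    'found wpa_passphrase in configuration also-secret',
    'found dhcphostname in configuration laptop',
]

if __name__ == '__main__':
    cleaned, leaked = scrub_log(SAMPLE_LOG)
    print('\n'.join(cleaned))
    print('%d line(s) had an exposed secret' % leaked)
```

The scrubber treats a value that is already `*****` as clean, so running it over a log produced by a patched wicd reports zero leaks; on an unpatched log it both counts the exposed lines (three in the sample) and rewrites them, which is the check a reporter wants before pasting the log into a public bug.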
