wicd writes sensitive information in log files (password, passphrase...)

Related Vulnerabilities: CVE-2012-0813  

Debian Bug report logs - #652417


Reported by: Vincent Lefevre <vincent@vinc17.net>

Date: Sat, 17 Dec 2011 02:30:05 UTC

Severity: grave

Tags: confirmed, fixed-upstream, security, upstream

Found in version wicd/1.7.1~b3-3

Fixed in version wicd/1.7.1~b3-4

Done: David Paleino <dapal@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Paleino <dapal@debian.org>:
Bug#652417; Package wicd. (Sat, 17 Dec 2011 02:30:08 GMT)


Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Paleino <dapal@debian.org>. (Sat, 17 Dec 2011 02:30:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Vincent Lefevre <vincent@vinc17.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wicd writes sensitive information in log files (password, passphrase...)
Date: Sat, 17 Dec 2011 03:27:32 +0100
Package: wicd
Version: 1.7.1~b3-3
Severity: grave
Tags: security
Justification: user security hole

wicd writes sensitive information in log files (under /var/log/wicd),
such as passwords and passphrases. Users in the adm group can have
access to them, but also log files are meant to be sent in bug
reports, and if the bug reporter doesn't pay attention, there is
a huge risk to transmit such information.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages wicd depends on:
ii  wicd-daemon             1.7.1~b3-3
ii  wicd-gtk [wicd-client]  1.7.1~b3-3

wicd recommends no packages.

wicd suggests no packages.

Versions of packages wicd-gtk depends on:
ii  python         2.7.2-9
ii  python-glade2  2.24.0-2
ii  python-gtk2    2.24.0-2
ii  wicd-daemon    1.7.1~b3-3

Versions of packages wicd-gtk recommends:
ii  gksu           2.0.2-6
ii  python-notify  0.1.1-3

Versions of packages wicd-daemon depends on:
ii  adduser                         3.113
ii  dbus                            1.4.16-1
ii  debconf                         1.5.41
ii  ethtool                         1:3.1-1
ii  iproute                         20111117-1
ii  iputils-ping                    3:20101006-1+b1
ii  isc-dhcp-client [dhcp3-client]  4.1.1-P1-17
ii  lsb-base                        3.2-28
ii  net-tools                       1.60-24.1
ii  psmisc                          22.14-1
ii  python                          2.7.2-9
ii  python-dbus                     0.84.0-2
ii  python-gobject                  3.0.3-1
ii  python-wicd                     1.7.1~b3-3
ii  wireless-tools                  30~pre9-7
ii  wpasupplicant                   0.7.3-5

Versions of packages wicd-daemon recommends:
ii  wicd-gtk [wicd-client]  1.7.1~b3-3

Versions of packages wicd-daemon suggests:
ii  pm-utils  1.4.1-8

Versions of packages python-wicd depends on:
ii  python     2.7.2-9
ii  python2.6  2.6.7-4
ii  python2.7  2.7.2-8

-- debconf information:
* wicd/users: vinc17
* wicd/users: vinc17
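As an added example (not wicd's code and not the upstream fix linked later in this report), this is the approach the maintainer's changelog describes as "Mask out sensitive info in logfiles", written in Python since that is wicd's language: a logging filter that blanks the values of sensitive fields before they reach a log file, and a check a reporter could run over a /var/log/wicd file before attaching it to a bug report. The field names and the sample log lines are constructed assumptions.

```python
import io
import logging
import re

# Field names whose values must never reach a log; assumed for this example,
# wicd's own templates and the upstream fix may use different names.
SENSITIVE_KEYS = ("psk", "password", "passphrase", "key", "wep_key0",
                  "private_key_passwd")
PLACEHOLDER = "*****"
# key=value or key: value; the value is double-quoted or a run of non-blanks.
_SECRET = re.compile(r'(?i)\b(' + '|'.join(map(re.escape, SENSITIVE_KEYS))
                     + r')(\s*[=:]\s*)("[^"]*"|\S+)')

def mask_sensitive(text):
    """Return text with every sensitive value replaced by PLACEHOLDER."""
    return _SECRET.sub(lambda m: m.group(1) + m.group(2) + PLACEHOLDER, text)

class MaskingFilter(logging.Filter):
    """Rewrites each record's message before any handler writes it out."""
    def filter(self, record):
        record.msg = mask_sensitive(record.getMessage())  # masks %-args too
        record.args = None
        return True

def masked_log_output(message, *args):
    """Log one message through MaskingFilter; return what the handler wrote."""
    stream = io.StringIO()
    logger = logging.getLogger("wicd-masking-example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.addFilter(MaskingFilter())
    logger.addHandler(handler)
    logger.info(message, *args)
    return stream.getvalue()

def find_unmasked(lines):
    """1-based numbers of lines still carrying an unmasked sensitive value."""
    return [n for n, line in enumerate(lines, 1)
            if any(m.group(3).strip('"') != PLACEHOLDER
                   for m in _SECRET.finditer(line))]

# Constructed sample lines in the style of a wicd log, not a real capture.
SAMPLE_LOG = [
    "2011/12/17 03:20:01 :: Connecting to wireless network HomeNet",
    '2011/12/17 03:20:02 :: wpa_supplicant: psk="correct horse battery staple"',
    "2011/12/17 03:20:03 :: dhcp: ip=192.168.1.23",
    "2011/12/17 03:20:04 :: pppoe: password=hunter2 user=alice",
]
```

An unquoted value containing spaces is masked only up to the first space, so code that logs a passphrase must quote it (as wpa_supplicant configuration does) for the filter to catch all of it.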




Information forwarded to debian-bugs-dist@lists.debian.org, David Paleino <dapal@debian.org>:
Bug#652417; Package wicd. (Sat, 17 Dec 2011 07:00:05 GMT)


Acknowledgement sent to dapal@debian.org:
Extra info received and forwarded to list. Copy sent to David Paleino <dapal@debian.org>. (Sat, 17 Dec 2011 07:00:05 GMT)


Message #10 received at 652417@bugs.debian.org:

From: David Paleino <dapal@debian.org>
To: 652417@bugs.debian.org
Cc: Vincent Lefevre <vincent@vinc17.net>
Subject: Re: Bug#652417: wicd writes sensitive information in log files (password, passphrase...)
Date: Sat, 17 Dec 2011 07:56:41 +0100
tags 652417 confirmed pending upstream fixed-upstream
thanks

Hello Vincent,

On Sat, 17 Dec 2011 03:27:32 +0100, Vincent Lefevre wrote:

> Package: wicd
> Version: 1.7.1~b3-3
> Severity: grave
> Tags: security
> Justification: user security hole

having fun filing RC bugs, eh? :)

> wicd writes sensitive information in log files (under /var/log/wicd),
> such as passwords and passphrases. Users in the adm group can have
> access to them, but also log files are meant to be sent in bug
> reports, and if the bug reporter doesn't pay attention, there is
> a huge risk to transmit such information.

Fixed upstream:

http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682

-- 
 . ''`.   Debian developer | http://wiki.debian.org/DavidPaleino
 : :'  : Linuxer #334216 --|-- http://www.hanskalabs.net/
 `. `'`  GPG: 1392B174 ----|---- http://deb.li/dapal
   `-   2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174

Added tag(s) upstream, confirmed, fixed-upstream, and pending. Request was from David Paleino <dapal@debian.org> to control@bugs.debian.org. (Sat, 17 Dec 2011 07:00:07 GMT)


Reply sent to David Paleino <dapal@debian.org>:
You have taken responsibility. (Sat, 21 Jan 2012 10:51:13 GMT)


Notification sent to Vincent Lefevre <vincent@vinc17.net>:
Bug acknowledged by developer. (Sat, 21 Jan 2012 10:51:15 GMT)


Message #17 received at 652417-close@bugs.debian.org:

From: David Paleino <dapal@debian.org>
To: 652417-close@bugs.debian.org
Subject: Bug#652417: fixed in wicd 1.7.1~b3-4
Date: Sat, 21 Jan 2012 10:49:37 +0000
Source: wicd
Source-Version: 1.7.1~b3-4

We believe that the bug you reported is fixed in the latest version of
wicd, which is due to be installed in the Debian FTP archive:

python-wicd_1.7.1~b3-4_all.deb
  to main/w/wicd/python-wicd_1.7.1~b3-4_all.deb
wicd-cli_1.7.1~b3-4_all.deb
  to main/w/wicd/wicd-cli_1.7.1~b3-4_all.deb
wicd-curses_1.7.1~b3-4_all.deb
  to main/w/wicd/wicd-curses_1.7.1~b3-4_all.deb
wicd-daemon_1.7.1~b3-4_all.deb
  to main/w/wicd/wicd-daemon_1.7.1~b3-4_all.deb
wicd-gtk_1.7.1~b3-4_all.deb
  to main/w/wicd/wicd-gtk_1.7.1~b3-4_all.deb
wicd_1.7.1~b3-4.debian.tar.gz
  to main/w/wicd/wicd_1.7.1~b3-4.debian.tar.gz
wicd_1.7.1~b3-4.dsc
  to main/w/wicd/wicd_1.7.1~b3-4.dsc
wicd_1.7.1~b3-4_all.deb
  to main/w/wicd/wicd_1.7.1~b3-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 652417@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Paleino <dapal@debian.org> (supplier of updated wicd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 21 Jan 2012 11:24:53 +0100
Source: wicd
Binary: wicd wicd-daemon wicd-gtk wicd-curses wicd-cli python-wicd
Architecture: source all
Version: 1.7.1~b3-4
Distribution: unstable
Urgency: low
Maintainer: David Paleino <dapal@debian.org>
Changed-By: David Paleino <dapal@debian.org>
Description: 
 python-wicd - wired and wireless network manager - Python module
 wicd       - wired and wireless network manager - metapackage
 wicd-cli   - wired and wireless network manager - scriptable console client
 wicd-curses - wired and wireless network manager - Curses client
 wicd-daemon - wired and wireless network manager - daemon
 wicd-gtk   - wired and wireless network manager - GTK+ client
Closes: 652417 655159 655994
Changes: 
 wicd (1.7.1~b3-4) unstable; urgency=low
 .
   * Fix translations even more (Closes: #655994)
   * Hopefully fixed bug with ESSIDs containing '\x00' (Closes: #655159)
   * Mask out sensitive info in logfiles (Closes: #652417)






Information forwarded to debian-bugs-dist@lists.debian.org, David Paleino <dapal@debian.org>:
Bug#652417; Package wicd. (Thu, 26 Jan 2012 00:21:03 GMT)


Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to David Paleino <dapal@debian.org>. (Thu, 26 Jan 2012 00:21:03 GMT)


Message #22 received at 652417@bugs.debian.org:

From: Kurt Seifried <kseifried@redhat.com>
To: 652417@bugs.debian.org
Subject: Does this issue need a CVE #?
Date: Wed, 25 Jan 2012 17:20:02 -0700
Does this issue need a CVE #?

-- 

-- Kurt Seifried / Red Hat Security Response Team
kseifried@redhat.com




Information forwarded to debian-bugs-dist@lists.debian.org, David Paleino <dapal@debian.org>:
Bug#652417; Package wicd. (Thu, 26 Jan 2012 07:00:04 GMT)


Acknowledgement sent to dapal@debian.org:
Extra info received and forwarded to list. Copy sent to David Paleino <dapal@debian.org>. (Thu, 26 Jan 2012 07:00:04 GMT)


Message #27 received at 652417@bugs.debian.org:

From: David Paleino <dapal@debian.org>
To: 652417@bugs.debian.org
Cc: Kurt Seifried <kseifried@redhat.com>
Subject: Re: Bug#652417: Does this issue need a CVE #?
Date: Thu, 26 Jan 2012 07:56:17 +0100
On Wed, 25 Jan 2012 17:20:02 -0700, Kurt Seifried wrote:

> Does this issue need a CVE #?

What for? :) The bug is already fixed too...

-- 
 . ''`.   Debian developer | http://wiki.debian.org/DavidPaleino
 : :'  : Linuxer #334216 --|-- http://www.hanskalabs.net/
 `. `'`  GPG: 1392B174 ----|---- http://deb.li/dapal
   `-   2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174

Information forwarded to debian-bugs-dist@lists.debian.org, David Paleino <dapal@debian.org>:
Bug#652417; Package wicd. (Fri, 27 Jan 2012 16:21:05 GMT)


Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to David Paleino <dapal@debian.org>. (Fri, 27 Jan 2012 16:21:05 GMT)


Message #32 received at 652417@bugs.debian.org:

From: Kurt Seifried <kseifried@redhat.com>
To: 652417@bugs.debian.org
Subject: Please use CVE-2012-0813 for this issue.
Date: Fri, 27 Jan 2012 09:19:04 -0700
Please use CVE-2012-0813 for this issue.

http://seclists.org/oss-sec/2012/q1/294

-- 
Kurt Seifried Red Hat Security Response Team (SRT)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 25 Feb 2012 07:34:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:49:42 2019; Machine Name: beach
