lp:~jtaylor/ubuntu/natty/wicd/CVE-2012-2095

Branch merges

Propose for merging

No branches dependent on this one.

Merged into lp:ubuntu/natty/wicd

Ubuntu branches: Pending requested 2012-04-30

Diff: 155 lines (+118/-1)

5 files modified

debian/changelog (+19/-0)
debian/control (+2/-1)
debian/patches/36-fix_local_privilege_escalation.patch (+73/-0)
debian/patches/37-mask-sensitive-info-from-log.patch (+22/-0)
debian/patches/series (+2/-0)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Bug #979221: priv escalation exploit for wicd possible	Undecided	Fix Released
Bug #992177: wicd writes sensitive information in log files (password, passphrase...)	Undecided	Fix Released

Link a bug report

Related blueprints

23. By Julian Taylor on 2012-05-03

encode to ascii to avoid crash on unicode input

22. By Julian Taylor on 2012-05-03

fix unicode issue in patch

21. By Julian Taylor on 2012-04-30

add description

20. By Julian Taylor on 2012-04-30

* SECURITY UPDATE: privilege escalation (LP: #979221)
  - debian/patches/36-fix_local_privilege_escalation.patch:
    sanitize config properties
    Backported from
    http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/767
    Thanks to David Paleino <email address hidden>
  - CVE-2012-2095
* SECURITY UPDATE: information leak in log files (LP: #992177)
  - debian/patches/37-mask-sensitive-info-from-log.patch:
    mask sensitive information in logs
    Backported from
    http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682
    Thanks to David Paleino <email address hidden>
  - CVE-2012-0813

19. By David Paleino on 2011-02-12

* debian/patches/:
  - 26-support_etc-network_scripts.patch refreshed, /etc/network/
    scripts should now be properly supported (Closes: #579497)
  - 31-dont_crash_on_notification_exceptions.patch added
    (Closes: #569755, #587303)
  - 32-prefer_gksu.patch added (Closes: #575403)
  - 33-deepcopy_python27_fixes.patch backported from Ubuntu,
    thanks to Matthieu Baerts (LP: #602825)
  - 34-dont_save_useless_config.patch added: don't save link quality,
    signal strength and bitrates in the configuration files.
    (Closes: #612918)
  - 35-restrict_netmode_characters.patch added, don't crash
    if the network mode is not what we expect. Thanks to Julien
    Blache for the patch (Closes: #550957)
* debian/control:
  - removed depedency on python-iniparse from wicd-daemon
  - removed Build-Depends on quilt
  - fixed typo in long description, thanks to Martin Eberhard Schauer
    (Closes: #611567)
  - bump Standards-Version to 3.9.1, no changes needed
  - use Breaks+Replaces instead of Conflicts+Replaces
* debian/rules:
  - don't use "--with quilt" anymore
* debian/po/pt_BR.po added: debconf translation for Brazilian
  Portuguese, thanks to Adriano Rafael Gomes (Closes: #594266)
* debian/wicd-daemon.config: don't ask if all users are already
  in the netdev group (Closes: #588078)
* debian/wicd-cli.8: explain -w/--save and -m/--name (Closes: #583586)
* debian/wicd-daemon.wicd.init, export $PATH, makes the daemon work
  in a clean environment. Thanks to Peter Palfrader (Closes: #604810)
* debian/wicd-curses.postrm: redirect stderr (Closes: #605338)

18. By Matthieu Baerts on 2010-12-11

* debian/patches/
 - Added 31-deepcopy+python27-fixes.patch for python 2.7
   (credit to Archlinux and Remy Oudompheng - LP: #602825)

17. By David Paleino on 2010-05-29

* debian/patches/series:
  - 26-support_etc-network_scripts.patch disabled, needs more proper
    support (reopen #579497)

16. By David Paleino on 2010-05-25

* Urgency high because of RC #582980
* debian/patches:
  - 25-use_dhcpcd_also_in_Debian.patch refreshed, to make it work
    again with dhcpcd. Thanks to Brad Jorsch (Closes: #582980)
  - 30-make_connection_info_selectable.patch added (Closes: #571579)

15. By David Paleino on 2010-05-24

* debian/control:
  - fixed package descriptions (Closes: #574152)
* debian/patches/:
  - 23-fix_script_macro_expansion.patch ported from upstream,
    fixes bug in script macro expansion.
  - 24-wait_for_DHCP_client.patch added, waits for DHCP's client
    process to end, avoiding zombie processes. Thanks to Marin
    Ivanov for the patch! (Closes: #537195)
  - 25-use_dhcpcd_also_in_Debian.patch added: upstream changed
    the client from dhcpcd to dhcpcd-bin. This patch reverts it,
    so that defaults in /etc/default/dhcpcd are still observed.
    (Closes: #578014)
  - 26-support_etc-network_scripts.patch added, support /etc/network/
    hierarchy for connection scripts (Closes: #579497)
  - 27-fix_resolv.conf_perms.patch added, make sure dhclient.conf has
    0644 permissions (Closes: #582798)
  - 28-announce_dhclient.conf.template.patch added, describe
    /etc/wicd/dhclient.conf.template in wicd(8) (Closes: #582817)
  - 29-document_variables_passed_to_scripts.patch added (Closes: #570891)
* debian/NEWS.Debian updated to announce /etc/wicd/dhclient.conf.template

14. By David Paleino on 2010-03-05

Fix RC bug: daemon doesn't start anymore because copy.deepcopy()
fails with the iniparse object, coming from 20-use_iniparse.patch.
Bug 568326 reopened. (Closes: #572599)