Ubuntu
wicd package

Merge lp:~jtaylor/ubuntu/oneiric/wicd/CVE-2012-2095 into lp:ubuntu/oneiric/wicd

  1. Oneiric (11.10)
  2. CVE-2012-2095
  3. Merge into oneiric
Proposed by Julian Taylor
Status: Merged
Merge reported by: Julian Taylor
Merged at revision: not available
Proposed branch: lp:~jtaylor/ubuntu/oneiric/wicd/CVE-2012-2095
Merge into: lp:ubuntu/oneiric/wicd
Diff against target: 155 lines (+118/-1)
5 files modified
debian/changelog (+19/-0)
debian/control (+2/-1)
debian/patches/36-fix_local_privilege_escalation.patch (+73/-0)
debian/patches/37-mask-sensitive-info-from-log.patch (+22/-0)
debian/patches/series (+2/-0)
To merge this branch: bzr merge lp:~jtaylor/ubuntu/oneiric/wicd/CVE-2012-2095
Reviewer Review Type Date Requested Status
Ubuntu branches Pending
Review via email: mp+104177@code.launchpad.net
To post a comment you must log in.
lp:~jtaylor/ubuntu/oneiric/wicd/CVE-2012-2095 updated
23. By Julian Taylor

fix unicode issue in patch

24. By Julian Taylor

encode to ascii to avoid crash on unicode input

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Julian, could you please update the status of this merge request so it gets removed from the sponsors list? Thanks.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2011-02-12 00:16:58 +0000
3+++ debian/changelog 2012-05-03 22:42:19 +0000
4@@ -1,3 +1,22 @@
5+wicd (1.7.0+ds1-6ubuntu0.11.10.1) oneiric-security; urgency=low
6+
7+ * SECURITY UPDATE: privilege escalation (LP: #979221)
8+ - debian/patches/36-fix_local_privilege_escalation.patch:
9+ sanitize config properties
10+ Backported from
11+ http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/767
12+ Thanks to David Paleino <dapal@debian.org>
13+ - CVE-2012-2095
14+ * SECURITY UPDATE: information leak in log files (LP: #992177)
15+ - debian/patches/37-mask-sensitive-info-from-log.patch:
16+ mask sensitive information in logs
17+ Backported from
18+ http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682
19+ Thanks to David Paleino <dapal@debian.org>
20+ - CVE-2012-0813
21+
22+ -- Julian Taylor <jtaylor@ubuntu.com> Mon, 30 Apr 2012 19:57:13 +0200
23+
24 wicd (1.7.0+ds1-6) unstable; urgency=low
25
26 * debian/patches/:
27
28=== modified file 'debian/control'
29--- debian/control 2011-02-12 00:16:58 +0000
30+++ debian/control 2012-05-03 22:42:19 +0000
31@@ -1,7 +1,8 @@
32 Source: wicd
33 Section: net
34 Priority: optional
35-Maintainer: David Paleino <dapal@debian.org>
36+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
37+XSBC-Original-Maintainer: David Paleino <dapal@debian.org>
38 Build-Depends:
39 debhelper (>= 7.2.3~)
40 , python
41
42=== added file 'debian/patches/36-fix_local_privilege_escalation.patch'
43--- debian/patches/36-fix_local_privilege_escalation.patch 1970-01-01 00:00:00 +0000
44+++ debian/patches/36-fix_local_privilege_escalation.patch 2012-05-03 22:42:19 +0000
45@@ -0,0 +1,73 @@
46+Description: sanitize config to prevent priviledge escalation
47+ see http://www.infosecinstitute.com/courses/ethical-hacking-wicd-0day.html
48+ CVE-2012-2095
49+Author: David Paleino <dapal@debian.org>
50+Origin: http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/767
51+
52+--- a/wicd/misc.py
53++++ b/wicd/misc.py
54+@@ -26,6 +26,7 @@
55+ import locale
56+ import sys
57+ import re
58++import string
59+ import gobject
60+ from threading import Thread
61+ from subprocess import Popen, STDOUT, PIPE, call
62+@@ -398,6 +399,15 @@
63+ ret = x.decode('utf-8', 'replace').encode('utf-8')
64+
65+ return ret
66++
67++def sanitize_config(s):
68++ """ Sanitize property names to be used in config-files. """
69++ allowed = string.ascii_letters + '_' + string.digits
70++ table = string.maketrans(allowed, ' ' * len(allowed))
71++
72++ # s is a dbus.String -- since we don't allow unicode property keys,
73++ # make it simple.
74++ return s.encode("ascii", "replace").translate(None, table)
75+
76+ def RenameProcess(new_name):
77+ """ Renames the process calling the function to the given name. """
78+--- a/wicd/wicd-daemon.py
79++++ b/wicd/wicd-daemon.py
80+@@ -1088,7 +1088,8 @@
81+ def SetWirelessProperty(self, netid, prop, value):
82+ """ Sets property to value in network specified. """
83+ # We don't write script settings here.
84+- if (prop.strip()).endswith("script"):
85++ prop = misc.sanitize_config(prop)
86++ if prop.endswith("script"):
87+ print "Setting script properties through the daemon is not" \
88+ + " permitted."
89+ return False
90+@@ -1282,7 +1283,8 @@
91+ @dbus.service.method('org.wicd.daemon.wireless')
92+ def SaveWirelessNetworkProperty(self, id, option):
93+ """ Writes a particular wireless property to disk. """
94+- if (option.strip()).endswith("script"):
95++ option = misc.sanitize_config(option)
96++ if option.endswith("script"):
97+ print 'You cannot save script information to disk through ' + \
98+ 'the daemon.'
99+ return
100+@@ -1409,14 +1411,15 @@
101+ return str(iface)
102+
103+ @dbus.service.method('org.wicd.daemon.wired')
104+- def SetWiredProperty(self, property, value):
105++ def SetWiredProperty(self, prop, value):
106+ """ Sets the given property to the given value. """
107+ if self.WiredNetwork:
108+- if (property.strip()).endswith("script"):
109++ prop = misc.sanitize_config(prop)
110++ if prop.endswith("script"):
111+ print "Setting script properties through the daemon" \
112+ + " is not permitted."
113+ return False
114+- self.WiredNetwork[property] = misc.to_unicode(misc.Noneify(value))
115++ self.WiredNetwork[prop] = misc.to_unicode(misc.Noneify(value))
116+ return True
117+ else:
118+ print 'SetWiredProperty: WiredNetwork does not exist'
119
120=== added file 'debian/patches/37-mask-sensitive-info-from-log.patch'
121--- debian/patches/37-mask-sensitive-info-from-log.patch 1970-01-01 00:00:00 +0000
122+++ debian/patches/37-mask-sensitive-info-from-log.patch 2012-05-03 22:42:19 +0000
123@@ -0,0 +1,22 @@
124+Description: mask sensitive information from logs
125+ CVE-2012-0813
126+Author: David Paleino <dapal@debian.org>
127+Origin: http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682
128+--- a/wicd/configmanager.py
129++++ b/wicd/configmanager.py
130+@@ -107,8 +107,13 @@
131+ ret = ret[3:-3]
132+ if default:
133+ if self.debug:
134+- print ''.join(['found ', option, ' in configuration ',
135+- str(ret)])
136++ # mask out sensitive information
137++ if option in ['apsk', 'password', 'identity', 'private_key', \
138++ 'private_key_passwd', 'key', 'passphrase']:
139++ print ''.join(['found ', option, ' in configuration *****'])
140++ else:
141++ print ''.join(['found ', option, ' in configuration ',
142++ str(ret)])
143+ else:
144+ if default != "__None__":
145+ print 'did not find %s in configuration, setting default %s' % (option, str(default))
146
147=== modified file 'debian/patches/series'
148--- debian/patches/series 2011-02-12 00:16:58 +0000
149+++ debian/patches/series 2012-05-03 22:42:19 +0000
150@@ -26,3 +26,5 @@
151 33-deepcopy_python27_fixes.patch
152 34-dont_save_useless_config.patch
153 35-restrict_netmode_characters.patch
154+36-fix_local_privilege_escalation.patch
155+37-mask-sensitive-info-from-log.patch

Subscribers

People subscribed via source and target branches

to all changes: