Ubuntu
wicd package

Merge lp:~jtaylor/ubuntu/precise/wicd/CVE-2012-2095 into lp:ubuntu/precise/wicd

  1. Precise (12.04)
  2. CVE-2012-2095
  3. Merge into precise
Proposed by Julian Taylor
Status: Merged
Merge reported by: Julian Taylor
Merged at revision: not available
Proposed branch: lp:~jtaylor/ubuntu/precise/wicd/CVE-2012-2095
Merge into: lp:ubuntu/precise/wicd
Diff against target: 121 lines (+89/-1)
4 files modified
debian/changelog (+12/-0)
debian/control (+2/-1)
debian/patches/33-fix_local_privilege_escalation.patch (+74/-0)
debian/patches/series (+1/-0)
To merge this branch: bzr merge lp:~jtaylor/ubuntu/precise/wicd/CVE-2012-2095
Reviewer Review Type Date Requested Status
Ubuntu branches Pending
Review via email: mp+104176@code.launchpad.net
To post a comment you must log in.
lp:~jtaylor/ubuntu/precise/wicd/CVE-2012-2095 updated
26. By Julian Taylor

fix unicode issue in patch

27. By Julian Taylor

encode to ascii to avoid crash on unicode input

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Julian, could you please update the status of this merge request so it gets removed from the sponsors list? Thanks.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2012-04-22 18:42:19 +0000
3+++ debian/changelog 2012-05-03 22:41:19 +0000
4@@ -1,3 +1,15 @@
5+wicd (1.7.2.3-1ubuntu0.12.04.1) precise-security; urgency=low
6+
7+ * SECURITY UPDATE: privilege escalation (LP: #979221)
8+ - debian/patches/33-fix_local_privilege_escalation.patch:
9+ sanitize config properties
10+ Backported from
11+ http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/767
12+ Thanks to David Paleino <dapal@debian.org>
13+ - CVE-2012-2095
14+
15+ -- Julian Taylor <jtaylor@ubuntu.com> Mon, 30 Apr 2012 22:22:03 +0200
16+
17 wicd (1.7.2.3-1) unstable; urgency=high
18
19 * New upstram version
20
21=== modified file 'debian/control'
22--- debian/control 2012-04-12 22:08:37 +0000
23+++ debian/control 2012-05-03 22:41:19 +0000
24@@ -1,7 +1,8 @@
25 Source: wicd
26 Section: net
27 Priority: optional
28-Maintainer: David Paleino <dapal@debian.org>
29+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
30+XSBC-Original-Maintainer: David Paleino <dapal@debian.org>
31 Build-Depends:
32 debhelper (>= 7.2.3~)
33 , python (>= 2.6.6-3~)
34
35=== added file 'debian/patches/33-fix_local_privilege_escalation.patch'
36--- debian/patches/33-fix_local_privilege_escalation.patch 1970-01-01 00:00:00 +0000
37+++ debian/patches/33-fix_local_privilege_escalation.patch 2012-05-03 22:41:19 +0000
38@@ -0,0 +1,74 @@
39+Description: sanitize config to prevent priviledge escalation
40+ see http://www.infosecinstitute.com/courses/ethical-hacking-wicd-0day.html
41+ CVE-2012-2095
42+Author: David Paleino <dapal@debian.org>
43+Origin: http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/767
44+
45+--- a/wicd/misc.py
46++++ b/wicd/misc.py
47+@@ -26,6 +26,7 @@
48+ import locale
49+ import sys
50+ import re
51++import string
52+ import gobject
53+ from threading import Thread
54+ from subprocess import Popen, STDOUT, PIPE, call
55+@@ -427,11 +428,12 @@
56+
57+ def sanitize_config(s):
58+ """ Sanitize property names to be used in config-files. """
59+- s = s.strip()
60+- s = s.replace('=', '')
61+- s = s.replace(' ', '')
62+- s = s.replace('\n', '')
63+- return s
64++ allowed = string.ascii_letters + '_' + string.digits
65++ table = string.maketrans(allowed, ' ' * len(allowed))
66++
67++ # s is a dbus.String -- since we don't allow unicode property keys,
68++ # make it simple.
69++ return s.encode("ascii", "replace").translate(None, table)
70+
71+ def sanitize_escaped(s):
72+ """ Sanitize double-escaped unicode strings. """
73+--- a/wicd/wicd-daemon.py
74++++ b/wicd/wicd-daemon.py
75+@@ -1064,9 +1064,10 @@
76+ def SetWirelessProperty(self, netid, prop, value):
77+ """ Sets property to value in network specified. """
78+ # We don't write script settings here.
79+- if misc.sanitize_config(prop).endswith('script'):
80+- print 'Setting script properties through the daemon' \
81+- + ' is not permitted.'
82++ prop = misc.sanitize_config(prop)
83++ if prop.endswith("script"):
84++ print "Setting script properties through the daemon is not" \
85++ + " permitted."
86+ return False
87+ self.LastScan[netid][prop] = misc.to_unicode(misc.Noneify(value))
88+
89+@@ -1264,7 +1265,8 @@
90+ @dbus.service.method('org.wicd.daemon.wireless')
91+ def SaveWirelessNetworkProperty(self, id, option):
92+ """ Writes a particular wireless property to disk. """
93+- if (option.strip()).endswith("script"):
94++ option = misc.sanitize_config(option)
95++ if option.endswith("script"):
96+ print 'You cannot save script information to disk through ' + \
97+ 'the daemon.'
98+ return
99+@@ -1406,9 +1408,10 @@
100+ def SetWiredProperty(self, prop, value):
101+ """ Sets the given property to the given value. """
102+ if self.WiredNetwork:
103+- if misc.sanitize_config(prop).endswith('script'):
104+- print 'Setting script properties through the daemon' \
105+- + ' is not permitted.'
106++ prop = misc.sanitize_config(prop)
107++ if prop.endswith("script"):
108++ print "Setting script properties through the daemon" \
109++ + " is not permitted."
110+ return False
111+ self.WiredNetwork[prop] = misc.to_unicode(misc.Noneify(value))
112+ return True
113
114=== modified file 'debian/patches/series'
115--- debian/patches/series 2012-02-02 20:36:02 +0000
116+++ debian/patches/series 2012-05-03 22:41:19 +0000
117@@ -2,3 +2,4 @@
118 02-workaround_dhclient_bug.patch
119 26-support_etc-network_scripts.patch
120 32-prefer_gksu.patch
121+33-fix_local_privilege_escalation.patch

Subscribers

People subscribed via source and target branches

to all changes: