Ubuntu
wicd package

priv escalation exploit for wicd possible

Lucid (10.04)
Bug #979221

Bug #979221 reported by adam on 2012-04-11

264

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
wicd	Fix Released	Critical	David Paleino	wicd 1.7.2.4
wicd (Debian)	Fix Released	Unknown	debbugs #668397
wicd (Ubuntu)	Fix Released	Undecided	Unassigned
Lucid	Fix Released	Undecided	Unassigned
Natty	Fix Released	Undecided	Unassigned
Oneiric	Fix Released	Undecided	Unassigned
Precise	Fix Released	Undecided	Unassigned

Bug Description

Please see details here: http://www.infosecinstitute.com/courses/ethical_hacking_training.html

Related branches

lp:wicd/1.6

lp:~jtaylor/ubuntu/precise/wicd/CVE-2012-2095

Merged into lp:ubuntu/precise/wicd

Ubuntu branches: Pending requested 2012-04-30

lp:~jtaylor/ubuntu/oneiric/wicd/CVE-2012-2095

Merged into lp:ubuntu/oneiric/wicd

Ubuntu branches: Pending requested 2012-04-30

lp:~jtaylor/ubuntu/natty/wicd/CVE-2012-2095

Merged into lp:ubuntu/natty/wicd

Ubuntu branches: Pending requested 2012-04-30

lp:~jtaylor/ubuntu/lucid/wicd/CVE-2012-2095

Merged into lp:ubuntu/lucid/wicd

Ubuntu Development Team: Pending requested 2012-04-30

lp:ubuntu/precise-security/wicd

lp:ubuntu/lucid-security/wicd

lp:ubuntu/natty-security/wicd

lp:ubuntu/oneiric-security/wicd

CVE References

Revision history for this message

David Paleino (dpaleino) wrote on 2012-04-11:

This issue has had assigned the following CVE ID:

CVE-2012-2095

Changed in wicd:
status:	New → Confirmed
importance:	Undecided → Critical
assignee:	nobody → David Paleino (dpaleino)
milestone:	none → 1.7.2

Bug Watch Updater (bug-watch-updater) on 2012-04-11

Changed in wicd (Debian):
status:	Unknown → New

David Paleino (dpaleino) on 2012-04-11

Changed in wicd:
status:	Confirmed → Fix Committed

David Paleino (dpaleino) on 2012-04-11

Changed in wicd:
status:	Fix Committed → Fix Released
visibility:	private → public

Vadim Rutkovsky (roignac) on 2012-04-12

affects:

ubuntu → wicd (Ubuntu)

Bug Watch Updater (bug-watch-updater) on 2012-04-13

Changed in wicd (Debian):
status:	New → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2012-04-20:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in wicd (Ubuntu):
status:	New → Triaged

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2012-04-20:

12.04 has 1.7.2.1-1, which should be fixed. Stable releases will need a patch.

Changed in wicd (Ubuntu):
status:	Triaged → Fix Released

Revision history for this message

Julian Taylor (jtaylor) wrote on 2012-04-30:

the patch still works like a charm in precise, no wonder it does nothing useful.
exploit lines still pass the criteria and are inserted into the file without any sanitation.

reopening, please sanitize the input properly

Changed in wicd (Ubuntu):
status:	Fix Released → Confirmed

Revision history for this message

Julian Taylor (jtaylor) wrote on 2012-04-30:

as pointed out to me by mdeslaur it was reintroduced in revision 758
http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/758

Revision history for this message

David Paleino (dpaleino) wrote on 2012-04-30:

Please explain better.

That revision really fixes it in a more general way: without "=", spaces or newlines, you can't do much harm. Sure, you can write arbitrary values in the config file, but still nothing that would get executed.

David Paleino (dpaleino) on 2012-04-30

Changed in wicd:
milestone:	1.7.2 → 1.7.2.4
status:	Fix Released → Fix Committed
status:	Fix Committed → Fix Released

Revision history for this message

Julian Taylor (jtaylor) wrote on 2012-05-01:

This bug was fixed in the package wicd - 1.7.2.4-1

---------------
wicd (1.7.2.4-1) unstable; urgency=high

  * New upstream version
    - really fix local privilege escalation, CVE-2012-2095 (Closes: #668397)
  * Fixed typo in previous changelog entry

-- David Paleino <email address hidden> Mon, 30 Apr 2012 21:32:55 +0200

Changed in wicd (Ubuntu):
status:	Confirmed → Fix Released

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2012-05-07:

jtaylor's branches look good. Packages are building and should be released soon.

Changed in wicd (Ubuntu Lucid):
status:	New → Confirmed
Changed in wicd (Ubuntu Natty):
status:	New → Confirmed
Changed in wicd (Ubuntu Oneiric):
status:	New → Confirmed
Changed in wicd (Ubuntu Precise):
status:	New → Confirmed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-05-07:

This bug was fixed in the package wicd - 1.7.2.3-1ubuntu0.1

---------------
wicd (1.7.2.3-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: local privilege escalation (LP: #979221)
    - debian/patches/33-fix_local_privilege_escalation.patch: sanitize
      config properties. Thanks to David Paleino <email address hidden>
    - CVE-2012-2095
-- Julian Taylor <email address hidden> Mon, 30 Apr 2012 22:22:03 +0200

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-05-07:

#10

This bug was fixed in the package wicd - 1.7.0+ds1-6ubuntu0.11.10.1

---------------
wicd (1.7.0+ds1-6ubuntu0.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: local privilege escalation (LP: #979221)
    - debian/patches/36-fix_local_privilege_escalation.patch: sanitize
      config properties. Thanks to David Paleino <email address hidden>
    - CVE-2012-2095
  * SECURITY UPDATE: information leak in log files (LP: #992177)
    - debian/patches/37-mask-sensitive-info-from-log.patch: mask sensitive
      information in logs. Thanks to David Paleino <email address hidden>
    - CVE-2012-0813
-- Julian Taylor <email address hidden> Mon, 30 Apr 2012 19:57:13 +0200

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-05-07:

#11

This bug was fixed in the package wicd - 1.7.0+ds1-6ubuntu0.11.04.1

---------------
wicd (1.7.0+ds1-6ubuntu0.11.04.1) natty-security; urgency=low

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-05-07:

#12

This bug was fixed in the package wicd - 1.7.0+ds1-2ubuntu0.1

---------------
wicd (1.7.0+ds1-2ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: local privilege escalation (LP: #979221)
    - debian/patches/23-fix_local_privilege_escalation.patch: sanitize
      config properties. Thanks to David Paleino <email address hidden>
    - CVE-2012-2095
  * SECURITY UPDATE: information leak in log files (LP: #992177)
    - debian/patches/24-mask-sensitive-info-from-log.patch: mask sensitive
      information in logs. Thanks to David Paleino <email address hidden>
    - CVE-2012-0813
-- Julian Taylor <email address hidden> Mon, 30 Apr 2012 22:15:04 +0200

Changed in wicd (Ubuntu Lucid):
status:	Confirmed → Fix Released
Changed in wicd (Ubuntu Natty):
status:	Confirmed → Fix Released
Changed in wicd (Ubuntu Oneiric):
status:	Confirmed → Fix Released
Changed in wicd (Ubuntu Precise):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #668397
[done critical upstream confirmed security fixed-upstream] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntuwicd package

priv escalation exploit for wicd possible

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
wicd package