priv escalation exploit for wicd possible

Reported by adam on 2012-04-11
This bug affects 1 person
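Affects (with status, importance, assignee and milestone where shown):
- wicd: importance Critical, assigned to David Paleino
- wicd (Debian): status Fix Released, importance Unknown
- wicd (Ubuntu): importance Undecided, Unassigned
- Lucid: importance Undecided, Unassigned
- Natty: importance Undecided, Unassigned
- Oneiric: importance Undecided, Unassigned
- Precise: importance Undecided, Unassigned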
David Paleino (dpaleino) wrote :

This issue has been assigned the following CVE ID:

CVE-2012-2095

Changed in wicd:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → David Paleino (dpaleino)
milestone: none → 1.7.2
Changed in wicd (Debian):
status: Unknown → New
David Paleino (dpaleino) on 2012-04-11
Changed in wicd:
status: Confirmed → Fix Committed
David Paleino (dpaleino) on 2012-04-11
Changed in wicd:
status: Fix Committed → Fix Released
visibility: private → public
affects: ubuntu → wicd (Ubuntu)
Changed in wicd (Debian):
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in wicd (Ubuntu):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

12.04 has 1.7.2.1-1, which should be fixed. Stable releases will need a patch.

Changed in wicd (Ubuntu):
status: Triaged → Fix Released
Julian Taylor (jtaylor) wrote :

The patch still works like a charm in Precise, no wonder it does nothing useful.
Exploit lines still pass the criteria and are inserted into the file without any sanitization.

Reopening, please sanitize the input properly.

Changed in wicd (Ubuntu):
status: Fix Released → Confirmed
Julian Taylor (jtaylor) wrote :

As pointed out to me by mdeslaur, it was reintroduced in revision 758:
http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/758

David Paleino (dpaleino) wrote :

Please explain better.

That revision really fixes it in a more general way: without "=", spaces or newlines, you can't do much harm. Sure, you can write arbitrary values in the config file, but still nothing that would get executed.
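
The kind of check discussed in this thread, as an added example that is not part of any comment here and is not wicd's code: a config writer that refuses property names or values containing "=", spaces or newlines, shown beside an unchecked writer. The function names, the `profile` section and the sample values are assumptions made for the illustration.

```python
# Added illustration; not wicd's code. Section, property names and values are constructed.
import configparser

# "=", space and newline are the characters named in the thread; tab and CR are
# included here as an assumption of this example.
FORBIDDEN = ("=", " ", "\n", "\t", "\r")


def is_safe_token(text):
    """True when text carries no character that can start a new key or line."""
    return not any(ch in text for ch in FORBIDDEN)


def write_naive(section, prop, value):
    """'Before': caller-supplied strings go into the file text unchecked."""
    return "[%s]\n%s = %s\n" % (section, prop, value)


def write_sanitized(section, prop, value):
    """'After': refuse a property name or value with a forbidden character."""
    for field in (prop, value):
        if not is_safe_token(field):
            raise ValueError("rejected config property: %r" % (field,))
    return write_naive(section, prop, value)


def parsed_keys(text):
    """Parse the file text back and return {section: {key: value}}."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def demo():
    # Constructed input: one value that smuggles a second "key = value" line.
    smuggled = "dhcp\ninjected_key = constructed"
    before = parsed_keys(write_naive("profile", "mode", smuggled))
    try:
        after = parsed_keys(write_sanitized("profile", "mode", smuggled))
    except ValueError:
        after = None  # the write was refused, so the file is never touched
    return before, after


if __name__ == "__main__":
    print(demo())
```

Parsing the written text back is the useful regression test for a fix like this: it checks how many keys actually land in the file, rather than whether one particular input string was blocked.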

David Paleino (dpaleino) on 2012-04-30
Changed in wicd:
milestone: 1.7.2 → 1.7.2.4
status: Fix Released → Fix Committed
status: Fix Committed → Fix Released
Julian Taylor (jtaylor) wrote :

This bug was fixed in the package wicd - 1.7.2.4-1

---------------
wicd (1.7.2.4-1) unstable; urgency=high

  * New upstream version
    - really fix local privilege escalation, CVE-2012-2095 (Closes: #668397)
  * Fixed typo in previous changelog entry

 -- David Paleino <email address hidden> Mon, 30 Apr 2012 21:32:55 +0200

Changed in wicd (Ubuntu):
status: Confirmed → Fix Released
Tyler Hicks (tyhicks) wrote :

jtaylor's branches look good. Packages are building and should be released soon.

Changed in wicd (Ubuntu Lucid):
status: New → Confirmed
Changed in wicd (Ubuntu Natty):
status: New → Confirmed
Changed in wicd (Ubuntu Oneiric):
status: New → Confirmed
Changed in wicd (Ubuntu Precise):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wicd - 1.7.2.3-1ubuntu0.1

---------------
wicd (1.7.2.3-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: local privilege escalation (LP: #979221)
    - debian/patches/33-fix_local_privilege_escalation.patch: sanitize
      config properties. Thanks to David Paleino <email address hidden>
    - CVE-2012-2095
 -- Julian Taylor <email address hidden> Mon, 30 Apr 2012 22:22:03 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wicd - 1.7.0+ds1-6ubuntu0.11.10.1

---------------
wicd (1.7.0+ds1-6ubuntu0.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: local privilege escalation (LP: #979221)
    - debian/patches/36-fix_local_privilege_escalation.patch: sanitize
      config properties. Thanks to David Paleino <email address hidden>
    - CVE-2012-2095
  * SECURITY UPDATE: information leak in log files (LP: #992177)
    - debian/patches/37-mask-sensitive-info-from-log.patch: mask sensitive
      information in logs. Thanks to David Paleino <email address hidden>
    - CVE-2012-0813
 -- Julian Taylor <email address hidden> Mon, 30 Apr 2012 19:57:13 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wicd - 1.7.0+ds1-6ubuntu0.11.04.1

---------------
wicd (1.7.0+ds1-6ubuntu0.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: local privilege escalation (LP: #979221)
    - debian/patches/36-fix_local_privilege_escalation.patch: sanitize
      config properties. Thanks to David Paleino <email address hidden>
    - CVE-2012-2095
  * SECURITY UPDATE: information leak in log files (LP: #992177)
    - debian/patches/37-mask-sensitive-info-from-log.patch: mask sensitive
      information in logs. Thanks to David Paleino <email address hidden>
    - CVE-2012-0813
 -- Julian Taylor <email address hidden> Mon, 30 Apr 2012 19:57:13 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wicd - 1.7.0+ds1-2ubuntu0.1

---------------
wicd (1.7.0+ds1-2ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: local privilege escalation (LP: #979221)
    - debian/patches/23-fix_local_privilege_escalation.patch: sanitize
      config properties. Thanks to David Paleino <email address hidden>
    - CVE-2012-2095
  * SECURITY UPDATE: information leak in log files (LP: #992177)
    - debian/patches/24-mask-sensitive-info-from-log.patch: mask sensitive
      information in logs. Thanks to David Paleino <email address hidden>
    - CVE-2012-0813
 -- Julian Taylor <email address hidden> Mon, 30 Apr 2012 22:15:04 +0200

Changed in wicd (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in wicd (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in wicd (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in wicd (Ubuntu Precise):
status: Confirmed → Fix Released
This report contains Public Security information
Everyone can see this security related information.