Bug#668456: pu: package wicd/1.7.0+ds1-5+squeeze2

To: 668456@bugs.debian.org
Cc: Adam D. Barratt <adam@adam-barratt.org.uk>
Subject: Bug#668456: pu: package wicd/1.7.0+ds1-5+squeeze2
From: David Paleino <dapal@debian.org>
Date: Mon, 30 Apr 2012 22:08:12 +0200
Message-id: <[🔎] 20120430220812.6e442f74@local>
Reply-to: dapal@debian.org, 668456@bugs.debian.org

retitle 668456 pu: package wicd/1.7.0+ds1-5+squeeze2
tags 668456 - confirmed pending
thanks

Hello people,

sorry to bother you again, but... my 1.7.2.3 release of wicd didn't really fix
anything. Now I _really_ fixed it with 1.7.2.4, which I just uploaded to sid.

Unfortunately, I pushed the wrong patch to p-u already; so here is an updated
patch, with an updated version (don't know if it's needed).

Please evaluate the patch (it's a bit different from the one in sid since
squeeze still had py2.5 available), and advice on how to proceed (re the
version number)

Thanks,
David

-- 
 . ''`.   Debian developer | http://wiki.debian.org/DavidPaleino
 : :'  : Linuxer #334216 --|-- http://www.hanskalabs.net/
 `. `'`  GPG: 1392B174 ----|---- http://deb.li/dapal
   `-   2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174

diff --git a/debian/changelog b/debian/changelog
index 8a20bc0..c245a54 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+wicd (1.7.0+ds1-5+squeeze2) UNRELEASED; urgency=low
+
+  * debian/patches/:
+    - 31-fix_local_privilege_escalation.patch, CVE-2012-2095,
+      improved. Really fixes the bug. (Closes: #668397)
+
+ -- David Paleino <dapal@debian.org>  Mon, 30 Apr 2012 21:53:47 +0200
+
+wicd (1.7.0+ds1-5+squeeze1) proposed-updates; urgency=low
+
+  * debian/patches/:
+    - fix local privilege escalation, CVE-2012-2095
+      (31-fix_local_privilege_escalation.patch) (Closes: #668397)
+
+ -- David Paleino <dapal@debian.org>  Tue, 24 Apr 2012 22:05:28 +0200
+
 wicd (1.7.0+ds1-5) unstable; urgency=medium
 
   * debian/patches/series:
diff --git a/debian/patches/31-fix_local_privilege_escalation.patch b/debian/patches/31-fix_local_privilege_escalation.patch
new file mode 100644
index 0000000..6201cfe
--- /dev/null
+++ b/debian/patches/31-fix_local_privilege_escalation.patch
@@ -0,0 +1,65 @@
+From: David Paleino <d.paleino@gmail.com>
+Subject: fix local privilege escalation, CVE-2012-2095
+Origin: upstream, http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/767
+
+---
+ wicd/misc.py        |    8 ++++++++
+ wicd/wicd-daemon.py |    9 ++++++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+--- wicd.orig/wicd/wicd-daemon.py
++++ wicd/wicd/wicd-daemon.py
+@@ -1088,7 +1088,8 @@ class WirelessDaemon(dbus.service.Object
+     def SetWirelessProperty(self, netid, prop, value):
+         """ Sets property to value in network specified. """
+         # We don't write script settings here.
+-        if (prop.strip()).endswith("script"):
++        prop = misc.sanitize_config(prop)
++        if prop.endswith('script'):
+             print "Setting script properties through the daemon is not" \
+                   + " permitted."
+             return False
+@@ -1280,7 +1281,8 @@ class WirelessDaemon(dbus.service.Object
+     @dbus.service.method('org.wicd.daemon.wireless')
+     def SaveWirelessNetworkProperty(self, id, option):
+         """ Writes a particular wireless property to disk. """
+-        if (option.strip()).endswith("script"):
++        option = misc.sanitize_config(option)
++        if option.endswith("script"):
+             print 'You cannot save script information to disk through ' + \
+                   'the daemon.'
+             return
+@@ -1410,7 +1412,8 @@ class WiredDaemon(dbus.service.Object):
+     def SetWiredProperty(self, property, value):
+         """ Sets the given property to the given value. """
+         if self.WiredNetwork:
+-            if (property.strip()).endswith("script"):
++            property = misc.sanitize_config(property)
++            if property.endswith('script'):
+                 print "Setting script properties through the daemon" \
+                       + " is not permitted."
+                 return False
+--- wicd.orig/wicd/misc.py
++++ wicd/wicd/misc.py
+@@ -26,6 +26,7 @@ import os
+ import locale
+ import sys
+ import re
++import string
+ import gobject
+ from threading import Thread
+ from subprocess import Popen, STDOUT, PIPE, call
+@@ -378,6 +379,13 @@ def noneToString(text):
+     else:
+         return str(text)
+ 
++def sanitize_config(s):
++    """ Sanitize property names to be used in config-files. """
++    allowed = string.ascii_letters + '_' + string.digits
++    table = string.maketrans(allowed, ' ' * len(allowed))
++    blank = string.maketrans('', '')
++    return s.translate(blank, table)
++
+ def to_unicode(x):
+     """ Attempts to convert a string to utf-8. """
+     # If this is a unicode string, encode it and return
diff --git a/debian/patches/series b/debian/patches/series
index f813495..d46fe16 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,4 @@
 28-announce_dhclient.conf.template.patch
 29-document_variables_passed_to_scripts.patch
 30-make_connection_info_selectable.patch
+31-fix_local_privilege_escalation.patch

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Processed: pu: package wicd/1.7.0+ds1-5+squeeze2
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processed: Re: Bug#655912: transition: libupnp3 -> libupnp6
Next by Date: Processed: pu: package wicd/1.7.0+ds1-5+squeeze2
Previous by thread: Bug#666126: transition: poppler 0.18
Next by thread: Processed: pu: package wicd/1.7.0+ds1-5+squeeze2
Index(es):
- Date
- Thread