
Bug#668456: marked as done (pu: package wicd/1.7.0+ds1-5+squeeze2)



Your message dated Sat, 12 May 2012 13:32:55 +0100
with message-id <dda96cc3369bdcdc1a3cdf68c2fc2f56@mail.adsl.funky-badger.org>
and subject line Closing requests for packages included in 6.0.5
has caused the Debian Bug report #668456,
regarding pu: package wicd/1.7.0+ds1-5+squeeze2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
668456: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668456
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hello RT,

I'm hereby requesting permission to upload a fix for wicd to p-u, bug #668397
(CCed), CVE-2012-2095. "git diff" attached.

The patch for stable is slightly different from the one just pushed in
unstable: namely, it needed an additional "has_profile", which was used in
pre-1.7.1 versions.

Thanks for your work,
David

-- 
 . ''`.   Debian developer | http://wiki.debian.org/DavidPaleino
 : :'  : Linuxer #334216 --|-- http://www.hanskalabs.net/
 `. `'`  GPG: 1392B174 ----|---- http://deb.li/dapal
   `-   2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174
diff --git a/debian/changelog b/debian/changelog
index 8a20bc0..21cd923 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+wicd (1.7.0+ds1-5+squeeze1) UNRELEASED; urgency=low
+
+  * debian/patches/:
+    - fix local privilege escalation, CVE-2012-2095
+      (31-fix_local_privilege_escalation.patch) (Closes: #668397)
+
+ -- David Paleino <dapal@debian.org>  Thu, 12 Apr 2012 00:19:08 +0200
+
 wicd (1.7.0+ds1-5) unstable; urgency=medium
 
   * debian/patches/series:
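Review bot: the new changelog entry is stamped UNRELEASED and carries version 1.7.0+ds1-5+squeeze1, while the subject of this request asks for 1.7.0+ds1-5+squeeze2; before the upload the distribution field needs to read `stable` and the version must match what is actually being uploaded, so the changelog, the patch and the bug title agree. The entry itself is complete for a security update: it names the CVE, the patch file and the bug it closes.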
diff --git a/debian/patches/31-fix_local_privilege_escalation.patch b/debian/patches/31-fix_local_privilege_escalation.patch
new file mode 100644
index 0000000..819eb20
--- /dev/null
+++ b/debian/patches/31-fix_local_privilege_escalation.patch
@@ -0,0 +1,99 @@
+From: David Paleino <d.paleino@gmail.com>
+Subject: fix local privilege escalation, CVE-2012-2095
+Origin: upstream, http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/751
+
+---
+ wicd/wicd-daemon.py |   58 ++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 50 insertions(+), 8 deletions(-)
+
+--- wicd.orig/wicd/wicd-daemon.py
++++ wicd/wicd/wicd-daemon.py
+@@ -980,6 +980,28 @@ class WirelessDaemon(dbus.service.Object
+                                                  "wireless-settings.conf"),
+                                     debug=debug)
+ 
++        self._validProperties = (
++            'bssid',
++            'essid',
++            'hidden',
++            'channel',
++            'mode',
++            'enctype',
++            'encryption_method',
++            'key',
++            'automatic',
++            'ip',
++            'netmask',
++            'broadcast',
++            'gateway',
++            'use_static_dns',
++            'use_global_dns',
++            'dns1',
++            'dns2',
++            'dns3',
++            'use_settings_globally',
++        )
++
+     def get_debug_mode(self):
+         return self._debug_mode
+     def set_debug_mode(self, mode):
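Review bot: replacing a deny pattern (`endswith("script")`) with an explicit allowlist is the right shape for this fix, but the allowlist is built as a tuple inside `__init__`, so it is rebuilt per instance and searched linearly; a class-level `frozenset` would state the intent (a fixed set of permitted names) more clearly and make the membership test O(1). It is also worth confirming that every property the wicd client legitimately sets appears here, since the list is now default-deny: the only encryption-related entry is `'key'`, and anything not listed will be refused with just a print and a `False` return.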
+@@ -1088,9 +1110,9 @@ class WirelessDaemon(dbus.service.Object
+     def SetWirelessProperty(self, netid, prop, value):
+         """ Sets property to value in network specified. """
+         # We don't write script settings here.
+-        if (prop.strip()).endswith("script"):
+-            print "Setting script properties through the daemon is not" \
+-                  + " permitted."
++        if prop.strip() not in self._validProperties:
++            print "Trying to set invalid property (or property not " \
++                  "permitted): "+ prop.strip() + "."
+             return False
+         self.LastScan[netid][prop] = misc.to_unicode(misc.Noneify(value))
+ 
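Review bot: the membership check validates `prop.strip()`, but the assignment on the next line keys `self.LastScan[netid]` by the unstripped `prop`, so a name with surrounding whitespace passes validation yet is stored under a different key than the one that was checked. Normalising once, `prop = prop.strip()` before the check and using `prop` everywhere after it, removes the discrepancy. The rejection is reported only with a bare `print`; including `netid` in that message would make refused attempts attributable when reading the daemon output.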
+@@ -1367,6 +1389,26 @@ class WiredDaemon(dbus.service.Object):
+                                                  "wired-settings.conf"), 
+                                     debug=debug)
+ 
++        self._validProperties = (
++            'ip',
++            'broadcast',
++            'netmask',
++            'gateway',
++            'search_domain',
++            'dns_domain',
++            'dns1',
++            'dns2',
++            'dns3',
++            'encryption_enabled',
++            'default',
++            'dhcphostname',
++            'lastused',
++            'profilename',
++            'use_global_dns',
++            'use_static_dns',
++            'has_profile',
++        )
++
+     def get_debug_mode(self):
+         return self._debug_mode
+     def set_debug_mode(self, mode):
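Review bot: `'has_profile'` at the end of this list is the stable-only addition the cover mail mentions, but the patch header above records `Origin: upstream` with no indication that the backport deviates from revision 751; a note in the header (a DEP-3 `Comment:` field, or a one-line remark) stating which entry was added and why would stop the next maintainer from dropping it when refreshing the patch against upstream. The list also overlaps substantially with the wireless one; a shared module-level constant for the common names would keep the two from drifting apart.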
+@@ -1407,14 +1449,14 @@ class WiredDaemon(dbus.service.Object):
+         return str(iface)
+ 
+     @dbus.service.method('org.wicd.daemon.wired')
+-    def SetWiredProperty(self, property, value):
++    def SetWiredProperty(self, prop, value):
+         """ Sets the given property to the given value. """
+         if self.WiredNetwork:
+-            if (property.strip()).endswith("script"):
+-                print "Setting script properties through the daemon" \
+-                      + " is not permitted."
++            if prop.strip() not in self._validProperties:
++                print "Trying to set invalid property (or property not " \
++                      "permitted): "+ prop.strip() + "."
+                 return False
+-            self.WiredNetwork[property] = misc.to_unicode(misc.Noneify(value))
++            self.WiredNetwork[prop] = misc.to_unicode(misc.Noneify(value))
+             return True
+         else:
+             print 'SetWiredProperty: WiredNetwork does not exist'
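Review bot: renaming the parameter from `property` to `prop` has the welcome side effect of no longer shadowing the builtin, but the same validation-versus-storage mismatch exists here: `prop.strip()` is checked while `self.WiredNetwork[prop]` stores under the raw name. Since the check and its error message are now identical in both daemons, a small shared helper that strips, tests membership and reports the refusal, called from both `SetWiredProperty` and `SetWirelessProperty`, would guarantee the two paths keep behaving the same.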
diff --git a/debian/patches/series b/debian/patches/series
index f813495..d46fe16 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,4 @@
 28-announce_dhclient.conf.template.patch
 29-document_variables_passed_to_scripts.patch
 30-make_connection_info_selectable.patch
+31-fix_local_privilege_escalation.patch



--- End Message ---
--- Begin Message ---
Version: 6.0.5

Hi,

All of the packages referenced by the closed bugs were included in the 6.0.5 point release which occurred today.

Regards,

Adam


--- End Message ---
