[Secure-testing-team] Bug#652417: wicd writes sensitive information in log files (password, passphrase...)

Vincent Lefevre vincent at vinc17.net
Sat Dec 17 02:27:32 UTC 2011 

Package: wicd
Version: 1.7.1~b3-3
Severity: grave
Tags: security
Justification: user security hole

wicd writes sensitive information in log files (under /var/log/wicd),
such as passwords and passphrases. Users in the adm group can have
access to them, but also log files are meant to be sent in bug
reports, and if the bug reporter doesn't pay attention, there is
a huge risk to transmit such information.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages wicd depends on:
ii  wicd-daemon             1.7.1~b3-3
ii  wicd-gtk [wicd-client]  1.7.1~b3-3

wicd recommends no packages.

wicd suggests no packages.

Versions of packages wicd-gtk depends on:
ii  python         2.7.2-9
ii  python-glade2  2.24.0-2
ii  python-gtk2    2.24.0-2
ii  wicd-daemon    1.7.1~b3-3

Versions of packages wicd-gtk recommends:
ii  gksu           2.0.2-6
ii  python-notify  0.1.1-3

Versions of packages wicd-daemon depends on:
ii  adduser                         3.113
ii  dbus                            1.4.16-1
ii  debconf                         1.5.41
ii  ethtool                         1:3.1-1
ii  iproute                         20111117-1
ii  iputils-ping                    3:20101006-1+b1
ii  isc-dhcp-client [dhcp3-client]  4.1.1-P1-17
ii  lsb-base                        3.2-28
ii  net-tools                       1.60-24.1
ii  psmisc                          22.14-1
ii  python                          2.7.2-9
ii  python-dbus                     0.84.0-2
ii  python-gobject                  3.0.3-1
ii  python-wicd                     1.7.1~b3-3
ii  wireless-tools                  30~pre9-7
ii  wpasupplicant                   0.7.3-5

Versions of packages wicd-daemon recommends:
ii  wicd-gtk [wicd-client]  1.7.1~b3-3

Versions of packages wicd-daemon suggests:
ii  pm-utils  1.4.1-8

Versions of packages python-wicd depends on:
ii  python     2.7.2-9
ii  python2.6  2.6.7-4
ii  python2.7  2.7.2-8

-- debconf information:
* wicd/users: vinc17
* wicd/users: vinc17

More information about the Secure-testing-team mailing list