Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
Hello RT, I'm hereby requesting permission to upload a fix for wicd to p-u, bug #668397 (CCed), CVE-2012-2095. "git diff" attached. The patch for stable is slightly different from the one just pushed in unstable: namely, it needed an additional "has_profile", which was used in pre-1.7.1 versions. Thanks for your work, David -- . ''`. Debian developer | http://wiki.debian.org/DavidPaleino : :' : Linuxer #334216 --|-- http://www.hanskalabs.net/ `. `'` GPG: 1392B174 ----|---- http://deb.li/dapal `- 2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174
diff --git a/debian/changelog b/debian/changelog
index 8a20bc0..21cd923 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+wicd (1.7.0+ds1-5+squeeze1) UNRELEASED; urgency=low
+
+ * debian/patches/:
+ - fix local privilege escalation, CVE-2012-2095
+ (31-fix_local_privilege_escalation.patch) (Closes: #668397)
+
+ -- David Paleino <da...@debian.org> Thu, 12 Apr 2012 00:19:08 +0200
+
 wicd (1.7.0+ds1-5) unstable; urgency=medium

 * debian/patches/series:
diff --git a/debian/patches/31-fix_local_privilege_escalation.patch b/debian/patches/31-fix_local_privilege_escalation.patch
new file mode 100644
index 0000000..819eb20
--- /dev/null
+++ b/debian/patches/31-fix_local_privilege_escalation.patch
@@ -0,0 +1,99 @@
+From: David Paleino <d.pale...@gmail.com>
+Subject: fix local privilege escalation, CVE-2012-2095
+Origin: upstream, http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/751
+
+---
+ wicd/wicd-daemon.py | 58 ++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 50 insertions(+), 8 deletions(-)
+
+--- wicd.orig/wicd/wicd-daemon.py
++++ wicd/wicd/wicd-daemon.py
+@@ -980,6 +980,28 @@ class WirelessDaemon(dbus.service.Object
+ "wireless-settings.conf"),
+ debug=debug)
+
++ self._validProperties = (
++ 'bssid',
++ 'essid',
++ 'hidden',
++ 'channel',
++ 'mode',
++ 'enctype',
++ 'encryption_method',
++ 'key',
++ 'automatic',
++ 'ip',
++ 'netmask',
++ 'broadcast',
++ 'gateway',
++ 'use_static_dns',
++ 'use_global_dns',
++ 'dns1',
++ 'dns2',
++ 'dns3',
++ 'use_settings_globally',
++ )
++
+ def get_debug_mode(self):
+ return self._debug_mode
+ def set_debug_mode(self, mode):
+@@ -1088,9 +1110,9 @@ class WirelessDaemon(dbus.service.Object
+ def SetWirelessProperty(self, netid, prop, value):
+ """ Sets property to value in network specified. """
+ # We don't write script settings here.
+- if (prop.strip()).endswith("script"):
+- print "Setting script properties through the daemon is not" \
+- + " permitted."
++ if prop.strip() not in self._validProperties:
++ print "Trying to set invalid property (or property not " \
++ "permitted): "+ prop.strip() + "."
+ return False
+ self.LastScan[netid][prop] = misc.to_unicode(misc.Noneify(value))
+
+@@ -1367,6 +1389,26 @@ class WiredDaemon(dbus.service.Object):
+ "wired-settings.conf"),
+ debug=debug)
+
++ self._validProperties = (
++ 'ip',
++ 'broadcast',
++ 'netmask',
++ 'gateway',
++ 'search_domain',
++ 'dns_domain',
++ 'dns1',
++ 'dns2',
++ 'dns3',
++ 'encryption_enabled',
++ 'default',
++ 'dhcphostname',
++ 'lastused',
++ 'profilename',
++ 'use_global_dns',
++ 'use_static_dns',
++ 'has_profile',
++ )
++
+ def get_debug_mode(self):
+ return self._debug_mode
+ def set_debug_mode(self, mode):
+@@ -1407,14 +1449,14 @@ class WiredDaemon(dbus.service.Object):
+ return str(iface)
+
+ @dbus.service.method('org.wicd.daemon.wired')
+- def SetWiredProperty(self, property, value):
++ def SetWiredProperty(self, prop, value):
+ """ Sets the given property to the given value. """
+ if self.WiredNetwork:
+- if (property.strip()).endswith("script"):
+- print "Setting script properties through the daemon" \
+- + " is not permitted."
++ if prop.strip() not in self._validProperties:
++ print "Trying to set invalid property (or property not " \
++ "permitted): "+ prop.strip() + "."
+ return False
+- self.WiredNetwork[property] = misc.to_unicode(misc.Noneify(value))
++ self.WiredNetwork[prop] = misc.to_unicode(misc.Noneify(value))
+ return True
+ else:
+ print 'SetWiredProperty: WiredNetwork does not exist'
diff --git a/debian/patches/series b/debian/patches/series
index f813495..d46fe16 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,4 @@
 28-announce_dhclient.conf.template.patch
 29-document_variables_passed_to_scripts.patch
 30-make_connection_info_selectable.patch
+31-fix_local_privilege_escalation.patch
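Review bot: Both setters test `prop.strip()` against `_validProperties` but then index with the unstripped `prop` (`self.LastScan[netid][prop]` in SetWirelessProperty, `self.WiredNetwork[prop]` in SetWiredProperty), so a name that matches only after stripping is stored with its surrounding whitespace or line breaks intact. Normalise once at the top of each method with `prop = prop.strip()` and use that single value for the membership test, the log message and the assignment, so the stored key is exactly the key that was validated. The visible lines also pass `value` through `misc.Noneify` and `misc.to_unicode` with no check of their own; those helpers are not shown here, so it is worth confirming that control characters in a value cannot reach the settings file. A short comment above each `_validProperties` tuple, such as `# Only these keys may be set over D-Bus; script properties are deliberately excluded.`, would record why the list exists. SetWirelessProperty continues past the end of its hunk.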