Date: Fri, 6 Feb 2009 10:00:46 -0600
From: Robby Workman <rw@...orkman.net>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com
Subject: CVE Request - Wicd <= 1.5.8

In Wicd <=1.5.8, the dbus configuration file's default context
allows any user to own the org.wicd.daemon object, thus potentially
allowing a user to receive messages intended for the wicd daemon.
These messages could include, among other things, credentials for
secure networks.

Typically, Wicd is used on single-user systems (such as laptops),
and is started early in the boot process, so unless the daemon
crashes or is stopped for some other reason, leveraging this would
not be trivial for a malicious user, unless I'm missing something.

This is fixed in the Wicd-1.5.9 release, and is not present at all
in the development branch leading to 1.6.0.

The bug was discovered by Tiziano Mueller of the Gentoo team; thanks
to him for the report, analysis, and follow-up discussion.

Here's the bzr commit with the fix:
http://bazaar.launchpad.net/~wicd-devel/wicd/trunk/revision/222

About Wicd:
Wicd <http://wicd.net> is a wired and wireless network manager
application.
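The misconfiguration described above can be audited mechanically. The following is an added example, not Wicd's code or its actual fix: it parses a D-Bus bus policy and reports every bus name that the world-wide policy lets an unprivileged connection own. The two policy snippets are constructed to show the weak and the hardened form; the hardened one scopes `own` to root and denies it in the default context.

```python
"""Flag bus names that a D-Bus policy lets any local user own."""
import xml.etree.ElementTree as ET

# Constructed illustration of the weak pattern: the default context,
# which applies to every connection, may own the daemon's name.
WEAK_POLICY = """<busconfig>
  <policy context="default">
    <allow own="org.wicd.daemon"/>
    <allow send_destination="org.wicd.daemon"/>
  </policy>
</busconfig>"""

# Constructed hardened variant: only root may claim the name; other
# users may still send to the daemon but cannot impersonate it.
HARDENED_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.wicd.daemon"/>
  </policy>
  <policy context="default">
    <deny own="org.wicd.daemon"/>
    <allow send_destination="org.wicd.daemon"/>
  </policy>
</busconfig>"""

SELECTORS = {"user", "group", "at_console"}


def world_ownable_names(policy_xml):
    """Return bus names an arbitrary local user could register.

    A <policy> without a user/group/at_console selector (context="default"
    or "mandatory") applies to all connections, so an <allow own=...> there
    lets anyone claim the name and receive messages addressed to it.
    Within a policy, later rules override earlier ones, so a following
    <deny own=...> cancels the allow.
    """
    findings = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if SELECTORS & set(policy.attrib):
            continue  # scoped to a specific user or group, not world-wide
        allowed = set()
        for rule in policy:
            name = rule.get("own")
            if name is not None and rule.tag == "allow":
                allowed.add(name)
            elif name is not None and rule.tag == "deny":
                allowed.discard(name)
        findings.extend(sorted(allowed))
    return findings


if __name__ == "__main__":
    print("weak:", world_ownable_names(WEAK_POLICY))          # ['org.wicd.daemon']
    print("hardened:", world_ownable_names(HARDENED_POLICY))  # []
```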
