oss-sec mailing list archives
CVE Request - Wicd <= 1.5.8
From: Robby Workman <rw () rlworkman net>
Date: Fri, 6 Feb 2009 10:00:46 -0600
In Wicd <= 1.5.8, the dbus configuration file's default context allows any user to own the org.wicd.daemon object, thus potentially allowing a user to receive messages intended for the wicd daemon. These messages could include, among other things, credentials for secure networks.

Typically, Wicd is used on single-user systems (such as laptops), and is started early in the boot process, so unless the daemon crashes or is stopped for some other reason, leveraging this would not be trivial for a malicious user, unless I'm missing something.

This is fixed in the Wicd-1.5.9 release, and is not present at all in the development branch leading to 1.6.0.

The bug was discovered by Tiziano Mueller of the Gentoo team; thanks to him for the report, analysis, and follow-up discussion.

Here's the bzr commit with the fix:
http://bazaar.launchpad.net/~wicd-devel/wicd/trunk/revision/222

About Wicd:
Wicd <http://wicd.net> is a wired and wireless network manager application.
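As an added check (not the advisory's or Wicd's own code), the script below flags D-Bus system-bus policy files whose default context lets any user own a bus name, which is the class of misconfiguration described above. The two policy snippets are constructed to mirror the weak setting and its usual fix (ownership restricted to root), and `/etc/dbus-1/system.d` is assumed as the conventional policy directory.

```python
"""Flag D-Bus system-bus policy files that let any user own a bus name."""
import glob
import os
import xml.etree.ElementTree as ET

# Constructed sample: the default context grants ownership of the daemon's
# name to every local user, so a user could claim org.wicd.daemon.
WEAK_POLICY = """<busconfig>
  <policy context="default">
    <allow own="org.wicd.daemon"/>
    <allow send_destination="org.wicd.daemon"/>
  </policy>
</busconfig>
"""

# Constructed sample: only root may own the name; other users may still send to it.
FIXED_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.wicd.daemon"/>
  </policy>
  <policy context="default">
    <deny own="org.wicd.daemon"/>
    <allow send_destination="org.wicd.daemon"/>
  </policy>
</busconfig>
"""


def unrestricted_owns(policy_xml):
    """Return bus names that a default-context policy allows any user to own.

    Only <policy context="default"> blocks are examined; <policy user=...> and
    <policy group=...> blocks apply to specific principals and are skipped.
    """
    root = ET.fromstring(policy_xml)
    names = []
    for policy in root.iter("policy"):
        if "user" in policy.attrib or "group" in policy.attrib:
            continue
        if policy.attrib.get("context", "default") != "default":
            continue
        for rule in policy:
            if rule.tag == "allow" and "own" in rule.attrib:
                names.append(rule.attrib["own"])
            elif rule.tag == "allow" and "own_prefix" in rule.attrib:
                names.append(rule.attrib["own_prefix"] + ".*")
    return names


def audit_dir(conf_dir="/etc/dbus-1/system.d"):
    """Map each policy file under conf_dir to the names its default context may own."""
    findings = {}
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        with open(path) as fh:
            names = unrestricted_owns(fh.read())
        if names:
            findings[path] = names
    return findings
```

Run `audit_dir()` on a host to list every service name that a default-context rule hands to all users; a non-empty result for a privileged daemon's name is the condition this advisory describes.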
