Vincent Lefevre
2011-Dec-17 02:27 UTC
[Secure-testing-team] Bug#652417: wicd writes sensitive information in log files (password, passphrase...)
Package: wicd Version: 1.7.1~b3-3 Severity: grave Tags: security Justification: user security hole wicd writes sensitive information in log files (under /var/log/wicd), such as passwords and passphrases. Users in the adm group can have access to them, but also log files are meant to be sent in bug reports, and if the bug reporter doesn''t pay attention, there is a huge risk to transmit such information. -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, ''unstable''), (500, ''testing''), (500, ''stable''), (1, ''experimental'') Architecture: amd64 (x86_64) Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages wicd depends on: ii wicd-daemon 1.7.1~b3-3 ii wicd-gtk [wicd-client] 1.7.1~b3-3 wicd recommends no packages. wicd suggests no packages. Versions of packages wicd-gtk depends on: ii python 2.7.2-9 ii python-glade2 2.24.0-2 ii python-gtk2 2.24.0-2 ii wicd-daemon 1.7.1~b3-3 Versions of packages wicd-gtk recommends: ii gksu 2.0.2-6 ii python-notify 0.1.1-3 Versions of packages wicd-daemon depends on: ii adduser 3.113 ii dbus 1.4.16-1 ii debconf 1.5.41 ii ethtool 1:3.1-1 ii iproute 20111117-1 ii iputils-ping 3:20101006-1+b1 ii isc-dhcp-client [dhcp3-client] 4.1.1-P1-17 ii lsb-base 3.2-28 ii net-tools 1.60-24.1 ii psmisc 22.14-1 ii python 2.7.2-9 ii python-dbus 0.84.0-2 ii python-gobject 3.0.3-1 ii python-wicd 1.7.1~b3-3 ii wireless-tools 30~pre9-7 ii wpasupplicant 0.7.3-5 Versions of packages wicd-daemon recommends: ii wicd-gtk [wicd-client] 1.7.1~b3-3 Versions of packages wicd-daemon suggests: ii pm-utils 1.4.1-8 Versions of packages python-wicd depends on: ii python 2.7.2-9 ii python2.6 2.6.7-4 ii python2.7 2.7.2-8 -- debconf information: * wicd/users: vinc17 * wicd/users: vinc17