[wicd] Fix CVS-2012-0813 (#785147)

David Cantrell dcantrel at fedoraproject.org
Fri Jan 27 19:22:01 UTC 2012


commit 309fe7376a594ecbdaaad0a610dd5d4771f55810
Author: David Cantrell <david.l.cantrell at gmail.com>
Date:   Fri Jan 27 14:21:47 2012 -0500

    Fix CVE-2012-0813 (#785147)

 wicd-1.7.1b2-CVE-2012-0813.patch |   19 +++++++++++++++++++
 wicd.spec                        |   11 ++++++++++-
 2 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/wicd-1.7.1b2-CVE-2012-0813.patch b/wicd-1.7.1b2-CVE-2012-0813.patch
new file mode 100644
index 0000000..06f0e8f
--- /dev/null
+++ b/wicd-1.7.1b2-CVE-2012-0813.patch
@@ -0,0 +1,19 @@
+diff -up wicd-1.7.1b2/wicd/configmanager.py.CVE-2012-0813 wicd-1.7.1b2/wicd/configmanager.py
+--- wicd-1.7.1b2/wicd/configmanager.py.CVE-2012-0813	2010-10-29 11:36:55.000000000 -0400
++++ wicd-1.7.1b2/wicd/configmanager.py	2012-01-27 14:17:48.773091678 -0500
+@@ -107,8 +107,13 @@ class ConfigManager(RawConfigParser):
+                 ret = ret[3:-3]
+             if default:
+                 if self.debug:
+-                    print ''.join(['found ', option, ' in configuration ', 
+-                                   str(ret)])
++                    # mask out sensitive information
++                    if option in ['apsk', 'password', 'identity', 'private_key', \
++                                  'private_key_passwd', 'key', 'passphrase']:
++                        print ''.join(['found ', option, ' in configuration *****'])
++                    else:
++                        print ''.join(['found ', option, ' in configuration ', 
++                                       str(ret)])
+         else:
+             if default != "__None__":
+                 print 'did not find %s in configuration, setting default %s' % (option, str(default))
diff --git a/wicd.spec b/wicd.spec
index 8fd600b..3c94572 100644
--- a/wicd.spec
+++ b/wicd.spec
@@ -10,7 +10,7 @@
 
 Name:                wicd
 Version:             1.7.1
-Release:             0.2.%{alphatag}%{?dist}
+Release:             0.3.%{alphatag}%{?dist}
 Summary:             Wireless and wired network connection manager
 
 Group:               System Environment/Base
@@ -27,6 +27,7 @@ Patch2:              wicd-1.7.1b2-error-messages.patch
 Patch3:              wicd-1.7.0-dbus-policy.patch
 Patch4:              wicd-1.7.1b2-wired_showing.patch
 Patch5:              wicd-1.7.1b2-initialize-check-and-message.patch
+Patch6:              wicd-1.7.1b2-CVE-2012-0813.patch
 
 BuildRoot:           %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -u -n)
 BuildRequires:       python2-devel
@@ -109,6 +110,11 @@ Client program for wicd that uses a GTK+ interface.
 # Make sure check and message are always a lambda
 %patch5 -p1
 
+# Fix CVE-2012-0813
+# Patch based on upstream:
+# http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/revision/682
+%patch6 -p1
+
 %build
 # NOTE: --etc is where dhclient.conf.template goes
 %{__python} setup.py configure \
@@ -293,6 +299,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %{_datadir}/icons/hicolor/scalable/apps/wicd-gtk.svg
 
 %changelog
+* Fri Jan 27 2012 David Cantrell <dcantrell at redhat.com> - 1.7.1b2-0.3
+- Fix CVS-2012-0813 (#785147)
+
 * Sat Jan 14 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.7.1-0.2.b2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 

