Hi,
* Arno Töll <a...@debian.org> [2012-04-11 17:32]:
> Package: wicd
> Severity: critical
> Tags: security
> Justification: root security hole
>
> It was discovered, wicd in any version supported by Debian (i.e. stable,
> testing and unstable) yields to local privilege escalation by injecting
> arbitrary code through the DBus interface due to incomplete input
> sanitation.
>
> I've briefly verified offending code against the Squeeze and Sid version
> of the package but I didn't try to reproduce the steps to exploit wicd.
> As far as I know there is no upstream fix available.
>
>
> Details can be found on [1] or via Full Disclosure post [2].
>
> [1] http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> [2] <00e301cd17f2$0b33efd0$219bcf70$@com> /
> http://seclists.org/fulldisclosure/2012/Apr/123

CVE-2012-2095 has been assigned to this issue. Please mention this id when
uploading a fix.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.