Control: severity -1 normal
Control: tag -1 + moreinfo

Hi Vincent,

Vincent Lefevre wrote:
> Severity: grave
> Tags: security
> Justification: user security hole
>
> I'm using eduroam, and instead of keeping only one config associated
> with it (e.g. [essid:eduroam]), wicd creates many of them in
> /etc/wicd/wireless-settings.conf (based on the bssid instead of the
> essid,

Yes, this is by design. Are you aware that you need to explicitly
configure if a configuration needs to be solely based on the ESSID? It's
called "use these settings for all wifis with this ESSID" or similar.

And IMNSHO it's a security feature and not a bug that wicd does use only
the BSSID by default. That way credentials can't be leaked to rogue
access points which share the same ESSID (which is easy to do).

> even though wicd seems to ignore the bssid when searching for
> a matching config),

If you set that flag, of course it does.

> and when one updates the eduroam config, some old configs are not
> updated, and wicd can randomly use them later.

In which case did this happen? With an ESSID where you had the "use
these settings for all wifis with this ESSID" flag set or not? In the
latter case it should update all of them (or only keep one and remove
the remaining ones with the same ESSID), in the former it shouldn't.
(→ moreinfo)

Downgrading to the default severity at least until the specific settings
under which this happened are clarified.

> I noticed that after a password update: I got a connection failure
> due to an old config with an old password. But there's the same issue
> with the certificate (ca_cert field). In my case, some old configs
> that became insecure after a security hole was found in the protocol
> were still used by wicd, which could yield a leak of my password.

Am I right that you say that it's not an outdated password which might
be leaked, but the current password which is sent in an insecure way,
like WEP instead of WPA? (But then I wonder: Why is the WPA password
sent via WEP? IIRC WICD stores them per encryption method. And I don't
think that sending no-longer-valid passwords is a security threat that
validates RC severity.)

Once again: This depends a lot on your settings (see above). It should
not happen with the setting "use these settings for all wifis with this
ESSID", but it is expected to happen (and a security feature) if that
flag is not set.

> Note: The UI just presents the essid, so that the user will generally
> not know what's going on.

Which UI? WICD has several UIs (Gtk, Curses, CLI) and you filed that bug
report against wicd-daemon. (→ moreinfo, too)

Regards, Axel

-- 
,''`.  | Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `'  | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-   | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
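The two profile-matching policies argued over in this thread (per-BSSID profiles by default, one ESSID-wide profile when the "use these settings for all wifis with this ESSID" flag is set) can be modelled in a few lines. The following is an added illustration written for this page; it is not wicd's code, and the class names, the `use_settings_globally` field name and the sample BSSIDs are all constructed assumptions. It shows why an unknown BSSID broadcasting a known ESSID gets no credentials under the default policy, and why a password update touches only one profile unless the ESSID-wide flag is set, which is the stale-profile behaviour the reporter observed.

```python
"""Hypothetical model of per-BSSID vs ESSID-wide wireless profiles (not wicd code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Profile:
    essid: str
    bssid: str
    password: str
    ca_cert: str
    # Assumed name for the "use these settings for all wifis with this ESSID" flag.
    use_settings_globally: bool = False


class ProfileStore:
    """Profiles are keyed by BSSID, as the thread describes for wireless-settings.conf."""

    def __init__(self) -> None:
        self._profiles: Dict[str, Profile] = {}

    def add(self, profile: Profile) -> None:
        self._profiles[profile.bssid] = profile

    def lookup(self, essid: str, bssid: str) -> Optional[Profile]:
        """Pick the profile for a scanned access point, or None if nothing applies.

        An exact BSSID match always wins. A profile is applied to a BSSID we never
        saved only if it is marked ESSID-wide; otherwise an access point that merely
        shares the ESSID is offered no credentials at all.
        """
        exact = self._profiles.get(bssid)
        if exact is not None and exact.essid == essid:
            return exact
        for profile in self._profiles.values():
            if profile.essid == essid and profile.use_settings_globally:
                return profile
        return None

    def update_password(self, bssid: str, new_password: str) -> int:
        """Change the password of one profile; return how many profiles were touched.

        With the ESSID-wide flag set, every profile for that ESSID is updated, so no
        stale copy with the old password remains. Without it, only the edited BSSID
        changes and sibling profiles keep their old credentials.
        """
        target = self._profiles[bssid]
        if not target.use_settings_globally:
            target.password = new_password
            return 1
        touched = 0
        for profile in self._profiles.values():
            if profile.essid == target.essid:
                profile.password = new_password
                touched += 1
        return touched

    def stale_profiles(self, essid: str, current_password: str) -> List[str]:
        """List BSSIDs whose stored password for this ESSID is no longer the current one."""
        return sorted(p.bssid for p in self._profiles.values()
                      if p.essid == essid and p.password != current_password)


def build_sample_store(essid_wide: bool) -> ProfileStore:
    """Construct two eduroam profiles seen at two (constructed) BSSIDs."""
    store = ProfileStore()
    for bssid in ("02:00:00:00:00:01", "02:00:00:00:00:02"):
        store.add(Profile("eduroam", bssid, "old-secret", "ca-old.pem", essid_wide))
    return store


if __name__ == "__main__":
    store = build_sample_store(essid_wide=False)
    # Unknown BSSID with the familiar ESSID: default policy hands over nothing.
    print("unknown BSSID matched:", store.lookup("eduroam", "02:00:00:00:00:99"))
    store.update_password("02:00:00:00:00:01", "new-secret")
    print("stale after update:", store.stale_profiles("eduroam", "new-secret"))
```

Run it as a script to see both effects: the lookup for the unsaved BSSID returns `None`, and after updating one profile the other BSSID still holds `old-secret`. Building the store with `essid_wide=True` makes the update touch both profiles and the lookup succeed for any BSSID carrying that ESSID, which is exactly the trade-off Axel describes.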