On Wed, Apr 11, 2012 at 05:27:10PM +0200, Arno Töll wrote: > I've briefly verified offending code against the Squeeze and Sid version > of the package but I didn't try to reproduce the steps to exploit wicd.
I did try the steps, or a variation on them, and confirmed that the package is exploitable. Patch attached, which is basically a reformat of the researcher's patch and verified to mitigate the problem. -- Jonathan Wiltshire [email protected] Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 <directhex> i have six years of solaris sysadmin experience, from 8->10. i am well qualified to say it is made from bonghits layered on top of bonghits
--- wicd-daemon.py.old 2012-04-11 21:33:34.584289029 +0100
+++ wicd-daemon.py 2012-04-11 21:47:20.209909506 +0100
@@ -946,6 +946,30 @@
self.LastScan = []
self.config = ConfigManager(wireless_conf, debug=debug)
+ #Using a dict to avoid repitition.
+ self._validProperties = {
+ 'bssid':None,
+ "essid":None,
+ "hidden":None,
+ "channel":None,
+ "mode":None,
+ "enctype":None,
+ "encryption_method":None,
+ "key":None,
+ "automatic":None,
+ "ip":None,
+ "netmask":None,
+ "broadcast":None,
+ "gateway":None,
+ "use_static_dns":None,
+ "use_global_dns":None,
+ "dns1":None,
+ "dns2":None,
+ "dns3":None,
+ "use_settings_globally":None,
+ "has_profile":None
+ }
+
def get_debug_mode(self):
return self._debug_mode
def set_debug_mode(self, mode):
@@ -1064,7 +1088,7 @@
def SetWirelessProperty(self, netid, prop, value):
""" Sets property to value in network specified. """
# We don't write script settings here.
- if (prop.strip()).endswith("script"):
+ if (prop.strip() not in self._validProperties):
print "Setting script properties through the daemon is not" \
+ " permitted."
return False
signature.asc
Description: Digital signature
