[pkg-wicd-maint] Bug#902421: wicd-daemon: silently keeps and uses obsolete, possibly insecure config in /etc/wicd/wireless-settings.conf
Vincent Lefevre
vincent at vinc17.net
Tue Jun 26 13:52:57 BST 2018
Package: wicd-daemon
Version: 1.7.4+tb2-6
Severity: grave
Tags: security
Justification: user security hole
I'm using eduroam, and instead of keeping only one config associated
with it (e.g. [essid:eduroam]), wicd creates many of them in
/etc/wicd/wireless-settings.conf (based on the bssid instead of the
essid, even though wicd seems to ignore the bssid when searching for
a matching config), and when one updates the eduroam config, some
old configs are not updated, and wicd can randomly use them later.
I noticed that after a password update: I got a connection failure
due to an old config with an old password. But there's the same issue
with the certificate (ca_cert field). In my case, some old configs
that became insecure after a security hole was found in the protocol
were still used by wicd, which could yield a leak of my password.
Note: The UI just presents the essid, so that the user will generally
not know what's going on.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.16.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages wicd-daemon depends on:
ii adduser 3.117
ii dbus 1.12.8-3
ii debconf 1.5.67
ii iputils-ping 3:20161105-1
ii isc-dhcp-client 4.3.5-4
ii lsb-base 9.20170808
ii psmisc 23.1-1+b1
ii python 2.7.15-3
ii python-dbus 1.2.8-2
ii python-gobject-2 2.28.6-13+b1
ii python-wicd 1.7.4+tb2-6
ii wireless-tools 30~pre9-12+b1
ii wpasupplicant 2:2.6-17
Versions of packages wicd-daemon recommends:
ii rfkill 2.32-0.1
ii wicd-curses [wicd-client] 1.7.4+tb2-6
ii wicd-gtk [wicd-client] 1.7.4+tb2-6
Versions of packages wicd-daemon suggests:
pn pm-utils <none>
Versions of packages wicd depends on:
ii wicd-curses [wicd-client] 1.7.4+tb2-6
ii wicd-gtk [wicd-client] 1.7.4+tb2-6
Versions of packages wicd-gtk depends on:
ii python 2.7.15-3
ii python-glade2 2.24.0-5.1+b1
ii python-gtk2 2.24.0-5.1+b1
Versions of packages wicd-gtk recommends:
ii menu 2.1.47+b1
ii policykit-1 0.105-20
ii python-notify 0.1.1-4
Versions of packages wicd-curses depends on:
ii python 2.7.15-3
ii python-urwid 2.0.1-2
Versions of packages wicd-curses recommends:
ii sudo 1.8.23-1
Versions of packages python-wicd depends on:
ii net-tools 1.60+git20161116.90da8a0-2
ii python 2.7.15-3
Versions of packages python-wicd suggests:
ii ethtool 1:4.16-1
ii iproute2 4.16.0-4
-- Configuration Files:
/etc/wicd/encryption/templates/active changed [not included]
-- debconf information:
* wicd/users:
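As an added illustration of the behaviour described in this report (not code from wicd or from the reporter): a small audit script that parses a wicd-style wireless-settings.conf, groups the BSSID-keyed sections by ESSID, and flags profiles for the same ESSID that disagree on the password or ca_cert field, which is the stale-copy situation that the UI would otherwise hide. The section layout, the key names `essid`, `password` and `ca_cert`, and the sample file contents are assumptions constructed for the example.

```python
import configparser
from collections import defaultdict

# Profile fields whose disagreement between two profiles for the same ESSID
# matters: an old password or CA-certificate setting can be reused silently.
# (Key names are an assumption; wicd's real key names are not shown above.)
SENSITIVE_FIELDS = ("password", "ca_cert")

# Constructed sample config: BSSID-keyed sections, two of them for the same
# ESSID, the second still carrying an old password and no CA certificate.
SAMPLE_CONF = """\
[00:11:22:33:44:55]
essid = eduroam
password = new-secret
ca_cert = /etc/ssl/certs/eduroam-ca.pem

[00:11:22:33:44:66]
essid = eduroam
password = old-secret
ca_cert =

[aa:bb:cc:dd:ee:ff]
essid = homenet
password = homepass
"""

def find_stale_profiles(conf_text):
    """Group sections by ESSID and report every sensitive field on which the
    profiles for one ESSID disagree: {essid: [(field, {value: [sections]})]}."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    by_essid = defaultdict(list)
    for section in cp.sections():
        essid = cp.get(section, "essid", fallback=None)
        if essid:
            by_essid[essid].append(section)
    findings = {}
    for essid, sections in by_essid.items():
        if len(sections) < 2:      # a single profile cannot be a stale copy
            continue
        for field in SENSITIVE_FIELDS:
            values = defaultdict(list)
            for section in sections:
                values[cp.get(section, field, fallback="")].append(section)
            if len(values) > 1:    # conflicting values: a stale copy exists
                findings.setdefault(essid, []).append((field, dict(values)))
    return findings
```

Run against the real file as `find_stale_profiles(open("/etc/wicd/wireless-settings.conf").read())`; any ESSID reported is one whose stale BSSID-keyed sections should be deleted before the next connection attempt.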