Bug 752464

Summary: VUL-1: yast2-network: save_y2logs can leak wireless passwords via LanItems.ycp
Product: [openSUSE] openSUSE 12.1
Reporter: Adam Spiers <aspiers>
Component: YaST2
Assignee: Michal Filka <mfilka>
Status: RESOLVED FIXED
QA Contact: Jiri Srain <jsrain>
Severity: Major
Priority: P5 - None
CC: ismail, krahmer, locilka, meissner, qa-maintenance, security-team, suse-beta
Version: Final
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:sle11-sp2:49075
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Adam Spiers 2012-03-15 14:42:15 UTC
I ran save_y2logs for bug 752235 and was about to attach the .tar.gz to the bug when I had a 'spidersense' moment and decided to check that the .tar.gz didn't contain any passwords.  It was lucky I checked, because I found my innerweb password in y2log:

YaST2/y2log:2012-03-15 10:20:24 <5> indian(11489) [YCP] LanItems.ycp:1191 $["BOOTPROTO":"dhcp", "BROADCAST":"", "ETHTOOL_OPTIONS":"", "IFPLUGD_PRIORITY":"0", "IPADDR":"", "MTU":"", "NAME":"WiFi Link 6000 Series", "NETWORK":"", "PREFIXLEN":"32", "REMOTE_IPADDR":"", "STARTMODE":"ifplugd", "USERCONTROL":"no", "WIRELESS_AP":"", "WIRELESS_AP_SCANMODE":"1", "WIRELESS_AUTH_MODE":"eap", "WIRELESS_BITRATE":"auto", "WIRELESS_CA_CERT":"", "WIRELESS_CHANNEL":"", "WIRELESS_CLIENT_CERT":"", "WIRELESS_CLIENT_KEY":"", "WIRELESS_CLIENT_KEY_PASSWORD":"", "WIRELESS_DEFAULT_KEY":"0", "WIRELESS_EAP_AUTH":"PEAP", "WIRELESS_EAP_MODE":"PEAP", "WIRELESS_ESSID":"Novell", "WIRELESS_FREQUENCY":"", "WIRELESS_KEY":"", "WIRELESS_KEY_0":"", "WIRELESS_KEY_1":"", "WIRELESS_KEY_2":"", "WIRELESS_KEY_3":"", "WIRELESS_KEY_LENGTH":"128", "WIRELESS_MODE":"Managed", "WIRELESS_NICK":"", "WIRELESS_NWID":"", "WIRELESS_PEAP_VERSION":"", "WIRELESS_POWER":"no", "WIRELESS_WPA_ANONID":"", "WIRELESS_WPA_IDENTITY":"aspiers", "WIRELESS_WPA_PASSWORD":"[censored :-)]", "WIRELESS_WPA_PSK":"", "_aliases":$[]]

It looks like WIRELESS_CLIENT_KEY_PASSWORD would have been leaked too.
Comment 1 Martin Vidner 2012-08-15 12:46:53 UTC
Some openSUSE bugs for the new maintainer of yast2-network.
Comment 2 Christian Boltz 2012-08-15 21:13:25 UTC
# osc maintainer openSUSE:Factory yast2-network
bugowner of YaST:Head/yast2-network : 
mvidner

maintainer of YaST:Head/yast2-network : 
mvidner

-> looks like you need to update the roles in OBS ;-)
Comment 4 Michal Filka 2012-09-05 13:11:49 UTC
Thank you spiderman ;-)
Fixed in 2.24.4.
commit e5f6f07332d25703b249f7c8955597075a2d7a09
Submitted into the Factory.
Comment 7 Bernhard Wiedemann 2012-09-05 14:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (752464) was mentioned in
https://build.opensuse.org/request/show/132614 Factory / yast2-network
Comment 10 Marcus Meissner 2012-09-05 14:41:39 UTC
pretty sure it will.

mildly security related (yast2-network logs wlan credentials in plaintext ... logfiles are however root-only)
Comment 11 Marcus Meissner 2012-09-05 15:41:02 UTC
I have assigned CVE-2012-0425 to this issue.
Comment 12 Marcus Meissner 2012-09-05 15:41:31 UTC
CVE-2012-0425
Comment 13 Swamp Workflow Management 2012-09-07 17:35:17 UTC
Update released for: yast2-network, yast2-network-devel-doc
Products:
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)