Bug#: 195705
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Tobias Heinlein <keytoaster@gentoo.org>

Attachment: madwifi-ng-0.9.3.2-xrates-dos.patch (patch, 1.85 KB), created by Robert Buchholz, 2007-10-15 00:05 0000

Description:   Opened: 2007-10-13 15:30 0000
Clemens Kolbitsch and Sylvester Keil have reported a vulnerability in MadWifi,
which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by an error in the processing of beacon frames.
This can be exploited via a specially crafted beacon frame with an overly large
"length" value (greater than 15) in the extended supported rates element
("xrates").

Successful exploitation causes the driver to exit and results in a kernel
panic.

The vulnerability is reported in version 0.9.3.2. Other versions may also be
affected.

Solution:
Fixed in the SVN repository.
http://madwifi.org/changeset/2736
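
The length check the report calls for, as an added example: this is not madwifi's code and not the patch from changeset 2736, but a defensive reconstruction of how a scan-cache entry with a fixed 15-byte rate buffer should validate the Supported Rates and Extended Supported Rates ("xrates") elements before copying them. The element IDs (1 and 50) are the IEEE 802.11 values and the buffer size of 15 is the limit named in the report; the `struct scan_entry`, the function names and the beacon bytes are constructed for this example. It goes one step beyond the single "greater than 15" check in the report by also rejecting a rates plus xrates total that would not fit in the buffer, and by refusing any element whose length runs past the end of the frame.

```c
/*
 * Added example (not madwifi code, not the changeset 2736 patch): a defensive
 * walk over the information elements of an 802.11 beacon body that validates
 * the Supported Rates (ID 1) and Extended Supported Rates (ID 50, "xrates")
 * elements before copying them into a fixed 15-byte rate buffer.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_RATES      1   /* Supported Rates element ID (IEEE 802.11) */
#define IE_XRATES     50  /* Extended Supported Rates element ID (IEEE 802.11) */
#define RATE_MAXSIZE  15  /* rate buffer size; the limit named in the report */
#define BEACON_FIXED  12  /* timestamp(8) + beacon interval(2) + capability(2) */

enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1,      /* an element claims more bytes than the frame carries */
    PARSE_RATES_TOO_LONG = -2  /* rates + xrates would not fit in RATE_MAXSIZE bytes */
};

/* Hypothetical scan-cache entry with a fixed-size rate buffer. */
struct scan_entry {
    uint8_t rates[RATE_MAXSIZE];
    uint8_t nrates;
};

int parse_beacon_ies(const uint8_t *body, size_t len, struct scan_entry *se)
{
    const uint8_t *rates = NULL, *xrates = NULL;
    size_t off = BEACON_FIXED;

    se->nrates = 0;
    if (len < BEACON_FIXED)
        return PARSE_TRUNCATED;

    /* First pass: locate the elements, checking every length against the frame. */
    while (off + 2 <= len) {
        uint8_t id = body[off], elen = body[off + 1];
        if (elen > len - off - 2)
            return PARSE_TRUNCATED;
        if (id == IE_RATES)
            rates = body + off;
        else if (id == IE_XRATES)
            xrates = body + off;
        off += 2 + elen;
    }

    /* Second pass: copy only what fits. An unchecked memcpy of xrates[1]
     * bytes here is the failure mode the report describes. */
    if (rates != NULL) {
        if (rates[1] > RATE_MAXSIZE)
            return PARSE_RATES_TOO_LONG;
        memcpy(se->rates, rates + 2, rates[1]);
        se->nrates = rates[1];
    }
    if (xrates != NULL) {
        if (xrates[1] > RATE_MAXSIZE - se->nrates)
            return PARSE_RATES_TOO_LONG;
        memcpy(se->rates + se->nrates, xrates + 2, xrates[1]);
        se->nrates += xrates[1];
    }
    return PARSE_OK;
}

/* Constructed beacon body: 12 fixed bytes, SSID "test", 8 rates, 4 xrates. */
static const uint8_t good_beacon[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x01, 0x00,
    0x00, 4, 't', 'e', 's', 't',
    0x01, 8, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,
    0x32, 4, 0x30, 0x48, 0x60, 0x6c,
};

/* Constructed malformed body: same, but the xrates element claims 20 bytes. */
static const uint8_t oversized_beacon[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x01, 0x00,
    0x00, 4, 't', 'e', 's', 't',
    0x01, 8, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,
    0x32, 20, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c,
              0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c, 0x6c,
};

int example_good(void)        { struct scan_entry se; return parse_beacon_ies(good_beacon, sizeof good_beacon, &se); }
int example_good_nrates(void) { struct scan_entry se; parse_beacon_ies(good_beacon, sizeof good_beacon, &se); return se.nrates; }
int example_oversized(void)   { struct scan_entry se; return parse_beacon_ies(oversized_beacon, sizeof oversized_beacon, &se); }
/* Same malformed body, but cut 10 bytes short: the frame-bounds check fires first. */
int example_truncated(void)   { struct scan_entry se; return parse_beacon_ies(oversized_beacon, sizeof oversized_beacon - 10, &se); }

int main(void)
{
    printf("good: %d (nrates=%d)\n", example_good(), example_good_nrates());
    printf("oversized xrates: %d\n", example_oversized());
    printf("truncated frame: %d\n", example_truncated());
    return 0;
}
```

The first pass rejects a frame whose element lengths overrun the received bytes, and the second pass refuses to copy rates into the 15-byte buffer when either element alone, or the two together, would exceed it; the malformed sample is rejected with an error code instead of being copied past the end of the entry.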

------- Comment #1 From Tobias Heinlein 2007-10-13 15:32:11 0000 -------
Steev, please provide an updated ebuild.

------- Comment #2 From Robert Buchholz 2007-10-15 00:03:52 0000 -------
The patch that addresses this issue for trunk is here:
  http://madwifi.org/changeset/2736

Since the code in ieee80211_scan_ap.c was merged in after the 0.9.3.2 release,
we only need to fix the parts in ieee80211_scan_sta.c.

------- Comment #3 From Robert Buchholz 2007-10-15 00:05:33 0000 -------
Created an attachment (id=133482)
madwifi-ng-0.9.3.2-xrates-dos.patch

Backported from trunk.

Steev, please have a look.

------- Comment #4 From Steev Klimaszewski 2007-10-16 05:43:51 0000 -------
Rbu, you are a godsend - I am swamped with work - if a few other people can
verify that it works, I'll give my blessing to apply (as I always do with the
security bugs).

------- Comment #5 From Robert Buchholz 2007-10-16 11:19:51 0000 -------
(In reply to comment #4)
> Rbu, you are a godsend - I am swamped with work - if a few other people can
> verify that it works, I'll give my blessing to apply (as I always do with the
> security bugs).

I don't use it. Maybe someone on mobile can give a test?

------- Comment #6 From Dominik Paulus 2007-10-20 12:13:24 0000 -------
According to the madwifi website, this bug (and the 2.6.23 compile errors) were
fixed in 0.9.3.3.
See http://madwifi.org/wiki/news/20071018/release-0-9-3-3-available

------- Comment #7 From Steev Klimaszewski 2007-10-20 21:03:27 0000 -------
That it is - I am just getting ready to commit - sorry it's taken so long, been
a busy few weeks for me.

------- Comment #8 From Steev Klimaszewski 2007-10-20 22:26:27 0000 -------
Okay, 0.9.3.3 is in portage, security team do your thing :)

------- Comment #9 From Pierre-Yves Rofes 2007-10-20 22:40:26 0000 -------
Arches, please test and mark stable madwifi-ng-9.3.3
Target keywords: "amd64 ppc x86"

------- Comment #10 From Pierre-Yves Rofes 2007-10-20 22:42:40 0000 -------
(In reply to comment #9)
> Arches, please test and mark stable madwifi-ng-9.3.3

Of course you should read 0.9.3.3 :p

btw, shouldn't madwifi-ng-tools be stabilized too?

------- Comment #11 From Markus Meier 2007-10-21 14:45:32 0000 -------
(In reply to comment #10)
> btw, shouldn't madwifi-ng-tools be stabilized too?

It is required by madwifi-ng. x86 stable.

------- Comment #12 From Tobias Scherbaum 2007-10-24 18:10:19 0000 -------
ppc stable

------- Comment #13 From Steve Dibb 2007-10-26 13:56:21 0000 -------
amd64 stable

------- Comment #14 From Robert Buchholz 2007-10-26 14:40:16 0000 -------
B3 -> glsa?

If I understand correctly, anyone in my network can crash my box, so this would
be a "yes" for me.

------- Comment #15 From Pierre-Yves Rofes 2007-11-02 23:16:55 0000 -------
Yes too, and request filed.

------- Comment #16 From Pierre-Yves Rofes 2007-11-07 20:47:55 0000 -------
GLSA 200711-09
