Clemens Kolbitsch and Sylvester Keil have reported a vulnerability in MadWifi, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the processing of beacon frames. This can be exploited via a specially crafted beacon frame with an overly large "length" value (greater than 15) in the extended supported rates element ("xrates"). Successful exploitation causes the driver to exit and results in a kernel panic. The vulnerability is reported in version 0.9.3.2. Other versions may also be affected. Solution: Fixed in the SVN repository. http://madwifi.org/changeset/2736
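An added example, not code from the MadWifi driver or from this bug report: a small 802.11 information-element walker in C that collects Supported Rates and Extended Supported Rates into a fixed 15-entry array and rejects any element whose length would overflow it, which is the bound the advisory above says was missing. Element IDs 1 and 50 are the standard tags for the two rate elements; the 15-entry limit is the figure quoted in the advisory; both sample frames are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IEEE80211_RATE_MAXSIZE 15   /* fixed-size rate array, as in the advisory */
#define IEEE80211_ELEMID_RATES  1   /* Supported Rates element */
#define IEEE80211_ELEMID_XRATES 50  /* Extended Supported Rates element ("xrates") */

struct scan_rates {
    uint8_t nrates;
    uint8_t rates[IEEE80211_RATE_MAXSIZE];
};

/* Walk the tagged elements of a beacon body and collect rates.
 * Returns 0 on success, -1 if an element is truncated or if the
 * combined rate count would not fit the fixed array. */
int collect_rates(const uint8_t *ies, size_t len, struct scan_rates *out)
{
    size_t off = 0;
    out->nrates = 0;
    while (off + 2 <= len) {
        uint8_t id = ies[off];
        uint8_t elen = ies[off + 1];
        if (off + 2 + elen > len)
            return -1;                      /* element runs past the frame */
        if (id == IEEE80211_ELEMID_RATES || id == IEEE80211_ELEMID_XRATES) {
            /* the check the vulnerable code lacked: bound the copy by the array */
            if ((size_t)out->nrates + elen > IEEE80211_RATE_MAXSIZE)
                return -1;
            memcpy(out->rates + out->nrates, ies + off + 2, elen);
            out->nrates += elen;
        }
        off += 2 + elen;
    }
    return 0;
}

/* Constructed sample: 8 supported rates plus 4 extended rates (12 total). */
static const uint8_t benign_ies[] = {
    1, 8, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,
    50, 4, 0x30, 0x48, 0x60, 0x6c,
};
/* Constructed sample: xrates element claiming 20 entries, more than fit. */
static const uint8_t oversized_ies[] = {
    1, 8, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,
    50, 20, 0x30, 0x48, 0x60, 0x6c, 0x30, 0x48, 0x60, 0x6c,
    0x30, 0x48, 0x60, 0x6c, 0x30, 0x48, 0x60, 0x6c, 0x30, 0x48, 0x60, 0x6c,
};

/* Helpers returning the rate count on success or -1 on rejection. */
int check_benign(void)    { struct scan_rates r; return collect_rates(benign_ies, sizeof benign_ies, &r) ? -1 : r.nrates; }
int check_oversized(void) { struct scan_rates r; return collect_rates(oversized_ies, sizeof oversized_ies, &r) ? -1 : r.nrates; }
```

The second frame is rejected before any byte is copied, so the array is never written past its end.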
Steev, please provide an updated ebuild.
The patch that addresses this issue for trunk is here: http://madwifi.org/changeset/2736 Since the code in ieee80211_scan_ap.c was merged in after the 0.9.3.2 release, we only need to fix the parts in ieee80211_scan_sta.c.
Created attachment 133482: madwifi-ng-0.9.3.2-xrates-dos.patch Backported from trunk. Steev, please have a look.
Rbu, you are a godsend - I am swamped with work - if a few other people can verify that it works, I'll give my blessing to apply (as I always do with the security bugs).
(In reply to comment #4)
> Rbu, you are a godsend - I am swamped with work - if a few other people can
> verify that it works, I'll give my blessing to apply (as I always do with the
> security bugs)
I don't use it. Maybe someone on mobile can give a test?
According to the madwifi website, this bug (and the 2.6.23 compile errors) were fixed in 0.9.3.3. See http://madwifi.org/wiki/news/20071018/release-0-9-3-3-available
That it is - I am just getting ready to commit - sorry it's taken so long, been a busy few weeks for me.
Okay, 0.9.3.3 is in portage, security team do your thing :)
Arches, please test and mark stable madwifi-ng-9.3.3. Target keywords: "amd64 ppc x86"
(In reply to comment #9)
> Arches, please test and mark stable madwifi-ng-9.3.3
Of course you should read 0.9.3.3 :p
BTW, shouldn't madwifi-ng-tools be stabilized too?
(In reply to comment #10)
> BTW, shouldn't madwifi-ng-tools be stabilized too?
It is required by madwifi-ng. x86 stable.
ppc stable
amd64 stable
B3 -> glsa? If I understand correctly, anyone in my network can crash my box, so this would be a "yes" for me.
Yes too, and request filed.
GLSA 200711-09