Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 195705 - net-wireless/madwifi-ng < 0.9.3.3 "xrates" Remote Denial of Service (CVE-2007-5448)
Summary: net-wireless/madwifi-ng < 0.9.3.3 "xrates" Remote Denial of Service (CVE-2007...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27197/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-10-13 15:30 UTC by Tobias Heinlein (RETIRED)
Modified: 2007-11-07 20:47 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
madwifi-ng-0.9.3.2-xrates-dos.patch (madwifi-ng-0.9.3.2-xrates-dos.patch,1.85 KB, patch)
2007-10-15 00:05 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-13 15:30:55 UTC
Clemens Kolbitsch and Sylvester Keil have reported a vulnerability in MadWifi, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the processing of beacon frames. This can be exploited via a specially crafted beacon frame with an overly large "length" value (greater than 15) in the extended supported rates element ("xrates").

Successful exploitation causes the driver to exit and results in a kernel panic.

The vulnerability is reported in version 0.9.3.2. Other versions may also be affected.

Solution:
Fixed in the SVN repository.
http://madwifi.org/changeset/2736
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-13 15:32:11 UTC
Steev, please provide an updated ebuild.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-10-15 00:03:52 UTC
The patch that addresses this issue for trunk is here:
  http://madwifi.org/changeset/2736

Since the code in ieee80211_scan_ap.c was merged in after the 0.9.3.2 release, we only need to fix the parts in ieee80211_scan_sta.c.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-10-15 00:05:33 UTC
Created attachment 133482 [details, diff]
madwifi-ng-0.9.3.2-xrates-dos.patch

Backported from trunk.

Steev, please have a look.
Comment 4 Steev Klimaszewski (RETIRED) gentoo-dev 2007-10-16 05:43:51 UTC
Rbu you are a godsend - I am swamped with work - if a few other people can verify that it works, ill give my blessing to apply (as I always do with the security bugs)
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-10-16 11:19:51 UTC
(In reply to comment #4)
> Rbu you are a godsend - I am swamped with work - if a few other people can
> verify that it works, ill give my blessing to apply (as I always do with the
> security bugs)

I don't use it. Maybe someone on mobile can give a test?
Comment 6 Dominik Paulus 2007-10-20 12:13:24 UTC
According to the madwifi website, this bug (and the 2.6.23 compile errors) were fixed in 0.9.3.3.
See http://madwifi.org/wiki/news/20071018/release-0-9-3-3-available
Comment 7 Steev Klimaszewski (RETIRED) gentoo-dev 2007-10-20 21:03:27 UTC
That it is - I am just getting ready to commit - sorry its taken so long, been a busy few weeks for me.
Comment 8 Steev Klimaszewski (RETIRED) gentoo-dev 2007-10-20 22:26:27 UTC
Okay, 0.9.3.3 is in portage, security team do your thing :)
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-20 22:40:26 UTC
Arches, please test and mark stable madwifi-ng-9.3.3
Target kewyords: "amd64 ppc x86"
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-20 22:42:40 UTC
(In reply to comment #9)
> Arches, please test and mark stable madwifi-ng-9.3.3

Of course you should read 0.9.3.3 :p

btw, shouldn't madwifi-ng-tools stabilized too?
Comment 11 Markus Meier gentoo-dev 2007-10-21 14:45:32 UTC
(In reply to comment #10)
> btw, shouldn't madwifi-ng-tools stabilized too?

it is required by madwifi-ng. x86 stable.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-24 18:10:19 UTC
ppc stable
Comment 13 Steve Dibb (RETIRED) gentoo-dev 2007-10-26 13:56:21 UTC
amd64 stable
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-10-26 14:40:16 UTC
B3 -> glsa?

If I understand correctly, anyone in my network can crash my box, so this would be a "yes" for me.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-02 23:16:55 UTC
yes too and request filed.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-07 20:47:55 UTC
GLSA 200711-09