Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 239371
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Robert Buchholz <rbu@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
ndiswrapper-CVE-2008-4395.patch ndiswrapper-CVE-2008-4395.patch patch Robert Buchholz 2008-10-02 20:29 0000 2.96 KB Details | Diff
ndiswrapper-1.53.ebuild ndiswrapper-1.53.ebuild text/plain Piotr Jaroszyński 2008-10-02 22:53 0000 2.95 KB Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 239371 depends on: Show dependency tree
Bug 239371 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2008-10-02 20:27 0000 
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Anders Kaseorg discovered that ndiswrapper did not correctly handle
long ESSIDs.  If ndiswrapper is in use, a physically near-by attacker
could generate specially crafted wireless network traffic and crash
the system, leading to a denial of service.

------- Comment #1 From Robert Buchholz 2008-10-02 20:28:26 0000 ------- 
Piotr, please prepare an updated ebuild applying the patch and attach it to
this bug. We will do prestable testing here. Do not commit anything to CVS.

------- Comment #2 From Robert Buchholz 2008-10-02 20:29:23 0000 ------- 
Created an attachment (id=167023) [details]
ndiswrapper-CVE-2008-4395.patch

------- Comment #3 From Piotr Jaroszyński 2008-10-02 22:53:13 0000 ------- 
Created an attachment (id=167029) [details]
ndiswrapper-1.53.ebuild

------- Comment #4 From Robert Buchholz 2008-10-03 01:20:22 0000 ------- 
Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug.
Target keywords : "x86"

CC'ing current Liaisons:
     x86 : maekke, armin76

------- Comment #5 From Markus Meier 2008-10-04 09:26:03 0000 ------- 
looks good on x86

------- Comment #6 From Robert Buchholz 2008-10-24 10:42:57 0000 ------- 
This is now public via:
http://www.mail-archive.com/frugalware-git@frugalware.org/msg22366.html

Please commit to CVS with the stable keyword gathered in this bug.

------- Comment #7 From Piotr Jaroszyński 2008-10-27 12:54:17 0000 ------- 
done

------- Comment #8 From Christian Hoffmann 2008-10-27 14:00:40 0000 ------- 
Please don't close security bugs right after your part of the work is done, the
security team's is not done necessarily. :)

Time for GLSA vote.

------- Comment #9 From Christian Hoffmann 2008-11-06 13:58:08 0000 ------- 
Note that the Ubuntu advisory [1] talks about "arbitrary code [execution] with
root privileges", so maybe we need to reclassify this.

[1] http://www.ubuntu.com/usn/usn-662-1

------- Comment #10 From Robert Buchholz 2008-11-06 16:33:40 0000 ------- 
CVE does so, too. Filed a request

------- Comment #11 From Robert Buchholz 2009-01-11 00:48:29 0000 ------- 
GLSA 200901-01, sorry for delay.
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug