From ${URL} :

"Aircrack-ng 1.2 Beta 3" multiple vulnerabilities

Description:
--------------------------------
Four vulnerabilities exist in aircrack-ng <= 1.2 Beta 3 which allow remote/local code execution, privilege escalation and denial of service. Specifically, the following vulnerabilities were identified:

- A stack overflow at airodump-ng gps_tracker() which may lead to code execution and privilege escalation.
- A length parameter inconsistency at aireplay tcp_test() which may lead to remote code execution.
- A missing check for data format at buddy-ng which may lead to denial of service.
- A missing check for invalid values at airserv-ng net_get() which may lead to denial of service.

Researcher:
---------------------------------
Nick Sampanis (n.sampanis[a t]obrela[do t]com)

Vulnerabilities:
----------------------------------
gps_tracker stack overflow                    CVE-2014-8321
tcp_test length parameter inconsistency       CVE-2014-8322
buddy-ng missing check in data format         CVE-2014-8323
net_get missing check for invalid values      CVE-2014-8324

Bugs and fixes submit date:
-----------------------------------
3/10/2014

Impact:
-----------------------------------
CVE-2014-8321: Severity: High      AV: Local   Impact type: Code execution/Privilege escalation
CVE-2014-8322: Severity: Critical  AV: Remote  Impact type: Code execution
CVE-2014-8323: Severity: High      AV: Remote  Impact type: Denial of service
CVE-2014-8324: Severity: High      AV: Remote  Impact type: Denial of service

Solution - fix & patch:
------------------------------------
Kali Linux (and maybe some other distros) used to distribute the aircrack-ng package without stack cookie protection, which makes CVE-2014-8322 easily exploitable. The new package with stack cookie protection enabled is called debian/1.2-beta3-0kali3. Download the respective commits from GitHub. Soon a new version will be released, but at this time there is no patched version.

https://github.com/aircrack-ng/aircrack-ng/commit/ff70494dd389ba570dbdbf36f217c28d4381c6b5
https://github.com/aircrack-ng/aircrack-ng/commit/091b153f294b9b695b0b2831e65936438b550d7b
https://github.com/aircrack-ng/aircrack-ng/commit/da087238963c1239fdabd47dc1b65279605aca70
https://github.com/aircrack-ng/aircrack-ng/commit/88702a3ce4c28a973bf69023cd0312f412f6193e

Reference:
------------------------------------
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1401/

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
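The advisory's remark that the Kali package shipped without stack cookie protection is something a packager can verify directly on the installed binaries rather than take on trust. The POSIX shell function below is an added example, not part of the advisory or of the aircrack-ng project; it assumes GNU binutils `readelf` is installed and checks whether an ELF binary references `__stack_chk_fail`, the canary-failure handler that every object compiled with `-fstack-protector` (or `-strong`/`-all`) links against. The function and file names are mine.

```shell
#!/bin/sh
# Added example (not from the advisory or the aircrack-ng project): report whether
# ELF binaries were built with GCC's stack protector. A binary built without it
# carries no stack canary, which is what made CVE-2014-8322 easy to exploit on the
# distro package the advisory mentions. Requires readelf from GNU binutils.

# has_stack_protector FILE
#   returns 0 if FILE references __stack_chk_fail, 1 if it does not,
#   2 if FILE cannot be read. Note: a stripped, statically linked binary keeps no
#   symbol table, so for such files this check is inconclusive, not a clean "no".
has_stack_protector() {
    bin="$1"
    [ -f "$bin" ] || { echo "cannot read: $bin" >&2; return 2; }
    # readelf -s lists both .symtab and .dynsym; the canary handler shows up as an
    # undefined symbol in anything compiled with -fstack-protector*.
    if readelf -sW "$bin" 2>/dev/null | grep -q '__stack_chk_fail'; then
        return 0
    fi
    return 1
}

# report_stack_protector FILE...
#   prints one line per file; intended for a package's whole install set,
#   e.g. the airodump-ng / aireplay-ng / airserv-ng / buddy-ng tools.
report_stack_protector() {
    for f in "$@"; do
        rc=0
        has_stack_protector "$f" || rc=$?
        case "$rc" in
            0) echo "protected    $f" ;;
            1) echo "UNPROTECTED  $f" ;;
            *) echo "unreadable   $f" ;;
        esac
    done
}

# Usage (paths are placeholders for wherever the package installs its tools):
#   report_stack_protector /usr/sbin/airodump-ng /usr/sbin/aireplay-ng
```

The check is a cheap signal rather than a proof: it tells you the compiler emitted canary checks somewhere in the binary, which is exactly the property the rebuilt debian/1.2-beta3-0kali3 package was meant to restore, but it says nothing about other hardening such as PIE or RELRO.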
RC1 is in cvs already, 1.2_beta3 isn't stable. rc1 is fine to stable, and we can remove all older versions for all I care.
Arches, please test and mark stable:
=net-wireless/aircrack-ng-1.2_rc1
Target keywords : "amd64 arm ppc x86"
(In reply to Agostino Sarubbo from comment #2)
> Arches, please test and mark stable:
> =net-wireless/aircrack-ng-1.2_rc1
> Target keywords : "amd64 arm ppc x86"

and =net-wireless/lorcon-0.0_p20130212-r1 since it is a DEPEND.
amd64 stable
x86 stable
arm stable
ppc stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
GLSA has been drafted. Maintainers, please drop vulnerable versions so we can release the GLSA. Thanks.
(In reply to Sean Amoss from comment #8) > GLSA has been drafted. > > Maintainers, please drop vulnerable versions so we can release the GLSA. > Thanks. Oh man that felt good... --- ./ChangeLog +++ ./ChangeLog @@ -4,0 +5,16 @@ + 12 Nov 2014; Rick Farina <zerochaos@gentoo.org> -aircrack-ng-1.1-r2.ebuild, + -aircrack-ng-1.1-r4.ebuild, -aircrack-ng-1.2_beta3-r3.ebuild, + -files/aircrack-ng-1.0_rc3-respect_LDFLAGS.patch, + -files/aircrack-ng-1.0_rc4-fix_build.patch, + -files/aircrack-ng-1.1-CVE-2010-1159.patch, + -files/aircrack-ng-1.1-parallelmake.patch, + -files/aircrack-ng-1.1-respect_LDFLAGS.patch, + -files/aircrack-ng-1.1-sse-pic.patch, + -files/aircrack-ng-9999-fix-labels.patch, + -files/airodump-ng-oui-update-path-fix.patch, + -files/airodump-ng.ignore-negative-one.v4.patch, + -files/changeset_r1921_backport.diff, + -files/diff-wpa-migration-mode-aircrack-ng.diff, -files/eapol_fix.patch, + -files/ignore-channel-1-error.patch, -files/process-group-leader.c: + cleanup for security bug #528132 You may feel free to not wait on me to do such things in the future, although it did feel really good to delete all that old stuff.
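Review bot: the ChangeLog hunk removes a long list of files/ entries (for example -files/process-group-leader.c, -files/eapol_fix.patch and -files/aircrack-ng-9999-fix-labels.patch) together with the three vulnerable ebuilds; before this lands, confirm that the remaining =net-wireless/aircrack-ng-1.2_rc1 ebuild (and any 9999 live ebuild still in the tree, given the 9999 patch is among the removals) references none of those files via FILESDIR, otherwise the cleanup for bug #528132 would break the version that was just stabilized.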
This issue was resolved and addressed in GLSA 201411-08 at http://security.gentoo.org/glsa/glsa-201411-08.xml by GLSA coordinator Sean Amoss (ackle).