Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 113322

Summary: Kernel: Information leak in Orinoco driver (CVE-2005-3180)
Product: Gentoo Security Reporter: Thierry Carrez (RETIRED) <koon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: henrik
Priority: High Keywords: InVCS
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.kernel.org/hg/linux-2.6/?cmd=changeset;node=feecb2ffde28639e60ede769c6f817dc536c677b
Whiteboard: [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
pcmcia-cs-3.2.8-orinoco-memleak.patch none

Description Thierry Carrez (RETIRED) gentoo-dev 2005-11-23 02:01:10 UTC 
In Ubuntu's USN-219-1:

Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
Comment 1 Henrik Brix Andersen 2005-11-27 14:39:34 UTC 
I've added the patch to net-wireless/orinoco-0.15_rc3-r1, which is still ~x86.

If nobody tells me otherwise, I will mark it stable on x86 tomorrow and remove
the vulnerable version net-wireless/orinoco-0.15_rc2-r2.

Will this require a GLSA?

PS: Why wasn't I added to CC: on this bug when it was opened?
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-11-28 00:41:48 UTC 
Uh, I thought it was a kernel-only thing. Is the orinoco driver only standalone ?
If it's a package thing, it will require a GLSA vote to decide.
Comment 3 Henrik Brix Andersen 2005-11-28 00:52:24 UTC 
It is both.

The orinoco driver is available in multiple places in portage:

sys-kernel/*-sources
net-wireless/orinoco
sys-apps/pcmcia-cs-modules

I'll look into backporting the fix to pcmcia-cs-modules later today.
Comment 4 Henrik Brix Andersen 2005-12-18 05:13:08 UTC 
Created attachment 75008 [details, diff]
pcmcia-cs-3.2.8-orinoco-memleak.patch

I'm sorry that I haven't updated this bug sooner - I've been busy with exams and haven't been able to find the time for testing sys-apps/pcmcia-cs-modules with linux-2.4.x yet.

Attaching the backported patch here in the hope someone else will beat me to it...
Comment 5 Tim Yamin (RETIRED) gentoo-dev 2006-01-02 15:27:17 UTC 
Adding maintainers: rsbac-sources: kang
Comment 6 Tim Yamin (RETIRED) gentoo-dev 2006-01-15 14:44:53 UTC 
All kernel dojo now fixed (thanks kang), do we need a GLSA for the pcmcia-cs-modules/orinoco packages?
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2006-01-16 00:45:40 UTC 
We should probably vote on it.
I've no clue how exploitable it is -- could this really be used for drive-by memory dumps ? Or is it more a theorical thing which requires active participation of the victim, like pairing to a malicious node ?
Comment 8 Henrik Brix Andersen 2006-01-30 13:59:32 UTC 
I don't think a GLSA is needed, since this exploit is rather theoretical.

On a side note, I've just marked orinoco-0.15_rc4 (which fixes this issue) stable on x86.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-30 14:17:39 UTC 
I vote for no GLSA.

Still need testing on the attached patch before we have a fixed version of sys-apps/pcmcia-cs-modules.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-06 12:14:14 UTC 
Brix any news on this one?
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-02-07 10:44:43 UTC 
Voting no GLSA too.
Comment 12 Tim Yamin (RETIRED) gentoo-dev 2006-02-07 11:12:13 UTC 
No GLSA vote reached; kernel dojo finished, bug closing...