Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 173434

Summary: net-wireless/madwifi-ng < 0.9.3 DoS and information leak (CVE-2006-71{78,79,80})
Product: Gentoo Security Reporter: Pierre-Yves Rofes (RETIRED) <py>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: gengor, steev
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/24670/
Whiteboard: B3 [glsa] p-y
Package list:
Runtime testing required: ---

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-05 07:37:04 UTC 
Some vulnerabilities have been reported in MadWifi, which can be exploited by malicious people to gain knowledge of potentially sensitive information or cause a DoS (Denial of Service).

1) An error within the "ieee80211_input()" function when handling AUTH frames from IBSS nodes can be exploited to cause a kernel crash by sending specially crafted AUTH frames.

Successful exploitation may require that the "Ad-Hoc" mode is used.

2) MadWifi does not correctly handle Channel Switch Announcements. This can be exploited to force a channel switch thus interrupting the communication by injecting a Channel Switch Announcement with "CS Count" set to 1 or less.

3) An error within ieee80211_output.c may cause unencrypted packets to be sent before the WPA authentication is completed. This can be exploited to gain knowledge of certain sensitive information, which may be leveraged for further attacks.

The vulnerabilities are reported in versions prior to 0.9.3.
CVE ids:
CVE-2006-7178
CVE-2006-7179
CVE-2006-7180

steev, please advise. Should we stabilize 0.9.3-r2?
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-05 07:37:50 UTC 
setting status.
Comment 2 Gordon Malm (RETIRED) gentoo-dev 2007-04-05 22:14:36 UTC 
Just a data point: I've been using madwifi-0.9.3 with both hostapd & wpa_supplicant on x86/hardened since it was introduced with no problems.  No problems with winblows WPA clients connecting to the hostapd box either.

FWIW, I've also seen no bugs opened about it or any regression complaints in the forums.  IMHO, This should be stabilized due to the decent amount of time in portage without any new bugs filed and the security issues.
Comment 3 Gordon Malm (RETIRED) gentoo-dev 2007-04-05 22:54:11 UTC 
Also, the patch for the buffer overflow in 0.9.2 that prompted 0.9.2.1 was not entirely correct.  See: http://madwifi.org/changeset/1847

I am not sure but I believe this could be an additional DoS to tack onto the list in the bug originators' post.

Did I mention 0.9.3 has a mountain of other bug, crash and lockup fixes? =)
Comment 4 Steev Klimaszewski (RETIRED) gentoo-dev 2007-04-06 00:17:27 UTC 
Stabilize and do whatever needs to be done please.  It's my birthday, so I am offline most of the rest of the week.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-06 07:52:57 UTC 
Thanks steev.
Hi arches, please stabilize madwifi-ng-0.9.3-r2.
Keywords are: ~amd64 ~ppc ~x86
Comment 6 Markus Meier gentoo-dev 2007-04-06 09:10:48 UTC 
net-wireless/madwifi-ng-0.9.3-r2
1. emerges on x86
2. passes collision test
3. works

net-wireless/madwifi-ng-tools-0.9.3
1. emerges on x86
2. passes collision test
3. works


Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.19.7 i686)
=================================================================
System uname: 2.6.19.7 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 05 Apr 2007 13:00:08 +0000
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal ldap libg++ mad midi mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-04-06 10:04:10 UTC 
x86 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-08 12:06:13 UTC 
ppc stable
Comment 9 Marcus D. Hanwell (RETIRED) gentoo-dev 2007-04-09 19:52:37 UTC 
Stable on amd64.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-09 20:04:22 UTC 
Thanks arches.
Security, do we want a GLSA on this one?
I'd tend to say yes, Atheros cards are rather common.
Comment 11 Matt Drew (RETIRED) gentoo-dev 2007-04-09 20:59:03 UTC 
I'll vote yes - fairly common usage, and serious enough (esp the information leak).
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 10:47:50 UTC 
I tend to vote YES.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-11 11:55:40 UTC 
ok, closing votes and drafting GLSA.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-17 22:50:20 UTC 
GLSA 200704-15, thanks p-y and everybody