Bug 528132 (CVE-2014-8321)

Summary:	<net-wireless/aircrack-ng-1.2_rc1: multiple vulnerabilities (CVE-2014-{8321,8322,8323,8324})
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	bugzie, crypto+disabled, netmon, zerochaos
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://seclists.org/bugtraq/2014/Nov/1
Whiteboard:	B1 [glsa]
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2014-11-03 15:19:05 UTC

From ${URL} :

"Aircrack-ng 1.2 Beta 3" multiple vulnerabilities
 
Description:
--------------------------------  
Four vulnerabilities exist on aircrack-ng <= 1.2 Beta 3 which allow remote/local code execution, privilege escalation 
and denial of service. Specifically, the following vulnerabilities were identified:
 
  -   A stack overflow at airodump-ng gps_tracker() which may lead to
code execution, privilege escalation.
  -   A length parameter inconsistency at aireplay tcp_test() which may
lead to remote code execution.
  -   A missing check for data format at buddy-ng which may lead to
denial of service.
  -   A missing check for invalid values at airserv-ng net_get() which
may lead to denial of service.
 
 
Researcher:
---------------------------------  
Nick Sampanis (n.sampanis[a t]obrela[do t]com)
 
 
Vulnerabilities:
----------------------------------
gps_tracer stack overflow  CVE-2014-8321
tcp_test length parameter inconsistency CVE-2014-8322
buddy-ng missing check  in data format CVE-2014-8323
net_get missing check for invalid values CVE-2014-8324
 
 
Bugs and fixes submit date:
-----------------------------------
3/10/2014
 
 
Impact:
-----------------------------------
CVE-2014-8321: Severity: High AV: Local Impact type: Code execution/Privilege escalation
CVE-2014-8322: Severity: Critical AV: Remote Impact type: Code execution
CVE-2014-8323: Severity: High AV: Remote Impact type: Denial of service
CVE-2014-8324: Severity: High AV: Remote Impact type: Denial of service

Solution - fix & patch:
------------------------------------
Kali linux(and maybe some other distros) use to distribute aircrack-ng package
without stack cookie protection which makes CVE-2014-8322 easily exploitable.
The new package with stack cookie protection enabled is called debian/1.2-beta3-0kali3.

Download the respective commits from github. Soon a new version
will be released but at the time there is no patched version.
 
https://github.com/aircrack-ng/aircrack-ng/commit/ff70494dd389ba570dbdbf36f217c28d4381c6b5
https://github.com/aircrack-ng/aircrack-ng/commit/091b153f294b9b695b0b2831e65936438b550d7b
https://github.com/aircrack-ng/aircrack-ng/commit/da087238963c1239fdabd47dc1b65279605aca70
https://github.com/aircrack-ng/aircrack-ng/commit/88702a3ce4c28a973bf69023cd0312f412f6193e

Reference:
------------------------------------
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1401/



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Rick Farina (Zero_Chaos) gentoo-dev

2014-11-03 15:49:03 UTC

RC1 is in cvs already, 1.2_beta3 isn't stable. rc1 is fine to stable, and we can remove all older versions for all I care.

Comment 2 Agostino Sarubbo gentoo-dev

2014-11-03 16:12:17 UTC

Arches, please test and mark stable:
=net-wireless/aircrack-ng-1.2_rc1
Target keywords : "amd64 arm ppc x86"

Comment 3 Agostino Sarubbo gentoo-dev

2014-11-03 16:16:26 UTC

(In reply to Agostino Sarubbo from comment #2)
> Arches, please test and mark stable:
> =net-wireless/aircrack-ng-1.2_rc1
> Target keywords : "amd64 arm ppc x86"

and =net-wireless/lorcon-0.0_p20130212-r1 since it is a DEPEND.

Comment 4 Agostino Sarubbo gentoo-dev

2014-11-03 16:17:00 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2014-11-03 16:17:20 UTC

x86 stable

Comment 6 Rick Farina (Zero_Chaos) gentoo-dev

2014-11-03 17:53:33 UTC

arm stable

Comment 7 Agostino Sarubbo gentoo-dev

2014-11-10 13:46:01 UTC

ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 8 Sean Amoss (RETIRED) gentoo-dev

2014-11-10 23:34:59 UTC

GLSA has been drafted.

Maintainers, please drop vulnerable versions so we can release the GLSA. Thanks.

Comment 9 Rick Farina (Zero_Chaos) gentoo-dev

2014-11-12 00:15:36 UTC

(In reply to Sean Amoss from comment #8)
> GLSA has been drafted.
> 
> Maintainers, please drop vulnerable versions so we can release the GLSA.
> Thanks.

Oh man that felt good...

--- ./ChangeLog
+++ ./ChangeLog
@@ -4,0 +5,16 @@
+  12 Nov 2014; Rick Farina <zerochaos@gentoo.org> -aircrack-ng-1.1-r2.ebuild,
+  -aircrack-ng-1.1-r4.ebuild, -aircrack-ng-1.2_beta3-r3.ebuild,
+  -files/aircrack-ng-1.0_rc3-respect_LDFLAGS.patch,
+  -files/aircrack-ng-1.0_rc4-fix_build.patch,
+  -files/aircrack-ng-1.1-CVE-2010-1159.patch,
+  -files/aircrack-ng-1.1-parallelmake.patch,
+  -files/aircrack-ng-1.1-respect_LDFLAGS.patch,
+  -files/aircrack-ng-1.1-sse-pic.patch,
+  -files/aircrack-ng-9999-fix-labels.patch,
+  -files/airodump-ng-oui-update-path-fix.patch,
+  -files/airodump-ng.ignore-negative-one.v4.patch,
+  -files/changeset_r1921_backport.diff,
+  -files/diff-wpa-migration-mode-aircrack-ng.diff, -files/eapol_fix.patch,
+  -files/ignore-channel-1-error.patch, -files/process-group-leader.c:
+  cleanup for security bug #528132

You may feel free to not wait on me to do such things in the future, although it did feel really good to delete all that old stuff.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2014-11-23 18:15:00 UTC

This issue was resolved and addressed in
 GLSA 201411-08 at http://security.gentoo.org/glsa/glsa-201411-08.xml
by GLSA coordinator Sean Amoss (ackle).