Summary: | <net-wireless/wpa_supplicant-2.4-r3: EAP-pwd missing payload length validation (CVE - Pending) (CVE-2015-{4141,4142,4143,4144,4145,4146}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | alexander, gurligebis, zerochaos |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-05-06 08:21:09 UTC
Bumped to 2.4-r2, which has these patches. Security team - please mark for stabilization if you want.

There are another two vulnerabilities published at the same time (May 4, 2015):
http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt
Can you handle them in this bug report? Or should I open separate bugs for them?

I have added them to -r3 - security, please stabilize that version instead. -r2 has been removed from the tree.

amd64 stable

ppc stable

Stable for PPC64.

arm stable

It works on x86 for me, so I'm marking it as stable there too, since it looks like x86 was forgotten, and I see no reason to wait even longer to have them see it, test it and stabilize it.

All archs stable, so removing old version.

CVE Requested May 26 - http://seclists.org/oss-sec/2015/q2/569

Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request.

(In reply to Yury German from comment #9)
> CVE Requested May 26 - http://seclists.org/oss-sec/2015/q2/569

CVEs also requested for other vulnerabilities fixed in 2.4-r3:
http://seclists.org/oss-sec/2015/q2/396
http://seclists.org/oss-sec/2015/q2/397

CVE-2015-4146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4146): The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not clear the L (Length) and M (More) flags before determining if a response should be fragmented, which allows remote attackers to cause a denial of service (crash) via a crafted message.

CVE-2015-4145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4145): The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate a fragment is already being processed, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.

CVE-2015-4144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4144): The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a message is long enough to contain the Total-Length field, which allows remote attackers to cause a denial of service (crash) via a crafted message.

CVE-2015-4143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4143): The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm message payload.

CVE-2015-4142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4142): Integer underflow in the WMM Action frame parser in hostapd 0.5.5 through 2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME functionality, allows remote attackers to cause a denial of service (crash) via a crafted frame, which triggers an out-of-bounds read.

CVE-2015-4141 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4141): The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant, when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote attackers to cause a denial of service (crash) via a negative chunk length, which triggers an out-of-bounds read or heap-based buffer overflow.

Why is "(CVE - Pending)" in the summary?

This issue was resolved and addressed in GLSA 201606-17 at https://security.gentoo.org/glsa/201606-17 by GLSA coordinator Aaron Bauman (b-man).
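The four EAP-pwd CVE descriptions quoted in the thread all come down to length and state checks on the EAP-pwd fragment header and payload. The C below is an added example, not wpa_supplicant's or hostapd's code and not part of the bug thread, of a fragment reassembler that performs those checks: it refuses a packet too short to hold the Total-Length field (the CVE-2015-4144 class), rejects a new first fragment while a reassembly is already in progress instead of leaking the earlier buffer (CVE-2015-4145), keeps only the 6-bit PWD-Exch so the L and M flags cannot be carried into the reply (CVE-2015-4146), and size-checks Commit and Confirm payloads against the group's element, scalar and hash lengths before anything parses them (CVE-2015-4143). The exchange-byte layout and the Commit/Confirm contents follow RFC 5931; PWD_MAX_TOTAL, the status codes and the struct and function names are this example's own choices, and any packets fed to it in tests are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* EAP-pwd exchange byte (RFC 5931 section 3.1): L flag, M flag, 6-bit PWD-Exch. */
#define PWD_L_BIT        0x80
#define PWD_M_BIT        0x40
#define PWD_EXCH_MASK    0x3f
#define PWD_EXCH_COMMIT  2
#define PWD_EXCH_CONFIRM 3
#define PWD_MAX_TOTAL    4096 /* assumed ceiling on a reassembled message (example choice) */

enum pwd_status {
    PWD_OK = 0,          /* complete message: r->buf holds r->used bytes of exchange r->exch */
    PWD_NEED_MORE = 1,   /* fragment buffered; caller should answer with an EAP-pwd ACK */
    PWD_ERR_SHORT = -1,  /* packet too short for the fields its flags announce */
    PWD_ERR_BUSY = -2,   /* new Total-Length while a reassembly is already in progress */
    PWD_ERR_LENGTH = -3, /* Total-Length bad, fragment overruns it, or final message short */
    PWD_ERR_NOCTX = -4   /* continuation fragment (M set) with no first fragment */
};

struct pwd_reasm {
    uint8_t *buf;  /* reassembly buffer, NULL when idle */
    size_t total;  /* Total-Length announced by the first fragment */
    size_t used;   /* bytes received so far */
    uint8_t exch;  /* PWD-Exch of the message being assembled, L and M already cleared */
};

void pwd_reasm_reset(struct pwd_reasm *r)
{
    free(r->buf);
    memset(r, 0, sizeof(*r));
}

/* Feed the EAP-pwd payload of one EAP packet (the bytes after the EAP Type field). */
int pwd_reasm_feed(struct pwd_reasm *r, const uint8_t *pos, size_t len)
{
    if (len < 1) return PWD_ERR_SHORT;
    uint8_t lm_exch = pos[0];
    pos++; len--;

    if (lm_exch & PWD_L_BIT) {
        /* CVE-2015-4144 class: the 2-byte Total-Length must actually be present. */
        if (len < 2) return PWD_ERR_SHORT;
        size_t tot_len = ((size_t)pos[0] << 8) | pos[1];
        pos += 2; len -= 2;
        /* CVE-2015-4145 class: never start a second reassembly over a live one (it would leak buf). */
        if (r->buf) return PWD_ERR_BUSY;
        if (tot_len == 0 || tot_len > PWD_MAX_TOTAL) return PWD_ERR_LENGTH;
        r->buf = malloc(tot_len);
        if (!r->buf) return PWD_ERR_LENGTH;
        r->total = tot_len;
        r->used = 0;
    } else if (!r->buf) {
        /* Unfragmented message; buffer it so the caller has a single code path. */
        if (lm_exch & PWD_M_BIT) return PWD_ERR_NOCTX;
        r->buf = malloc(len ? len : 1);
        if (!r->buf) return PWD_ERR_LENGTH;
        r->total = len;
        r->used = 0;
    }
    /* CVE-2015-4146 class: keep only the exchange type; L/M must never be copied into a reply. */
    r->exch = lm_exch & PWD_EXCH_MASK;

    if (r->used + len > r->total) {   /* fragment would overrun the announced total */
        pwd_reasm_reset(r);
        return PWD_ERR_LENGTH;
    }
    memcpy(r->buf + r->used, pos, len);
    r->used += len;

    if (lm_exch & PWD_M_BIT) return PWD_NEED_MORE;
    if (r->used != r->total) {        /* last fragment, but fewer bytes than announced */
        pwd_reasm_reset(r);
        return PWD_ERR_LENGTH;
    }
    return PWD_OK;
}

/* CVE-2015-4143 class: size-check a Commit or Confirm payload before parsing it.
 * Commit = Element (2 * prime_len) + Scalar (order_len); Confirm = one hash output. */
int pwd_payload_len_ok(uint8_t exch, size_t len, size_t prime_len, size_t order_len, size_t hash_len)
{
    switch (exch) {
    case PWD_EXCH_COMMIT:  return len == 2 * prime_len + order_len;
    case PWD_EXCH_CONFIRM: return len == hash_len;
    default:               return 0;
    }
}
```

Usage: call pwd_reasm_feed once per received EAP-pwd packet; on PWD_NEED_MORE send an ACK, on PWD_OK check the size with pwd_payload_len_ok (for P-256 with SHA-256 that is prime_len = order_len = hash_len = 32) before parsing r->buf, then call pwd_reasm_reset. Error returns leave no buffer behind, which is the property the memory-leak CVE was about.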