| Summary: | <net-wireless/hostapd-2.4-r2: EAP-pwd missing payload length validation (CVE-2015-{4143,4144,4145,4146}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | alexander, gurligebis |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-05-06 08:21:44 UTC
Bumped to 2.4-r2, which has these patches. Security team - please mark for stabilization if you want.

Guys, there are another two vulnerabilities published at the same time (May 4, 2015):
http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt
Can you handle them in this bug report? Or should I open separate bugs for them?

I have added them to -r3 - security, please stabilize that version instead. -r2 has been removed from the tree.

Mixed them up - -r1 has been removed, and -r2 has been added. Please stabilize -r2.

Arches, please test and mark stable:
=net-wireless/hostapd-2.4-r2
Target Keywords : "amd64 ppc x86"
Thank you!

ppc stable

amd64 stable

x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Done, the old version has been removed :-)

Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request.

CVE-2015-4146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4146): The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not clear the L (Length) and M (More) flags before determining if a response should be fragmented, which allows remote attackers to cause a denial of service (crash) via a crafted message.

CVE-2015-4145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4145): The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate a fragment is already being processed, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.

CVE-2015-4144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4144): The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a message is long enough to contain the Total-Length field, which allows remote attackers to cause a denial of service (crash) via a crafted message.

CVE-2015-4143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4143): The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm message payload.

Security, you forgot about CVE-2015-{4141,4142}

This issue was resolved and addressed in GLSA 201606-17 at https://security.gentoo.org/glsa/201606-17 by GLSA coordinator Aaron Bauman (b-man).
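The four CVE descriptions quoted in the thread all come down to one pattern: the EAP-pwd fragment handler acted on header fields (Total-Length, the L and M flags, the fragment body) before checking that the message actually carried them and that a fragment fitted the buffer it was being copied into. The following is an added example written for this page, not hostapd's or wpa_supplicant's own code: a standalone, defensively written reassembler for the EAP-pwd header as defined in RFC 5931 section 3.1 (one octet holding the L and M flags plus the PWD-Exch type, followed by a 2-octet Total-Length when L is set). It checks the header octet exists before reading it, that Total-Length is present when L is set, refuses a new first fragment while one is already in progress instead of orphaning the old buffer, bounds every copy by the announced Total-Length, and reads the exchange type only with L and M masked off. The enum, struct and `pwd_*` names are this example's own, and the test vectors are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bits of the one-octet EAP-pwd header (RFC 5931, section 3.1). */
#define EAP_PWD_HDR_L     0x80  /* L: a 2-octet Total-Length follows */
#define EAP_PWD_HDR_M     0x40  /* M: more fragments follow */
#define EAP_PWD_EXCH_MASK 0x3f  /* PWD-Exch: exchange type once L/M are cleared */

/* Result codes of this example (not hostapd's). */
enum pwd_result { PWD_OK_COMPLETE, PWD_OK_MORE, PWD_ERR_TOO_SHORT, PWD_ERR_DUP_FIRST,
                  PWD_ERR_OVERFLOW, PWD_ERR_NO_CTX, PWD_ERR_NOMEM };

struct pwd_reasm {       /* per-session reassembly state */
    uint8_t *buf;        /* reassembly buffer, NULL while idle */
    size_t total, used;  /* announced Total-Length, octets received so far */
};

/* Exchange type with L and M masked off. CVE-2015-4146 was the peer keeping the
 * received flags around when deciding whether its own reply needed fragmenting. */
uint8_t pwd_exch_type(uint8_t hdr) { return hdr & EAP_PWD_EXCH_MASK; }

void pwd_reasm_reset(struct pwd_reasm *st)
{
    free(st->buf);
    st->buf = NULL; st->total = 0; st->used = 0;
}

/* Feed one EAP-pwd payload (the octets after the EAP Type field). On
 * PWD_OK_COMPLETE, *out is a malloc'd buffer the caller must free. */
enum pwd_result pwd_process(struct pwd_reasm *st, const uint8_t *data, size_t len,
                            uint8_t **out, size_t *out_len)
{
    *out = NULL; *out_len = 0;
    if (len < 1)
        return PWD_ERR_TOO_SHORT;      /* the header octet itself is missing */
    uint8_t hdr = data[0];
    const uint8_t *body = data + 1;
    size_t body_len = len - 1;

    if (hdr & EAP_PWD_HDR_L) {
        if (body_len < 2)
            return PWD_ERR_TOO_SHORT;  /* CVE-2015-4144 class: Total-Length must fit */
        if (st->buf)
            return PWD_ERR_DUP_FIRST;  /* CVE-2015-4145 class: never orphan the live buffer */
        size_t total = ((size_t)body[0] << 8) | body[1];
        body += 2; body_len -= 2;
        if (total == 0 || body_len > total)
            return PWD_ERR_OVERFLOW;
        if (!(st->buf = malloc(total)))
            return PWD_ERR_NOMEM;
        st->total = total; st->used = 0;
    } else if (!st->buf) {
        if (hdr & EAP_PWD_HDR_M)
            return PWD_ERR_NO_CTX;     /* continuation with nothing to continue */
        if (!(*out = malloc(body_len ? body_len : 1)))   /* unfragmented message */
            return PWD_ERR_NOMEM;
        memcpy(*out, body, body_len);
        *out_len = body_len;
        return PWD_OK_COMPLETE;
    }

    /* Append, bounded by Total-Length (CVE-2015-4143 class: no unchecked copies). */
    if (body_len > st->total - st->used) {
        pwd_reasm_reset(st);
        return PWD_ERR_OVERFLOW;
    }
    memcpy(st->buf + st->used, body, body_len);
    st->used += body_len;
    if (hdr & EAP_PWD_HDR_M)
        return PWD_OK_MORE;
    if (st->used != st->total) {       /* final fragment, but message is short */
        pwd_reasm_reset(st);
        return PWD_ERR_TOO_SHORT;
    }
    *out = st->buf; *out_len = st->used;   /* hand ownership to the caller */
    st->buf = NULL; st->total = st->used = 0;
    return PWD_OK_COMPLETE;
}

/* Runs constructed fragments through the parser; returns 0 when every case
 * behaves as intended, otherwise the number of the first failing case. */
int pwd_selftest(void)
{
    struct pwd_reasm st = { NULL, 0, 0 };
    uint8_t *out; size_t n;
    /* constructed test vectors, not captured traffic */
    const uint8_t f1[] = { 0xC2, 0x00, 0x05, 'h', 'e' };         /* L|M, Total-Length 5 */
    const uint8_t f2[] = { 0x42, 'l', 'l' };                     /* M only */
    const uint8_t f3[] = { 0x02, 'o' };                          /* last fragment */
    const uint8_t short_len[] = { 0x82, 0x00 };                  /* L set, Total-Length cut off */
    const uint8_t too_big[] = { 0xC2, 0x00, 0x02, 'a', 'b', 'c' }; /* 3 octets into a 2-octet total */

    if (pwd_process(&st, f1, sizeof f1, &out, &n) != PWD_OK_MORE) return 1;
    if (pwd_process(&st, f1, sizeof f1, &out, &n) != PWD_ERR_DUP_FIRST) return 2;
    if (pwd_process(&st, f2, sizeof f2, &out, &n) != PWD_OK_MORE) return 3;
    if (pwd_process(&st, f3, sizeof f3, &out, &n) != PWD_OK_COMPLETE) return 4;
    if (n != 5 || memcmp(out, "hello", 5) != 0) return 5;
    free(out);
    if (pwd_process(&st, short_len, sizeof short_len, &out, &n) != PWD_ERR_TOO_SHORT) return 6;
    if (pwd_process(&st, too_big, sizeof too_big, &out, &n) != PWD_ERR_OVERFLOW) return 7;
    if (pwd_process(&st, f2, sizeof f2, &out, &n) != PWD_ERR_NO_CTX) return 8;
    if (pwd_process(&st, NULL, 0, &out, &n) != PWD_ERR_TOO_SHORT) return 9;
    pwd_reasm_reset(&st);
    return 0;
}
```

The design choice worth noting is that every error path that has already allocated a buffer resets the state before returning, and a new first fragment is rejected rather than silently replacing the buffer in progress; either choice (reject or free-then-restart) closes the leak the CVE-2015-4145 text describes, but rejecting also keeps a single peer from resetting another fragment sequence mid-flight.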