Bug 154995 (CVE-2006-5601) - net-misc/xsupplicant "eap_do_notify()" Buffer Overflow Vulnerability (CVE-2006-{5601,5602})
Status: RESOLVED FIXED
Alias: CVE-2006-5601
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://secunia.com/advisories/22612/
Whiteboard: ~1 [noglsa]
Duplicates: 153423
Depends on: 154994
Reported: 2006-11-13 03:59 UTC by dago
Modified: 2010-10-07 22:09 UTC
Description dago 2006-11-13 03:59:52 UTC
cf. Secunia webpage + xsupplicant homepage: http://open1x.sourceforge.net/

Solution: version bump to 1.2.8

It is possible to do that by just bumping the 1.2.2 ebuild, although a new feature (support for TNC) has been introduced in 1.2.6 and would require additional changes (cf. bugs #154993 & #154994).

I open 2 bugs for this version because of this (patch first then add feature or leverage this vulnerability to quickly get TNC ;).
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-13 06:43:22 UTC
Mobile please advise and bump as necessary. Is xsupplicant installed suid?

Comment 2 dago 2006-11-13 22:59:43 UTC
No, it is not installed suid.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-14 00:16:37 UTC
Mobile please advise and mask if that is what is planned for the package.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-16 06:31:24 UTC
Mobile please advise and mask if that is what is planned for the package.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 22:00:35 UTC
No response from Mobile. I think we should mask this one, comments?
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 23:14:39 UTC
*** Bug 153423 has been marked as a duplicate of this bug. ***
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 23:18:26 UTC
Bah, no fun. It's not even stable on a single arch. Rerating.
Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-07 13:41:52 UTC
mobile, please comment on this bug, it has been open for months

the ebuild should either be bumped or masked
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-07 13:54:44 UTC
masked now. was never stable -> no maskglsa required. setting to enhancement
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-08 22:42:21 UTC
Maybe this is a candidate for removal?
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-13 00:40:47 UTC
This ebuild has been masked for over a year. If nobody wants to bump it, I guess it should be removed from the tree.

There are however two bugs with newer ebuilds attached (bug 154994 and bug 174802).
Comment 12 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2010-05-26 11:44:42 UTC
xsupplicant-2.2.0 is now in the tree. i'll change the mask and clean up the old ebuilds later.
Comment 13 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2010-06-01 08:11:09 UTC
i have restricted the mask to <xsupplicant-2.2.0
Comment 14 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2010-06-24 06:12:59 UTC
all affected ebuilds have been removed from the tree.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-07 22:09:15 UTC
There never was a stable version. Closing noglsa.