Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 173434 - net-wireless/madwifi-ng < 0.9.3 DoS and information leak (CVE-2006-71{78,79,80})
Summary: net-wireless/madwifi-ng < 0.9.3 DoS and information leak (CVE-2006-71{78,79,80})
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa] p-y
Depends on:
Reported: 2007-04-05 07:37 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-04-17 22:50 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-05 07:37:04 UTC
Some vulnerabilities have been reported in MadWifi, which can be exploited by malicious people to gain knowledge of potentially sensitive information or cause a DoS (Denial of Service).

1) An error within the "ieee80211_input()" function when handling AUTH frames from IBSS nodes can be exploited to cause a kernel crash by sending specially crafted AUTH frames.

Successful exploitation may require that the "Ad-Hoc" mode is used.

2) MadWifi does not correctly handle Channel Switch Announcements. This can be exploited to force a channel switch thus interrupting the communication by injecting a Channel Switch Announcement with "CS Count" set to 1 or less.

3) An error within ieee80211_output.c may cause unencrypted packets to be sent before the WPA authentication is completed. This can be exploited to gain knowledge of certain sensitive information, which may be leveraged for further attacks.

The vulnerabilities are reported in versions prior to 0.9.3.
CVE ids:

steev, please advise. Should we stabilize 0.9.3-r2?
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-05 07:37:50 UTC
setting status.
Comment 2 Gordon Malm (RETIRED) gentoo-dev 2007-04-05 22:14:36 UTC
Just a data point: I've been using madwifi-0.9.3 with both hostapd & wpa_supplicant on x86/hardened since it was introduced with no problems.  No problems with winblows WPA clients connecting to the hostapd box either.

FWIW, I've also seen no bugs opened about it or any regression complaints in the forums.  IMHO, This should be stabilized due to the decent amount of time in portage without any new bugs filed and the security issues.
Comment 3 Gordon Malm (RETIRED) gentoo-dev 2007-04-05 22:54:11 UTC
Also, the patch for the buffer overflow in 0.9.2 that prompted was not entirely correct.  See:

I am not sure but I believe this could be an additional DoS to tack onto the list in the bug originators' post.

Did I mention 0.9.3 has a mountain of other bug, crash and lockup fixes? =)
Comment 4 Steev Klimaszewski gentoo-dev 2007-04-06 00:17:27 UTC
Stabilize and do whatever needs to be done please.  It's my birthday, so I am offline most of the rest of the week.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-06 07:52:57 UTC
Thanks steev.
Hi arches, please stabilize madwifi-ng-0.9.3-r2.
Keywords are: ~amd64 ~ppc ~x86
Comment 6 Markus Meier gentoo-dev 2007-04-06 09:10:48 UTC
1. emerges on x86
2. passes collision test
3. works

1. emerges on x86
2. passes collision test
3. works

Portage (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, i686)
System uname: i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 05 Apr 2007 13:00:08 +0000
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
LINGUAS="en de en_GB de_CH"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal ldap libg++ mad midi mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-04-06 10:04:10 UTC
x86 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-08 12:06:13 UTC
ppc stable
Comment 9 Marcus D. Hanwell (RETIRED) gentoo-dev 2007-04-09 19:52:37 UTC
Stable on amd64.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-09 20:04:22 UTC
Thanks arches.
Security, do we want a GLSA on this one?
I'd tend to say yes, Atheros cards are rather common.
Comment 11 Matt Drew (RETIRED) gentoo-dev 2007-04-09 20:59:03 UTC
I'll vote yes - fairly common usage, and serious enough (esp the information leak).
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-11 10:47:50 UTC
I tend to vote YES.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-11 11:55:40 UTC
ok, closing votes and drafting GLSA.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-17 22:50:20 UTC
GLSA 200704-15, thanks p-y and everybody