Clemens Kolbitsch and Sylvester Keil have reported a vulnerability in MadWifi, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused by an error in the processing of beacon frames. This can be exploited via a specially crafted beacon frame with an overly large "length" value (greater than 15) in the extended supported rates element ("xrates").
Successful exploitation causes the driver to exit and results in a kernel panic.
The vulnerability is reported in version 0.9.3.2. Other versions may also be affected.
Fixed in the SVN repository.
Steev, please provide an updated ebuild.
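As an added illustration of the defect class described in the advisory (example code, not the MadWifi driver or its patch): a bounds-checked walk over a beacon's tagged parameters that refuses an "xrates" element whose length exceeds either the remaining frame bytes or a fixed 15-byte rate buffer. The element IDs come from the 802.11 standard; `RATE_MAXSIZE`, the function names and the sample frames are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IEEE80211_ELEMID_SSID   0   /* element IDs from the 802.11 standard */
#define IEEE80211_ELEMID_RATES  1
#define IEEE80211_ELEMID_XRATES 50
#define RATE_MAXSIZE 15             /* assumed fixed-size rate buffer (the 15-byte limit above) */

enum { XRATES_OK = 0, XRATES_ABSENT = 1, XRATES_TRUNCATED = -1, XRATES_TOO_LONG = -2 };

/* Walk the tagged parameters that follow a beacon's fixed fields and copy the
 * extended supported rates into out[]. Every element length is validated against
 * the bytes left in the frame and against the destination buffer before any copy. */
int parse_xrates(const uint8_t *ies, size_t len, uint8_t out[RATE_MAXSIZE], size_t *nout)
{
    size_t pos = 0;
    while (pos + 2 <= len) {                 /* need at least id + length */
        uint8_t id = ies[pos], elen = ies[pos + 1];
        if (elen > len - pos - 2)            /* element claims more than remains */
            return XRATES_TRUNCATED;
        if (id == IEEE80211_ELEMID_XRATES) {
            if (elen > RATE_MAXSIZE)         /* the check whose absence crashes the driver */
                return XRATES_TOO_LONG;
            memcpy(out, ies + pos + 2, elen);
            *nout = elen;
            return XRATES_OK;
        }
        pos += 2 + elen;
    }
    return XRATES_ABSENT;
}

/* Convenience wrapper: return only the status code for a frame body. */
int xrates_status(const uint8_t *ies, size_t len)
{
    uint8_t rates[RATE_MAXSIZE]; size_t n = 0;
    return parse_xrates(ies, len, rates, &n);
}

/* Constructed sample element lists (not captured traffic). */
static const uint8_t GOOD_IES[] = { 0, 4, 'T','E','S','T', 1, 2, 0x82, 0x84, 50, 3, 0x0c, 0x12, 0x18 };
static const uint8_t LONG_IES[] = { 50, 16, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
static const uint8_t TRUNC_IES[] = { 50, 5, 1, 2 };

int main(void)
{
    printf("good=%d long=%d trunc=%d\n",
           xrates_status(GOOD_IES, sizeof GOOD_IES),
           xrates_status(LONG_IES, sizeof LONG_IES),
           xrates_status(TRUNC_IES, sizeof TRUNC_IES));
    return 0;
}
```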
The patch that addresses this issue for trunk is here:
Since the code in ieee80211_scan_ap.c was merged in after the 0.9.3.2 release, we only need to fix the parts in ieee80211_scan_sta.c.
Created attachment 133482 [details, diff]
Backported from trunk.
Steev, please have a look.
Rbu you are a godsend - I am swamped with work - if a few other people can verify that it works, I'll give my blessing to apply (as I always do with the security bugs)
(In reply to comment #4)
> Rbu you are a godsend - I am swamped with work - if a few other people can
> verify that it works, I'll give my blessing to apply (as I always do with the
> security bugs)
I don't use it. Maybe someone on mobile can give a test?
According to the madwifi website, this bug (and the 2.6.23 compile errors) were fixed in 0.9.3.3.
That it is - I am just getting ready to commit - sorry it's taken so long, been a busy few weeks for me.
Okay, 0.9.3.3 is in portage, security team do your thing :)
Arches, please test and mark stable madwifi-ng-9.3.3
Target keywords: "amd64 ppc x86"
(In reply to comment #9)
> Arches, please test and mark stable madwifi-ng-9.3.3
Of course you should read 0.9.3.3 :p
btw, shouldn't madwifi-ng-tools be stabilized too?
(In reply to comment #10)
> btw, shouldn't madwifi-ng-tools be stabilized too?
it is required by madwifi-ng. x86 stable.
B3 -> glsa?
If I understand correctly, anyone in my network can crash my box, so this would be a "yes" for me.
yes too and request filed.