Bug#425738: madwifi: several DOS-able holes
Kel Modderman
kel at otaku42.de
Thu May 24 04:52:34 UTC 2007
Hi Bernd and security team,
On Thu, 24 May 2007 02:28:12 am Bernd Zeimetz wrote:
> Package: madwifi
> Version: 0.9.3
> Severity: critical
> Tags: security
>
> Hi,
I was wondering how long it would take for someone to file a bug.
0.9.3-2 was uploaded to unstable[0] before the vulnerabilities were made
public by the team at madwifi.org. It contained the pertinent patches.
>
> although I'm pretty sure you know about those issues, it won't be bad to
> have them listed in the bugtracker. In case Etch is affected, too,
> please get the fixes into r1.
>
> http://madwifi.org/ticket/1270
> http://madwifi.org/ticket/1335
> http://madwifi.org/ticket/1334
Last time madwifi vulnerabilities were discussed with the security team[1]
there was a strong indication that non-free was not cared for[2]. I didn't
know how much truth there was to that at the time as there was no further
action required then.
This time further action could be taken as there do exist security flaws in
the madwifi package shipped with etch. The debian security FAQ states[3] that
the security team generally don't care for contrib or non-free but they may
be influenced into passing on required changes if handed to them on a silver
platter by the maintainer or some other developer.
A debdiff is attached that would fix the security concerns in madwifi stable
version 1:0.9.2+r1842.20061207-2.
Below is a brief description of the security concerns taken from the 0.9.3.1
madwifi release announcement[4]; there are no known CVE IDs at this time.
1. Remote DoS: insufficient input validation (beacon interval)
The beacon interval information that is gathered while scanning for Access
Points is not properly validated. This could be exploited from remote to
cause a DoS due to a "division by zero" exception.
See also: http://madwifi.org/ticket/1270
2. Remote DoS: insufficient input validation (Fast Frame parsing)
The code which parses fast frames and 802.3 frames embedded therein does not
properly validate the size parameters in such frames. This could be exploited
from remote to cause a DoS due to a NULL-pointer dereference.
See also: http://madwifi.org/ticket/1335
3. Local DoS: insufficient input validation (WMM parameters)
A restricted local user could pass invalid data to two ioctl handlers, causing
a DoS due to access being made to invalid addresses. Chances are that this
issue also might allow read and/or write access to kernel memory; this has
not yet been verified.
See also: http://madwifi.org/ticket/1334
I've tested the resulting Debian package and it does not change behaviour in
ways that will make the end user unhappy as far as I can see. Hopefully it
also conforms to guidelines set out in the Debian reference for targeting
security related fixes to the stable branch.
Thanks, Kel.
[0] http://packages.qa.debian.org/m/madwifi/news/20070522T134706Z.html
[1] http://lists.alioth.debian.org/pipermail/pkg-madwifi-maintainers/2007-April/000626.html
[2] http://lists.alioth.debian.org/pipermail/pkg-madwifi-maintainers/2007-April/000634.html
[3] http://www.debian.org/security/faq#contrib
[4] http://madwifi.org/wiki/Releases/0.9.3.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: madwifi_0.9.2+r1842.20061207-2_to_madwifi_0.9.2+r1842.20061207-3.patch
Type: text/x-diff
Size: 14683 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-madwifi-maintainers/attachments/20070524/d3908da9/attachment-0001.patch
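The two remote issues described in the message above (a beacon interval used as a divisor without a zero check, and Fast Frame / embedded 802.3 length fields trusted before use) are the same two input-validation mistakes, shown here in one added C example. This is illustration code written for this page, not madwifi's driver code and not the contents of the attached debdiff; the record layout, the 16-bit length-prefixed aggregate format, the function names and the sample frames are all constructed for the example. It shows the check a reviewer would look for in the fix: reject a zero interval before dividing, and compare every claimed subframe length against the bytes actually remaining before forming a pointer into the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Everything below is a hypothetical illustration of the two bug classes in
 * the 0.9.3.1 announcement, not madwifi code or its patch. */

/* ---- 1. Beacon interval (ticket 1270 class) --------------------------- */

#define DEFAULT_BINTVAL 100   /* common beacon interval in time units (TU) */

/* Number of advertised beacon intervals that fit in listen_tu time units.
 * bintval comes straight from a beacon/probe response, so an attacker
 * controls it; without the zero check this is the divide-by-zero DoS.
 * Returns -1 when the interval is zero. */
int beacons_in_period(uint16_t bintval, unsigned listen_tu)
{
    if (bintval == 0)
        return -1;                      /* the missing validation */
    return (int)(listen_tu / bintval);
}

/* Alternative policy when recording a scan result: substitute a sane
 * default for a zero interval instead of refusing the entry.  (One possible
 * policy for the example, not a claim about what upstream chose.) */
uint16_t sanitize_bintval(uint16_t bintval)
{
    return bintval ? bintval : DEFAULT_BINTVAL;
}

/* ---- 2. Length-prefixed aggregate (ticket 1335 class) ------------------ */

#define ETH_HDR_LEN 14        /* dst(6) + src(6) + type(2) of an 802.3 header */
#define MAX_SUBFRAMES 8

typedef struct {
    const uint8_t *data;      /* start of the embedded 802.3 frame */
    size_t         len;       /* its validated length */
} subframe_t;

/* Hypothetical container: [len_be16][payload][pad to 4] repeated.
 * Returns the number of subframes found, or -1 if any length field is
 * truncated, shorter than an 802.3 header, or runs past the buffer.
 * No pointer into the payload is formed until its length has been checked
 * against the bytes that really remain. */
int parse_aggregate(const uint8_t *buf, size_t buflen,
                    subframe_t *out, size_t max)
{
    size_t off = 0;
    int n = 0;

    while (off < buflen) {
        if (buflen - off < 2)
            return -1;                              /* truncated length */
        size_t flen = ((size_t)buf[off] << 8) | buf[off + 1];
        off += 2;
        if (flen < ETH_HDR_LEN)
            return -1;                              /* cannot hold a header */
        if (flen > buflen - off)
            return -1;                              /* claims bytes we lack */
        if ((size_t)n >= max)
            return -1;                              /* caller's array full */
        out[n].data = buf + off;
        out[n].len  = flen;
        n++;
        off += flen;
        off = (off + 3) & ~(size_t)3;               /* skip pad; may pass end */
    }
    return n;
}

/* Constructed sample: two subframes of 14 and 16 bytes, then 2 pad bytes. */
static const uint8_t good_frame[] = {
    0x00, 0x0e,                                     /* len 14 */
    1, 2, 3, 4, 5, 6,  7, 8, 9, 10, 11, 12,  0x08, 0x00,
    0x00, 0x10,                                     /* len 16 */
    1, 2, 3, 4, 5, 6,  7, 8, 9, 10, 11, 12,  0x08, 0x00,  0xaa, 0xbb,
    0x00, 0x00                                      /* pad to 4 */
};
/* Constructed sample: length field claims 65535 bytes, only 3 follow. */
static const uint8_t bad_frame[] = { 0xff, 0xff, 1, 2, 3 };
/* Constructed sample: one byte, not even a whole length field. */
static const uint8_t truncated_frame[] = { 0x00 };

int demo_good_count(void)
{
    subframe_t sf[MAX_SUBFRAMES];
    return parse_aggregate(good_frame, sizeof good_frame, sf, MAX_SUBFRAMES);
}
int demo_bad_count(void)
{
    subframe_t sf[MAX_SUBFRAMES];
    return parse_aggregate(bad_frame, sizeof bad_frame, sf, MAX_SUBFRAMES);
}
int demo_truncated_count(void)
{
    subframe_t sf[MAX_SUBFRAMES];
    return parse_aggregate(truncated_frame, sizeof truncated_frame,
                           sf, MAX_SUBFRAMES);
}

int main(void)
{
    printf("bintval 0   -> %d\n", beacons_in_period(0, 1000));
    printf("bintval 100 -> %d\n", beacons_in_period(100, 1000));
    printf("good aggregate: %d subframes\n", demo_good_count());
    printf("bad aggregate:  %d\n", demo_bad_count());
    printf("truncated:      %d\n", demo_truncated_count());
    return 0;
}
```

The ordering of the checks is the point: the length is compared against `buflen - off` (which cannot underflow, since the loop guard already established `off < buflen` and the two-byte check keeps `off <= buflen`) before `buf + off` is stored anywhere, and the zero test on the interval happens before the division rather than being left to a fault handler. The third issue in the announcement (WMM ioctl parameters) is the same pattern applied to user-supplied indices and is not separately illustrated here.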