SCIENTIFIC-LINUX-ERRATA Archives

June 2007

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Subject:
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Fri, 8 Jun 2007 16:28:18 -0500
Synopsis:	Madwifi 0.9.3.1 fixes three security vulnerabilities.
Issue date:	2007-05-23
CVE Names:	

Madwifi 0.9.3.1 Release note:
http://madwifi.org/wiki/news/20070523/release-0-9-3-1-fixes-three-security-issue

Security fixes in 0.9.3.1:
- http://madwifi.org/ticket/1270
In the madwifi/ath component, if_ath.c handles beacon-configuration 
initialization for both clients and APs in the function ath_beacon_config(). 
The function uses the macro "howmany", which performs a division. The macro is 
used without first ensuring that its argument (the denominator 'intval') is 
not zero. The divide-by-zero condition can be triggered externally using a 
malformed packet.

- http://madwifi.org/ticket/1335
There is a vulnerability in the packet parsing code whereby a remote attacker 
can craft a malicious packet that will DoS the system. Due to improper 
sanitization of nested 802.3 Ethernet frame length fields in Fast Frame 
packets, the MadWifi driver is vulnerable to a remote kernel denial of service. 
The problem is that the frame length is read directly from the attacker's 
packet without validation. The attacker can specify a length so that after the 
skb_pull operation skb1 is shorter than sizeof(ethernet_header). When skb_pull 
is called again on skb1 in athff_decap it will return NULL. This results in a 
NULL dereference later on in the function.

- http://madwifi.org/ticket/1334
A restricted local user can make an unprivileged I/O control call to the 
driver's ieee80211_ioctl_getwmmparams. This function accepts an array index 
from the user, which is validated incorrectly. The function checks that the 
index supplied by the user is less than a maximum value, but does not check if 
the index is less than 0. A local attacker can specify a large negative number 
which will pass the check, and cause an error in the array dereference.
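
The three missing checks described above, as an added C example: a simplified model written for this page, not MadWifi source. The function names, the table size and the back-to-back frame layout are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* BSD round-up division macro (<sys/param.h>); note that it divides by y. */
#ifndef howmany
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#endif
#define ETH_HDR_LEN 14  /* 802.3 header: dst(6) + src(6) + length(2) */
#define TABLE_LEN   4   /* constructed table size for the index check */

/* Ticket 1270 pattern: refuse a zero interval before howmany() divides. */
int intervals_elapsed(uint32_t now, uint32_t intval, uint32_t *out)
{
    if (intval == 0)
        return -1;      /* intval is taken from a received frame */
    *out = howmany(now, intval);
    return 0;
}

/* Ticket 1334 pattern: the flawed test bounds a signed index from above only. */
int index_ok_flawed(int idx)   { return idx < TABLE_LEN; }
int index_ok_hardened(int idx) { return idx >= 0 && idx < TABLE_LEN; }

/* Ticket 1335 pattern: buf holds two back-to-back 802.3 frames. Return the
 * offset of the second frame, or -1 when the first frame's length field
 * would leave less than a full header for the second one. */
long second_frame_offset(const uint8_t *buf, size_t len)
{
    size_t consumed;

    if (len < ETH_HDR_LEN)
        return -1;
    consumed = ETH_HDR_LEN + (((size_t)buf[12] << 8) | buf[13]);
    if (consumed > len || len - consumed < ETH_HDR_LEN)
        return -1;
    return (long)consumed;
}

int main(void)
{
    uint8_t pkt[40] = {0};  /* constructed sample: 14 + 12 + 14 bytes */
    uint32_t n = 0;

    pkt[13] = 12;           /* first frame claims a 12-byte payload */
    printf("offset=%ld zero_interval=%d negative_index=%d/%d\n",
           second_frame_offset(pkt, sizeof pkt), intervals_elapsed(100, 0, &n),
           index_ok_flawed(-5), index_ok_hardened(-5));
    return 0;
}
```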

NOTE: The version number 0.9.3.1 is actually lower than the version number 
shipped in Scientific Linux 4.x.  This is correct.  This really is the latest 
version of madwifi.  We have adjusted the RPMs so that they can handle this.

SL 4.x

   SRPMS:
madwifi-0.9.3.1-10.sl4.src.rpm
   i386:
madwifi-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-55.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-55.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-55.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-55.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-55.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-55.ELsmp-0.9.3.1-10.sl4.i686.rpm
   x86_64:
madwifi-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-55.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-55.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-55.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-55.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-55.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-55.ELsmp-0.9.3.1-10.sl4.x86_64.rpm

SL 5.x

   SRPMS:
madwifi-0.9.3.1-11.sl5.src.rpm
   i386:
madwifi-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.i686.rpm
   x86_64:
madwifi-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.x86_64.rpm

-Connie Sieh
-Troy Dawson
