Date: Fri, 8 Jun 2007 16:28:18 -0500
Synopsis: Madwifi 0.9.3.1 fixes three security vulnerabilities.
Issue date: 2007-05-23
CVE Names:
Madwifi 0.9.3.1 Release note:
http://madwifi.org/wiki/news/20070523/release-0-9-3-1-fixes-three-security-issue
Security fixes in 0.9.3.1:
- http://madwifi.org/ticket/1270
In the madwifi/ath component, if_ath.c handles beacon-configuration
initialization for both clients and APs in the function
ath_beacon_config(). The function uses the macro "howmany", which performs a
division. The macro is used without ensuring that its argument (the
denominator 'intval') is non-zero. The divide-by-zero condition can be
triggered externally using a malformed packet.
- http://madwifi.org/ticket/1335
There is a vulnerability in the packet parsing code whereby a remote attacker
can craft a malicious packet that will DoS the system. Due to improper
sanitization of nested 802.3 Ethernet frame length fields in Fast Frame
packets, the MadWifi driver is vulnerable to a remote kernel denial of
service. The problem is that the frame length is read directly from the
attacker's packet without validation. The attacker can specify a length so
that after the skb_pull operation skb1 is shorter than
sizeof(ethernet_header). When skb_pull is called again on skb1 in
athff_decap, it will return NULL. This results in a NULL dereference later on
in the function.
- http://madwifi.org/ticket/1334
A restricted local user can make an unprivileged I/O control call to the
driver's ieee80211_ioctl_getwmmparams. This function accepts an array index
from the user, which is validated incorrectly. The function checks that the
index supplied by the user is less than a maximum value, but does not check if
the index is less than 0. A local attacker can specify a large negative number
which will pass the check, and cause an error in the array dereference.
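The length check missing in ticket 1335, as an added example (a simplified
user-space model, not MadWifi's code). struct buf, buf_pull() and decap_pair()
are hypothetical names, and the two-frame layout ignores the padding and LLC
details of real Fast Frame aggregates.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN 14u /* dst MAC 6 + src MAC 6 + type/length 2 */

/* Minimal stand-in for an skb: a view over the received bytes. */
struct buf { const uint8_t *data; size_t len; };

/* Same contract as skb_pull(): advance past n bytes, NULL if too short. */
static const uint8_t *buf_pull(struct buf *b, size_t n)
{
    if (n > b->len)
        return NULL;
    b->data += n;
    b->len -= n;
    return b->data;
}

/*
 * Split an aggregate of two nested 802.3 frames and strip both headers.
 * On success returns 0 and p1/p2 describe the two payloads.
 * Returns -1 for any length the packet itself cannot back up.
 */
int decap_pair(const uint8_t *pkt, size_t pkt_len,
               struct buf *p1, struct buf *p2)
{
    size_t first_len;

    if (pkt == NULL || pkt_len < ETH_HDR_LEN)
        return -1;
    /* Length field is attacker-controlled: big-endian payload size. */
    first_len = ETH_HDR_LEN + (((size_t)pkt[12] << 8) | pkt[13]);
    /* First frame must fit, and the rest must hold a full header. */
    if (first_len > pkt_len || pkt_len - first_len < ETH_HDR_LEN)
        return -1;

    p1->data = pkt;             p1->len = first_len;
    p2->data = pkt + first_len; p2->len = pkt_len - first_len;
    /* Still check every pull: a NULL here must never be dereferenced. */
    if (buf_pull(p1, ETH_HDR_LEN) == NULL || buf_pull(p2, ETH_HDR_LEN) == NULL)
        return -1;
    return 0;
}
```

The bounds test runs before any pointer is derived from the length field, and
the pull results are checked anyway so a later change cannot reintroduce the
NULL dereference silently.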
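The integer checks behind tickets 1270 and 1334, as an added example (not the
driver's code): a signed index tested only against its upper bound, the
corrected range check, and a zero-divisor guard around a round-up division.
NUM_AC, wmm_table and the function names are hypothetical; HOWMANY is defined
locally with the usual round-up shape.

```c
#include <stddef.h>
#include <stdint.h>

#define NUM_AC 4 /* assumed table size for this sketch */
/* Round-up division, the usual shape of a howmany() macro. */
#define HOWMANY(x, y) (((x) + ((y) - 1)) / (y))

static const int wmm_table[NUM_AC] = { 10, 20, 30, 40 }; /* constructed */

/* Flawed pattern: only the upper bound is tested on a signed index. */
int index_ok_upper_only(int idx)
{
    return idx < NUM_AC; /* any negative value also passes */
}

/* Corrected: reject negatives too. Returns 0 on success, -1 otherwise. */
int table_get(int idx, int *out)
{
    if (idx < 0 || idx >= NUM_AC)
        return -1;
    *out = wmm_table[idx];
    return 0;
}

/*
 * Number of intervals of length intval needed to cover span.
 * intval comes from a received frame, so zero must be refused
 * before it reaches the division inside HOWMANY.
 */
int intervals_needed(uint32_t span, uint32_t intval, uint32_t *out)
{
    if (intval == 0)
        return -1;
    /* 64-bit arithmetic so span + intval - 1 cannot wrap. */
    *out = (uint32_t)HOWMANY((uint64_t)span, (uint64_t)intval);
    return 0;
}
```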
NOTE: The version number 0.9.3.1 is actually lower than the version number
shipped in Scientific Linux 4.x. This is correct. This really is the latest
version of madwifi. We have adjusted the RPMs so that they can handle this.
SL 4.x
SRPMS:
madwifi-0.9.3.1-10.sl4.src.rpm
i386:
madwifi-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-55.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-55.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-55.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-55.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-55.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-55.ELsmp-0.9.3.1-10.sl4.i686.rpm
x86_64:
madwifi-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-55.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-55.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-55.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-55.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-55.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-55.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
SL 5.x
SRPMS:
madwifi-0.9.3.1-11.sl5.src.rpm
i386:
madwifi-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.i686.rpm
x86_64:
madwifi-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.x86_64.rpm
-Connie Sieh
-Troy Dawson