Thread: [Madwifi-devel] HEADS UP: Three security issues fixed in release 0.9.3.1
From: Michael R. <mre...@ma...> - 2007-05-23 10:32:39
Hi all.

We recently have been made aware of three security-related issues in MadWifi v0.9.3. In response to these reports we've released v0.9.3.1 today (which is similar to v0.9.3 plus the relevant fixes).

The release tarballs are available for immediate download from:
http://sourceforge.net/project/showfiles.php?group_id=82936&package_id=85233

*We strongly advise all users of MadWifi to upgrade to v0.9.3.1 as soon as possible.*

Thanks to Md Sohail Ahmad of AirTight Networks Inc. for reporting issue 1. We would also like to thank the reporter of issues 2 and 3, who has asked to keep his identity private.

The issues are:

1. Remote DoS: insufficient input validation (beacon interval)

   The beacon interval information that is gathered while scanning for Access Points is not properly validated. This could be exploited from remote to cause a DoS due to a "division by zero" exception.

   See also: http://madwifi.org/ticket/1270

2. Remote DoS: insufficient input validation (Fast Frame parsing)

   The code which parses fast frames and 802.3 frames embedded therein does not properly validate the size parameters in such frames. This could be exploited from remote to cause a DoS due to a NULL-pointer dereference.

   See also: http://madwifi.org/ticket/1335

3. Local DoS: insufficient input validation (WMM parameters)

   A restricted local user could pass invalid data to two ioctl handlers, causing a DoS due to access being made to invalid addresses. Chances are that this issue also might allow read and/or write access to kernel memory; this has not yet been verified.

   See also: http://madwifi.org/ticket/1334

Thanks for your attention.

Bye, Mike
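Issue 1 above, shown as an added example (not MadWifi's code and not part of the original thread): the beacon interval is read from an untrusted frame body and range-checked before any arithmetic divides by it. The function names, error codes and the accepted range of 1 to 1000 TU are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed fields at the start of an 802.11 beacon body:
 * timestamp (8 bytes), beacon interval (2 bytes, little-endian, in TU),
 * capability information (2 bytes). */
#define BEACON_FIXED_LEN 12
#define TU_USEC          1024u  /* one time unit = 1024 microseconds */
/* Accepted range is an assumption of this example, not taken from MadWifi. */
#define EX_BINTVAL_MIN   1u
#define EX_BINTVAL_MAX   1000u

enum { BCN_SHORT = -1, BCN_BAD_INTERVAL = -2 };  /* hypothetical error codes */

/* Return the validated beacon interval in TU, or a negative error code. */
static int beacon_interval_tu(const uint8_t *body, size_t len)
{
    if (body == NULL || len < BEACON_FIXED_LEN)
        return BCN_SHORT;                 /* truncated frame: no field to read */
    unsigned v = body[8] | ((unsigned)body[9] << 8);
    if (v < EX_BINTVAL_MIN || v > EX_BINTVAL_MAX)
        return BCN_BAD_INTERVAL;          /* rejects 0 before anything divides */
    return (int)v;
}

/* Next expected beacon time (microseconds) after tsf_us, or a negative error.
 * The division below is the operation that traps when the interval is 0. */
static int64_t next_beacon_us(const uint8_t *body, size_t len, uint64_t tsf_us)
{
    int tu = beacon_interval_tu(body, len);
    if (tu < 0)
        return tu;                        /* drop the frame, do no arithmetic */
    uint64_t period = (uint64_t)tu * TU_USEC;
    return (int64_t)((tsf_us / period + 1) * period);
}

/* Constructed sample bodies (not captured traffic): 100 TU and 0 TU. */
static const uint8_t good_body[12] = {0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x00};
static const uint8_t zero_body[12] = {0,0,0,0,0,0,0,0, 0x00,0x00, 0x01,0x00};

int main(void)
{
    printf("interval 100 TU -> %lld\n",
           (long long)next_beacon_us(good_body, sizeof good_body, 250000));
    printf("interval 0 TU   -> %lld\n",
           (long long)next_beacon_us(zero_body, sizeof zero_body, 250000));
    return 0;
}
```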
From: Daniel D. <dd...@br...> - 2007-05-23 15:11:31
Hi Michael,

On Wed, 2007-05-23 at 12:32 +0200, Michael Renzmann wrote:
> We recently have been made aware of three security-related issues in
> MadWifi v0.9.3. In response to these reports we've released v0.9.3.1 today

Any chance these fixes could also be committed to trunk today so that they appear in the next snapshot?

Thanks in advance.

--
Daniel Drake
Brontes Technologies, A 3M Company
From: Kel M. <ke...@ot...> - 2007-05-24 01:46:46
Hi Daniel,

On Thu, 24 May 2007 01:11:19 am Daniel Drake wrote:
> Hi Michael,
>
> On Wed, 2007-05-23 at 12:32 +0200, Michael Renzmann wrote:
> > We recently have been made aware of three security-related issues in
> > MadWifi v0.9.3. In response to these reports we've released v0.9.3.1
> > today
>
> Any chance these fixes could also be committed to trunk today so that
> they appear in the next snapshot?

It is believed that these vulnerabilities do not exist in trunk:

http://madwifi.org/ticket/1270#comment:12
http://madwifi.org/ticket/1334#comment:3
http://madwifi.org/ticket/1335#comment:2

The referenced changesets are:

http://madwifi.org/changeset/2280
http://madwifi.org/changeset/2296
http://madwifi.org/changeset/2348

Looks like any snapshot >= 2348 should be "safe".

Thanks,
Kel.