[Madwifi-devel] HEADS UP: Security issue fixed in release 0.9.2.1 / r1842 - CVE-2006-6332

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi all.

As reported earlier by Julien Tinnes [1] a security issue has been
discovered by a group of researchers from France Telecom. The issue,
CVE-2006-6332 [2], is caused by a buffer overflow bug in some routines
that are used for scanning for Access Points. The bug can be triggered by
sending properly crafted 802.11 beacon and/or probe response frames, which
allows to inject and execute code on the scanning hosts. In other words:
this issue is remotely exploitable.

This is a critical security flaw. From what we know so far, the bug has
been in trunk since r1504 (probably longer). This means that all previous
releases of MadWifi (0.9.0, 0.9.1 and 0.9.2) are affected.

In response to Julien's report we released v0.9.2.1 today (which is
similar to v0.9.2 plus the fix for CVE-2006-6332) and committed the same
fix to trunk in r1842. We recommend to upgrade immediately.

The v0.9.2.1 tarball can be downloaded from sf.net [3]. A snapshot tarball
of r1842 is available as well [4].

The MadWifi team would like to thank Julien Tinnes, Laurent Butti and
Jerome Razniewski for their investigation, report and cooperation.

Bye, Mike

[1] http://article.gmane.org/gmane.linux.drivers.madwifi.user/11906
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6332
[3] http://sourceforge.net/project/showfiles.php?group_id=82936
[4] http://snapshots.madwifi.org/madwifi-ng/madwifi-ng-r1842-20061207.tar.gz