-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#14
- ------------------------------------------------------------
Name:      tcpdump
Date:      2007-03-09
Severity:  High
Warning #: 2007-#14
- ------------------------------------------------------------

Product Background
===================
A tool for network monitoring and data acquisition.

Problem Background
===================
There is an off-by-one heap overflow in the IEEE 802.11 printer, which can be triggered by a maliciously crafted 802.11 frame. The link type must have been explicitly specified for this to work.

The function parse_elements() in print-802_11.c checks the length pbody->tim.length from the frame for too-small values in line 265, but then uses the wrong variable in the following range check in line 267. Since pbody->tim.length is defined as a u_int8_t it can hold a maximum value of 255, which in turn would copy 252 bytes into pbody->tim.bitmap, which is only 251 bytes in size.

Impact
======
The off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.

Problem Packages
===================
- ------------------------------------------------------------------
Package  | Repo    | Group   | Unsafe     | Safe         |
- ------------------------------------------------------------------
tcpdump  | current | network | <= 3.9.5-1 | Only patched |
- ------------------------------------------------------------------

Package Fix
===================
Patch tcpdump with this patch (from the CVS repo):
http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-802_11.c?r1=1.42&r2=1.43

====================
Unofficial ArchLinux Security Bug Tracker:
http://jjdanimoth.netsons.org/alsw.html
where I will summarize all warnings.

I try to make a place where we, members of the community, can talk about these:
http://jjdanimoth.netsons.org/flyspray/

I'm away from 10-03-2007 to 15-03-2007.
I hope that community members continue to open new security bugs in my absence ;) (Use my unofficial security tracker, waiting for a response from the devs.)
Thank you.

Reference(s)
===================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1218

Contact
==================
JJDaNiMoTh < jjdanimoth AT gmail DOT com >

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF8YLKcJj0HNhER0MRAkYcAJ9SUm7G0eUJgulXLnprn3lcayydqACbBF93
ijHMlSz/eFVCH5QYYUgqLDg=
=iXPE
-----END PGP SIGNATURE-----
_______________________________________________
arch mailing list
[email protected]
http://www.archlinux.org/mailman/listinfo/arch
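The following is an added illustration of the length check described in the Problem Background section above; it is not tcpdump's code and not part of the original advisory. It models a TIM element with a one-byte length field and a 251-byte bitmap, as the advisory states, and places a check that consults a different element's length (the "wrong variable" pattern) beside a corrected check that compares the bytes actually copied (length minus the three fixed bytes) against the destination size. The struct layout, field names and function names are assumptions made for this example; no packet parsing or memory copying takes place, the functions only report whether the copy would be allowed and how many bytes it would write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the TIM element (constructed for this example;
 * field names are assumptions, not tcpdump's print-802_11.c layout).
 * The advisory states the bitmap is 251 bytes and the length field
 * is a u_int8_t, so it can hold at most 255. */
#define TIM_BITMAP_SIZE 251

struct tim_t {
    uint8_t element_id;
    uint8_t length;                     /* u_int8_t: 0..255 */
    uint8_t count;                      /* three fixed bytes ... */
    uint8_t period;
    uint8_t bitmap_control;             /* ... consumed before the bitmap */
    uint8_t bitmap[TIM_BITMAP_SIZE];
};

/* Bytes the printer would copy into tim.bitmap for a given length field:
 * the three fixed bytes are taken first, the remainder is bitmap data. */
static size_t tim_bitmap_copy_len(uint8_t tim_length)
{
    return tim_length > 3 ? (size_t)tim_length - 3 : 0;
}

/* Vulnerable pattern: the lower bound is checked on the TIM length, but
 * the upper bound is checked on some other element's length, so the TIM
 * length itself is never compared with the bitmap size.
 * Returns 1 when the copy would proceed. */
static int tim_copy_allowed_vulnerable(uint8_t tim_length, uint8_t other_length)
{
    if (tim_length <= 3)                /* too-small check (correct variable) */
        return 0;
    if (other_length > TIM_BITMAP_SIZE) /* range check on the wrong variable */
        return 0;
    return 1;
}

/* Corrected pattern: bound the number of bytes that will actually be
 * written (tim_length - 3) by the destination size. */
static int tim_copy_allowed_fixed(uint8_t tim_length)
{
    if (tim_length <= 3)
        return 0;
    if (tim_bitmap_copy_len(tim_length) > TIM_BITMAP_SIZE)
        return 0;
    return 1;
}

/* Would the vulnerable check let a copy through that overruns the bitmap? */
static int vulnerable_overruns(uint8_t tim_length, uint8_t other_length)
{
    return tim_copy_allowed_vulnerable(tim_length, other_length)
        && tim_bitmap_copy_len(tim_length) > TIM_BITMAP_SIZE;
}

int main(void)
{
    /* Constructed worst case from the advisory: length field = 255. */
    uint8_t len = 255;

    printf("bitmap size        : %d\n", TIM_BITMAP_SIZE);
    printf("bytes to copy      : %zu\n", tim_bitmap_copy_len(len));
    printf("vulnerable check   : %s\n",
           tim_copy_allowed_vulnerable(len, 0) ? "copies (overrun by 1)" : "rejects");
    printf("fixed check        : %s\n",
           tim_copy_allowed_fixed(len) ? "copies" : "rejects");
    /* 254 is the largest length the fixed check accepts: 251 bytes, exact fit. */
    printf("fixed accepts 254  : %d\n", tim_copy_allowed_fixed(254));
    return 0;
}
```

Running the block shows that with the length field at 255 the vulnerable check passes (the other element's length is 0, well under 251) while 252 bytes would be written into a 251-byte field, and that the corrected check rejects 255 and accepts at most 254. The detection angle for a maintainer reviewing similar parsers is the mismatch itself: a lower-bound check on one variable followed by an upper-bound check on another is the signature to look for.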
