Your message dated Thu, 06 Nov 2008 14:17:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#504696: fixed in ndiswrapper 1.53-2
has caused the Debian Bug report #504696,
regarding ndiswrapper-source: longs ESSIDs can expose security vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
504696: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504696
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: ndiswrapper-source
Version: 1.53-1
Severity: grave
Tags: security patch
Justification: user security hole
>From [0]:
Anders Kaseorg discovered that ndiswrapper did not correctly handle long
ESSIDs. For a system using ndiswrapper, a physically near-by attacker could
generate specially crafted wireless network traffic and execute arbitrary
code with root privileges. (CVE-2008-4395 [1])
Attached is the diff contrinuted by Anders Kaseorg to [2].
[0] http://www.ubuntu.com/usn/usn-662-1
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4395
[2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/275860
Thanks, Kel.
---
diff --git a/ubuntu/ndiswrapper/iw_ndis.c b/ubuntu/ndiswrapper/iw_ndis.c
index b114ef6..01d3751 100644
--- a/ubuntu/ndiswrapper/iw_ndis.c
+++ b/ubuntu/ndiswrapper/iw_ndis.c
@@ -47,12 +47,7 @@ int set_essid(struct ndis_device *wnd, const char *ssid, int
ssid_len)
req.length = ssid_len;
if (ssid_len)
memcpy(&req.essid, ssid, ssid_len);
- DBG_BLOCK(2) {
- char buf[NDIS_ESSID_MAX_SIZE+1];
- memcpy(buf, ssid, ssid_len);
- buf[ssid_len] = 0;
- TRACE2("ssid = '%s'", buf);
- }
+ TRACE2("ssid = '%.*s'", ssid_len, ssid);
res = mp_set(wnd, OID_802_11_SSID, &req, sizeof(req));
if (res) {
@@ -125,7 +120,6 @@ static int iw_get_essid(struct net_device *dev, struct
iw_request_info *info,
EXIT2(return -EOPNOTSUPP);
}
memcpy(extra, req.essid, req.length);
- extra[req.length] = 0;
if (req.length > 0)
wrqu->essid.flags = 1;
else
@@ -1000,7 +994,7 @@ static int iw_set_nick(struct net_device *dev, struct
iw_request_info *info,
if (wrqu->data.length > IW_ESSID_MAX_SIZE || wrqu->data.length <= 0)
return -EINVAL;
- memset(wnd->nick, 0, sizeof(wnd->nick));
+ wnd->nick_len = wrqu->data.length;
memcpy(wnd->nick, extra, wrqu->data.length);
return 0;
}
@@ -1010,7 +1004,7 @@ static int iw_get_nick(struct net_device *dev, struct
iw_request_info *info,
{
struct ndis_device *wnd = netdev_priv(dev);
- wrqu->data.length = strlen(wnd->nick);
+ wrqu->data.length = wnd->nick_len;
memcpy(extra, wnd->nick, wrqu->data.length);
return 0;
}
diff --git a/ubuntu/ndiswrapper/ndis.h b/ubuntu/ndiswrapper/ndis.h
index 27ba99e..65d6b0b 100644
--- a/ubuntu/ndiswrapper/ndis.h
+++ b/ubuntu/ndiswrapper/ndis.h
@@ -878,6 +878,7 @@ struct ndis_device {
unsigned long scan_timestamp;
struct encr_info encr_info;
char nick[IW_ESSID_MAX_SIZE];
+ size_t nick_len;
struct ndis_essid essid;
struct auth_encr_capa capa;
enum ndis_infrastructure_mode infrastructure_mode;
diff --git a/ubuntu/ndiswrapper/proc.c b/ubuntu/ndiswrapper/proc.c
index fd5f433..6feff23 100644
--- a/ubuntu/ndiswrapper/proc.c
+++ b/ubuntu/ndiswrapper/proc.c
@@ -97,10 +97,8 @@ static int procfs_read_ndis_encr(char *page, char **start,
off_t off,
p += sprintf(p, "\n");
res = mp_query(wnd, OID_802_11_SSID, &essid, sizeof(essid));
- if (!res) {
- essid.essid[essid.length] = '\0';
- p += sprintf(p, "essid=%s\n", essid.essid);
- }
+ if (!res)
+ p += sprintf(p, "essid=%.*s\n", essid.length, essid.essid);
res = mp_query_int(wnd, OID_802_11_ENCRYPTION_STATUS, &encr_status);
if (!res) {
typeof(&wnd->encr_info.keys[0]) tx_key;
diff --git a/ubuntu/ndiswrapper/wrapndis.c b/ubuntu/ndiswrapper/wrapndis.c
index f6e5d46..35ef1cd 100644
--- a/ubuntu/ndiswrapper/wrapndis.c
+++ b/ubuntu/ndiswrapper/wrapndis.c
@@ -2028,7 +2028,7 @@ static wstdcall NTSTATUS NdisAddDevice(struct
driver_object *drv_obj,
wnd->attributes = 0;
wnd->dma_map_count = 0;
wnd->dma_map_addr = NULL;
- wnd->nick[0] = 0;
+ wnd->nick_len = 0;
init_timer(&wnd->hangcheck_timer);
wnd->scan_timestamp = 0;
init_timer(&wnd->iw_stats_timer);
---
--- End Message ---
--- Begin Message ---
Source: ndiswrapper
Source-Version: 1.53-2
We believe that the bug you reported is fixed in the latest version of
ndiswrapper, which is due to be installed in the Debian FTP archive:
ndiswrapper-common_1.53-2_all.deb
to pool/main/n/ndiswrapper/ndiswrapper-common_1.53-2_all.deb
ndiswrapper-source_1.53-2_all.deb
to pool/main/n/ndiswrapper/ndiswrapper-source_1.53-2_all.deb
ndiswrapper-utils-1.9_1.53-2_amd64.deb
to pool/main/n/ndiswrapper/ndiswrapper-utils-1.9_1.53-2_amd64.deb
ndiswrapper_1.53-2.diff.gz
to pool/main/n/ndiswrapper/ndiswrapper_1.53-2.diff.gz
ndiswrapper_1.53-2.dsc
to pool/main/n/ndiswrapper/ndiswrapper_1.53-2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kel Modderman <[EMAIL PROTECTED]> (supplier of updated ndiswrapper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 06 Nov 2008 21:06:38 +1000
Source: ndiswrapper
Binary: ndiswrapper-common ndiswrapper-utils-1.9 ndiswrapper-source
Architecture: source all amd64
Version: 1.53-2
Distribution: unstable
Urgency: high
Maintainer: Julian Andres Klode <[EMAIL PROTECTED]>
Changed-By: Kel Modderman <[EMAIL PROTECTED]>
Description:
ndiswrapper-common - Common scripts required to use the utilities for
ndiswrapper
ndiswrapper-source - Source for the ndiswrapper Linux kernel module
ndiswrapper-utils-1.9 - Userspace utilities for the ndiswrapper Linux kernel
module
Closes: 504696
Changes:
ndiswrapper (1.53-2) unstable; urgency=high
.
* Add debian/patches/CVE-2008-4395.patch to fix a vulnerability in handling
of long ESSIDs which allows execution of code as root via remote attacker.
(Closes: #504696)
Checksums-Sha1:
dd1fb5f41cfd88693257446beb03fd8fecc4365d 1150 ndiswrapper_1.53-2.dsc
31b1dfb0ef191c5adb00e63f7398894ae5dd9e95 12051 ndiswrapper_1.53-2.diff.gz
382c6e8153a33253c4fa347f6dc5e26d87cd6e89 20926
ndiswrapper-common_1.53-2_all.deb
91918b26d2d8e9a4d5f2dccac82f3e500a811269 160538
ndiswrapper-source_1.53-2_all.deb
5abe81b19cf511bd75bbebe9353cfee6643a82d0 36652
ndiswrapper-utils-1.9_1.53-2_amd64.deb
Checksums-Sha256:
1012883ac3ab1f78cacdfcf4b9bf692736b34a4b0a3f5b5299c105a908f41c9d 1150
ndiswrapper_1.53-2.dsc
3666cef296fd69a365baca816388cf7c19e40d5c2fea6740bb8040e70d4af87d 12051
ndiswrapper_1.53-2.diff.gz
dfb2857b1641419c38d781738610247234d648b489d5f06e6e86d1401c0678eb 20926
ndiswrapper-common_1.53-2_all.deb
1153cf9cef77bf3fb391358b1e13a23ed2bf07a846b9600d8059223d4da97183 160538
ndiswrapper-source_1.53-2_all.deb
770ec84e1bbcae2bd7ac2fa85f46609a7eea1b4c912be9f7de138f24c9559ecd 36652
ndiswrapper-utils-1.9_1.53-2_amd64.deb
Files:
77adee45a853283d511607c463605ff7 1150 misc optional ndiswrapper_1.53-2.dsc
acd1dddba548553ceb140b0ea28a1caa 12051 misc optional ndiswrapper_1.53-2.diff.gz
b2495ad3765d61a6fd56baa191caddb2 20926 misc optional
ndiswrapper-common_1.53-2_all.deb
d19395ffb21badc09514741f45ce45d2 160538 misc optional
ndiswrapper-source_1.53-2_all.deb
dabb97f1ffbfe45b57cffb7b5e41a486 36652 misc optional
ndiswrapper-utils-1.9_1.53-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkS+DMACgkQrCpf/gCCPsK9kgCgg8ATbHIbdwd+KcNi8wNE9Gb4
6FMAn0skaBfE/1MB6yTRnCA5x5RshmXG
=6OFM
-----END PGP SIGNATURE-----
--- End Message ---