Date:         Fri, 8 Jun 2007 16:28:18 -0500
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA for madwifi  on SL5.x, SL4.x i386/x86_64
Comments: To: scientific-linux-errata@fnal.gov

Synopsis:	Madwifi 0.9.3.1 fixes three security vulnerabilities.
Issue date:	2007-05-23
CVE Names:	

Madwifi 0.9.3.1 Release note:

Security fixes in 0.9.3.1:
- In the madwifi/ath component, if_ath.c handles the beacon-configuration-related 
initialization task for both clients and APs in the function 
ath_beacon_config(). The function uses the macro "howmany", which performs a 
divide operation. The macro is used without checking that its argument (the 
denominator 'intval') is non-zero. The divide-by-zero condition can be 
triggered externally using a malformed packet.

- There is a vulnerability in the packet parsing code whereby a remote attacker 
can craft a malicious packet that will DoS the system. Due to improper 
sanitization of nested 802.3 Ethernet frame length fields in Fast Frame packets, 
the MadWifi driver is vulnerable to a remote kernel denial of service. The 
problem is that the frame length is read directly from the attacker's packet 
without validation. The attacker can specify a length so that after the 
skb_pull operation skb1 is shorter than sizeof(ethernet_header). When skb_pull 
is called again on skb1 in athff_decap it will return NULL. This results in a 
NULL dereference later on in the function.

- A restricted local user can make an unprivileged I/O control call to the 
driver's ieee80211_ioctl_getwmmparams. This function accepts an array index 
from the user, which is validated incorrectly. The function checks that the 
index supplied by the user is less than a maximum value, but does not check if 
the index is less than 0. A local attacker can specify a large negative number 
which will pass the check, and cause an error in the array dereference.
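
The integer checks missing in the first and third items above, as an added user-space example (not part of the original advisory and not MadWifi source). The table, its size and contents, and the names `flawed_check_accepts`, `get_wmm_param`, `get_wmm_param_unsigned`, `intervals_elapsed` and `tsf_tu` are assumptions made for illustration; treating 'intval' as a 16-bit beacon interval is also an assumption.

```c
#include <errno.h>
#include <stdint.h>

#define WME_NUM_AC 4   /* assumed table size for this model */
/* Ceiling division, same shape as the howmany() macro the advisory names. */
#define HOWMANY(x, y) (((x) + ((y) - 1)) / (y))

/* Constructed stand-in for a per-access-category parameter table. */
static const int wmm_cwmin[WME_NUM_AC] = { 4, 4, 3, 2 };

/* Flawed test from the third item: upper bound only. Returns 1 when the
 * index would be let through; the array is deliberately not touched. */
int flawed_check_accepts(int ac)
{
    return ac < WME_NUM_AC;
}

/* Corrected lookup: both ends of the range are checked before indexing. */
int get_wmm_param(int ac, int *out)
{
    if (ac < 0 || ac >= WME_NUM_AC)
        return -EINVAL;
    *out = wmm_cwmin[ac];
    return 0;
}

/* Same fix via the type: as unsigned, a negative input becomes a huge
 * value and fails the single upper-bound comparison. */
int get_wmm_param_unsigned(unsigned int ac, int *out)
{
    if (ac >= WME_NUM_AC)
        return -EINVAL;
    *out = wmm_cwmin[ac];
    return 0;
}

/* First item: an interval taken from a received frame is checked for
 * zero before it becomes the divisor of HOWMANY(). */
int intervals_elapsed(uint32_t tsf_tu, uint16_t intval, uint32_t *out)
{
    if (intval == 0)
        return -EINVAL;
    *out = (uint32_t)HOWMANY((uint64_t)tsf_tu, (uint64_t)intval);
    return 0;
}
```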
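
The length validation missing in the second item above, as an added user-space model (not part of the original advisory and not MadWifi source). The two-frame layout is simplified, and `struct buf`, `buf_pull`, `split_two_frames` and `try_declared_length` are hypothetical names; `buf_pull` only mirrors the skb_pull contract of returning NULL when asked for more bytes than remain.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN 14  /* dst(6) + src(6) + 802.3 length(2) */

/* Minimal user-space stand-in for an skb: a window over a byte buffer. */
struct buf { const uint8_t *data; size_t len; };

/* Same contract as skb_pull(): returns NULL when len exceeds what is left. */
static const uint8_t *buf_pull(struct buf *b, size_t len)
{
    if (len > b->len)
        return NULL;
    b->data += len;
    b->len -= len;
    return b->data;
}

/* Split an aggregate carrying two 802.3 frames. The first frame's length
 * field comes from the sender, so it is checked against the bytes really
 * present before anything is pulled. Returns 0 on success, -1 to drop. */
int split_two_frames(const uint8_t *pkt, size_t pkt_len,
                     struct buf *first, struct buf *second)
{
    size_t declared, first_total;
    if (pkt == NULL || pkt_len < ETH_HDR_LEN)
        return -1;
    declared = ((size_t)pkt[12] << 8) | pkt[13];  /* big-endian length */
    first_total = ETH_HDR_LEN + declared;
    /* The remainder must still hold a complete second header. */
    if (first_total > pkt_len || pkt_len - first_total < ETH_HDR_LEN)
        return -1;
    *first = (struct buf){ pkt, first_total };
    *second = (struct buf){ pkt, pkt_len };
    if (buf_pull(second, first_total) == NULL)  /* result checked, not assumed */
        return -1;
    return 0;
}

/* Constructed sample: a zeroed 34-byte aggregate whose first header
 * claims `declared` payload bytes. Returns what the splitter decides. */
int try_declared_length(uint16_t declared)
{
    uint8_t pkt[34] = {0};
    struct buf a, b;
    pkt[12] = (uint8_t)(declared >> 8);
    pkt[13] = (uint8_t)(declared & 0xff);
    return split_two_frames(pkt, sizeof pkt, &a, &b);
}
```

A declared length of 7 leaves 13 bytes for the second frame, one short of a header, which is the case the advisory describes; the model drops it instead of pulling.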

NOTE: The version number 0.9.3.1 is actually lower than the version number 
shipped in Scientific Linux 4.x.  This is correct.  This really is the latest 
version of madwifi.  We have adjusted the rpm's so that they can handle this.

SL 4.x

   SRPMS:
madwifi-0.9.3.1-10.sl4.src.rpm
   i386:
madwifi-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-55.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-55.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-2.6.9-55.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-55.EL-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-55.ELhugemem-0.9.3.1-10.sl4.i686.rpm
kernel-module-madwifi-hal-2.6.9-55.ELsmp-0.9.3.1-10.sl4.i686.rpm
   x86_64:
madwifi-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-55.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-55.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-2.6.9-55.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.10.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.3.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-42.0.8.ELsmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-55.EL-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-55.ELlargesmp-0.9.3.1-10.sl4.x86_64.rpm
kernel-module-madwifi-hal-2.6.9-55.ELsmp-0.9.3.1-10.sl4.x86_64.rpm

SL 5.x

   SRPMS:
madwifi-0.9.3.1-11.sl5.src.rpm
   i386:
madwifi-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5PAE-0.9.3.1-11.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.i686.rpm
   x86_64:
madwifi-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.3.el5xen-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5-0.9.3.1-11.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-8.1.4.el5xen-0.9.3.1-11.sl5.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: madwifi SL5.x, SL4.x i386/x86_64 Errata 16-28-18
