Acknowledgement sent to Matteo Rosi <rosi@lart.det.unifi.it>:
New Bug report received and forwarded. Copy sent to Faidon Liambotis <faidon@cube.gr>.
Package: Hostapd
Version: 0.3.7-2
Severity: critical
Tags: security, patch, sarge
Description:
An invalid value, in a field of EAPoL frame, causes a segmentation fault
error in hostapd daemon.
We found it using Stress: a software for protocol implementation testing
and security testing, you can find it at
http://lart.det.unifi.it/Members/rosi/stress
We found the error in wpa.c file, line 1416:
    key_data_length = ntohs(key->key_data_length);
To correct it we can take the patch made by Malinen in revision
1.71.2.1 in the CVS system:
    key_data_length = ntohs(key->key_data_length);
    if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
        wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
                   "key_data overflow (%d > %d)",
                   key_data_length,
                   data_len - sizeof(*hdr) - sizeof(*key));
        return;
    }
regards,
Matteo Rosi, Leonardo Maccari
--
Telecommunication Network Lab,
Department of Electronics and Telecommunications, University of Florence
http://lart.det.unifi.it/
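The check quoted above only makes sense against the frame layout it protects, so here is an added stand-alone example (not hostapd's code and not part of the bug report) of an EAPOL-Key parser that performs it. It uses struct layouts that mirror the IEEE 802.1X header and the WPA EAPOL-Key body, constructs its own test frames, and rejects a frame whose key_data_length claims more bytes than remain in the buffer. It goes slightly beyond the patch by also checking the minimum frame size and the EAPOL header length before reading key_data_length, so the subtraction in the check cannot underflow; the error codes, the build_eapol_key/check_frame helpers and the key descriptor type value are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define EAPOL_KEY_TYPE 3   /* IEEE 802.1X packet type: EAPOL-Key */

/* IEEE 802.1X (EAPOL) header; length is the body length in network order. */
struct ieee802_1x_hdr {
    uint8_t  version;
    uint8_t  type;
    uint16_t length;
} __attribute__((packed));

/* WPA EAPOL-Key body; key_data_length bytes of key_data follow it. */
struct wpa_eapol_key {
    uint8_t  type;
    uint16_t key_info;
    uint16_t key_length;
    uint8_t  replay_counter[8];
    uint8_t  key_nonce[32];
    uint8_t  key_iv[16];
    uint8_t  key_rsc[8];
    uint8_t  key_id[8];
    uint8_t  key_mic[16];
    uint16_t key_data_length;   /* network byte order, attacker controlled */
} __attribute__((packed));

/* Verdicts returned by the parser (names are this example's assumption). */
enum { EAPOL_OK = 0, EAPOL_TOO_SHORT = -1, EAPOL_BAD_HDR_LEN = -2, EAPOL_KEY_DATA_OVERFLOW = -3 };

/* Validate an EAPOL-Key frame; on success report where key_data lies. */
int parse_eapol_key(const uint8_t *data, size_t data_len,
                    const uint8_t **key_data, size_t *key_data_len)
{
    const struct ieee802_1x_hdr *hdr;
    const struct wpa_eapol_key *key;
    size_t avail;
    uint16_t kdl;

    /* Both fixed structures must fit before any field is read. */
    if (data_len < sizeof(*hdr) + sizeof(*key))
        return EAPOL_TOO_SHORT;
    hdr = (const struct ieee802_1x_hdr *)data;
    key = (const struct wpa_eapol_key *)(data + sizeof(*hdr));
    if (hdr->type != EAPOL_KEY_TYPE || ntohs(hdr->length) > data_len - sizeof(*hdr))
        return EAPOL_BAD_HDR_LEN;

    /* The check from the upstream patch: key_data must fit in what is left. */
    avail = data_len - sizeof(*hdr) - sizeof(*key);
    kdl = ntohs(key->key_data_length);
    if (kdl > avail) {
        fprintf(stderr, "WPA: Invalid EAPOL-Key frame - key_data overflow (%u > %zu)\n",
                (unsigned)kdl, avail);
        return EAPOL_KEY_DATA_OVERFLOW;
    }
    *key_data = (const uint8_t *)(key + 1);
    *key_data_len = kdl;
    return EAPOL_OK;
}

/* Build a constructed test frame: 'claimed' is written into key_data_length,
 * 'actual' filler bytes of key_data are appended. Returns the frame length,
 * or 0 if buf is too small. */
size_t build_eapol_key(uint8_t *buf, size_t buf_len, uint16_t claimed, size_t actual)
{
    size_t len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key) + actual;
    struct ieee802_1x_hdr *hdr = (struct ieee802_1x_hdr *)buf;
    struct wpa_eapol_key *key = (struct wpa_eapol_key *)(buf + sizeof(*hdr));
    if (buf_len < len)
        return 0;
    memset(buf, 0, len);
    hdr->version = 1;
    hdr->type = EAPOL_KEY_TYPE;
    hdr->length = htons((uint16_t)(sizeof(*key) + actual));
    key->type = 254;   /* WPA key descriptor type (assumed value for the example) */
    key->key_data_length = htons(claimed);
    memset(buf + sizeof(*hdr) + sizeof(*key), 0xAA, actual);
    return len;
}

/* Parse a constructed frame, optionally truncated to 'truncate_to' bytes
 * (0 = no truncation), and return the parser's verdict. */
int check_frame(uint16_t claimed, size_t actual, size_t truncate_to)
{
    uint8_t buf[256];
    const uint8_t *kd;
    size_t kdl;
    size_t len = build_eapol_key(buf, sizeof buf, claimed, actual);
    if (len == 0)
        return EAPOL_TOO_SHORT;
    if (truncate_to && truncate_to < len)
        len = truncate_to;
    return parse_eapol_key(buf, len, &kd, &kdl);
}

int main(void)
{
    printf("consistent frame:        %d\n", check_frame(8, 8, 0));        /* 0  */
    printf("key_data_length 0xFFFF:  %d\n", check_frame(0xFFFF, 8, 0));   /* -3 */
    printf("truncated to 50 bytes:   %d\n", check_frame(8, 8, 50));       /* -1 */
    return 0;
}
```

The second case is the shape of frame the report describes: a valid-looking EAPOL-Key body whose key_data_length points past the end of the received data. Without the check, code that later reads key_data_length bytes from key_data walks off the buffer, which is the segfault Matteo observed; with it, the frame is logged and dropped.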
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#365897; Package hostapd.
Acknowledgement sent to Faidon Liambotis <faidon@cube.gr>:
Extra info received and forwarded to list.
Hi,
Matteo Rosi wrote:
| Package: Hostapd
| Version: 0.3.7-2
| Severity: critical
| Tags: security, patch, sarge
|
| Description:
| An invalid value, in a field of EAPoL frame, causes a segmentation fault
| error in hostapd daemon.
|
| We found it using Stress: a software for protocol implementation testing
| and security testing, you can find it at
|
| http://lart.det.unifi.it/Members/rosi/stress
Thanks for the detailed report.
Security team, please advise and/or upload. I believe the severity is
inflated, as this is just a DoS on the program, but I'm leaving it to
you to lower it.
Attached is a patch doing exactly what Matteo said, copied from upstream
and compile tested.
The version in sid/etch (0.5.0-1) is unaffected by this issue.
Regards,
Faidon
Information forwarded to debian-bugs-dist@lists.debian.org, Faidon Liambotis <faidon@cube.gr>: Bug#365897; Package hostapd.
Acknowledgement sent to Matteo Rosi <rosi@lart.det.unifi.it>:
Extra info received and forwarded to list. Copy sent to Faidon Liambotis <faidon@cube.gr>.
Cc: Debian Security Team <team@security.debian.org>,
365897@bugs.debian.org
Subject: Re: Bug#365897: seg fault error in hostapd
Date: Thu, 04 May 2006 17:45:12 +0200
Faidon Liambotis wrote:
> Hi,
> Matteo Rosi wrote:
> | Package: Hostapd
> | Version: 0.3.7-2
> | Severity: critical
> | Tags: security, patch, sarge
> Security team, please advise and/or upload. I believe the severity is
> inflated, as this is just a DoS on the program, but I'm leaving it to
> you to lower it.
we didn't have time to investigate it further but the problem seems to
be related to an unchecked buffer length, so even if now it only causes
a segfault, it might also cause worse consequences.
regards,
Matteo Rosi, Leonardo Maccari
--
Telecommunication Network Lab,
Department of Electronics and Telecommunications, University of Florence
http://lart.det.unifi.it/
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#365897; Package hostapd.
Acknowledgement sent to Faidon Liambotis <faidon@cube.gr>:
Extra info received and forwarded to list.
notfound 365897 0.3.7-2
found 365897 1:0.3.7-2
close 365897 1:0.3.7-2sarge1
close 365897 1:0.5.0-1
thanks
The bug is fixed both in stable (by version 1:0.3.7-2sarge1) and in
etch/unstable.
Regards,
Faidon
Bug marked as not found in version 0.3.7-2.
Request was from Faidon Liambotis <faidon@cube.gr>
to control@bugs.debian.org.
Bug marked as found in version 1:0.3.7-2.
Request was from Faidon Liambotis <faidon@cube.gr>
to control@bugs.debian.org.
Bug marked as fixed in version 1:0.3.7-2sarge1, send any further explanations to Matteo Rosi <rosi@lart.det.unifi.it>
Request was from Faidon Liambotis <faidon@cube.gr>
to control@bugs.debian.org.
Bug marked as fixed in version 1:0.5.0-1, send any further explanations to Matteo Rosi <rosi@lart.det.unifi.it>
Request was from Faidon Liambotis <faidon@cube.gr>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 27 Jun 2007 07:56:56 GMT)