Your message dated Wed, 28 Jan 2009 00:47:04 +0000
with message-id <e1lrya8-0000ec...@ries.debian.org>
and subject line Bug#513000: fixed in rt2500 1:1.1.0-b4+cvs20080623-3
has caused the Debian Bug report #513000,
regarding Possible security flaw in ad-hoc probe request processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
513000: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513000
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rt73
Severity: critical
Tags: security, upstream

"Aviv" <spring...@gmail.com> wrote on Bugtraq:
> Some Ralinktech wireless card drivers suffer from an integer
> overflow. Sending a malformed 802.11 Probe Request packet, with no
> care about the victim's MAC\BSS\SSID, can cause remote code execution in
> kernel mode.
> 
> In order to exploit this issue, the attacker should send a Probe
> Request packet with an SSID length bigger than 128 bytes (but less than
> 256) when the victim's card is in ADHOC mode.  The attacker need not be
> on the same network nor even know the MAC\BSS\SSID; he can just send
> it broadcast.
> 
> Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the
> latest driver version.

(Archived at
<http://archives.neohapsis.com/archives/bugtraq/2009-01/0167.html>.)

No CVE number appears to have been assigned to this yet.

Ralink's Linux drivers are based on their Windows drivers and the
following code in PeerProbeReqSanity() in the source file sanity.c
appears to have exactly this flaw:

    /* Octet[1] is a signed char compared against an int constant */
    if ((pFrame->Octet[0] != IE_SSID) || (pFrame->Octet[1] > MAX_LEN_OF_SSID))
    {
        DBGPRINT(RT_DEBUG_TRACE, "PeerProbeReqSanity fail - wrong SSID IE(Type=%d,Len=%d)\n", pFrame->Octet[0], pFrame->Octet[1]);
        return FALSE;
    }

    /* the length is then used as an unsigned count for the copy */
    *pSsidLen = pFrame->Octet[1];
    memcpy(Ssid, &pFrame->Octet[2], *pSsidLen);

pFrame->Octet is an array of signed char and MAX_LEN_OF_SSID expands
to a decimal literal which will have type int.  Therefore unsigned
values in the range [128, 255] will be treated as values in the range
[-128, -1] and will pass the test.

Similar code exists in the rt2400, rt2500, rt2570, rt61 and rt2860
drivers.

Ben.



--- End Message ---
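As an added illustration (not code from the bug report or from the Ralink driver), a small C model of the check Ben quotes, beside a version that compares the length byte as unsigned. The value of MAX_LEN_OF_SSID (32) is assumed, since the report does not quote it, and struct frame and check_len are stand-ins of mine.

```c
#include <stdio.h>
#include <string.h>

#define IE_SSID          0   /* 802.11 element ID for SSID */
#define MAX_LEN_OF_SSID  32  /* assumed value; the report does not quote it */

/* Stand-in for the driver's frame buffer. Octet is explicitly signed char,
 * the property the report identifies as the root cause. */
struct frame {
    signed char Octet[256];
};

/* Mirrors the quoted check: the signed char is promoted to int, so length
 * bytes 0x80..0xFF read as -128..-1 and never exceed MAX_LEN_OF_SSID.
 * Returns the byte count the driver would hand to memcpy, or -1 if rejected. */
static int vulnerable_ssid_len(const struct frame *f)
{
    if ((f->Octet[0] != IE_SSID) || (f->Octet[1] > MAX_LEN_OF_SSID))
        return -1;
    unsigned char len = f->Octet[1];   /* as the driver's UCHAR *pSsidLen: -56 becomes 200 */
    return len;
}

/* Corrected check: interpret both bytes as unsigned before comparing, so a
 * length of 200 is rejected and the copy can never exceed the SSID buffer. */
static int hardened_ssid_len(const struct frame *f)
{
    unsigned char ie  = (unsigned char)f->Octet[0];
    unsigned char len = (unsigned char)f->Octet[1];
    if (ie != IE_SSID || len > MAX_LEN_OF_SSID)
        return -1;
    return len;
}

/* Build a constructed probe-request SSID IE with the given length byte and
 * run it through either check (hardened != 0 selects the corrected one). */
int check_len(unsigned char ssid_len, int hardened)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.Octet[0] = IE_SSID;
    f.Octet[1] = (signed char)ssid_len;
    return hardened ? hardened_ssid_len(&f) : vulnerable_ssid_len(&f);
}

int main(void)
{
    unsigned char lens[] = { 8, 33, 200 };
    for (size_t i = 0; i < sizeof lens; i++)
        printf("len=%3u  vulnerable->%4d  hardened->%4d\n",
               lens[i], check_len(lens[i], 0), check_len(lens[i], 1));
    return 0;
}
```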
--- Begin Message ---
Source: rt2500
Source-Version: 1:1.1.0-b4+cvs20080623-3

We believe that the bug you reported is fixed in the latest version of
rt2500, which is due to be installed in the Debian FTP archive:

rt2500-source_1.1.0-b4+cvs20080623-3_all.deb
  to pool/main/r/rt2500/rt2500-source_1.1.0-b4+cvs20080623-3_all.deb
rt2500_1.1.0-b4+cvs20080623-3.diff.gz
  to pool/main/r/rt2500/rt2500_1.1.0-b4+cvs20080623-3.diff.gz
rt2500_1.1.0-b4+cvs20080623-3.dsc
  to pool/main/r/rt2500/rt2500_1.1.0-b4+cvs20080623-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <b...@decadent.org.uk> (supplier of updated rt2500 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 28 Jan 2009 00:33:41 +0000
Source: rt2500
Binary: rt2500-source
Architecture: source all
Version: 1:1.1.0-b4+cvs20080623-3
Distribution: unstable
Urgency: high
Maintainer: Debian Ralink packages maintainers <pkg-ralink-maintain...@lists.alioth.debian.org>
Changed-By: Ben Hutchings <b...@decadent.org.uk>
Description: 
 rt2500-source - source for rt2500 wireless network driver
Closes: 513000
Changes: 
 rt2500 (1:1.1.0-b4+cvs20080623-3) unstable; urgency=high
 .
   * Fixed buffer overflow vulnerability in processing of ad-hoc probe
     requests (CVE-2009-0282) (closes: bug#513000)




--- End Message ---