Your message dated Wed, 28 Jan 2009 00:32:10 +0000
with message-id <e1lryli-0008es...@ries.debian.org>
and subject line Bug#512999: fixed in rt2400 1.2.2+cvs20080623-3
has caused the Debian Bug report #512999,
regarding Possible security flaw in ad-hoc probe request processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
512999: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512999
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rt73
Severity: critical
Tags: security, upstream

"Aviv" <spring...@gmail.com> wrote on Bugtraq:
> Some Ralinktech wireless card drivers suffer from an integer
> overflow. Sending a malformed 802.11 Probe Request packet, with no
> care about the victim's MAC\BSS\SSID, can cause remote code execution in
> kernel mode.
> 
> In order to exploit this issue, the attacker should send a Probe
> Request packet with an SSID length bigger than 128 bytes (but less than
> 256) when the victim's card is in ADHOC mode.  The attacker doesn't need
> to be on the same network nor even know the MAC\BSS\SSID; he can just
> send it broadcast.
> 
> Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the
> latest driver version.

(Archived at
<http://archives.neohapsis.com/archives/bugtraq/2009-01/0167.html>.)

No CVE number appears to have been assigned to this yet.

Ralink's Linux drivers are based on their Windows drivers and the
following code in PeerProbeReqSanity() in the source file sanity.c
appears to have exactly this flaw:

    /* Octet[1] is a signed char, so a length byte >= 128 compares as negative */
    if ((pFrame->Octet[0] != IE_SSID) || (pFrame->Octet[1] > MAX_LEN_OF_SSID))
    {
        DBGPRINT(RT_DEBUG_TRACE, "PeerProbeReqSanity fail - wrong SSID IE(Type=%d,Len=%d)\n",
                 pFrame->Octet[0], pFrame->Octet[1]);
        return FALSE;
    }

    *pSsidLen = pFrame->Octet[1];
    memcpy(Ssid, &pFrame->Octet[2], *pSsidLen);

pFrame->Octet is an array of signed char and MAX_LEN_OF_SSID expands
to a decimal literal which will have type int.  Therefore unsigned
values in the range [128, 255] will be treated as values in the range
[-128, -1] and will pass the test.

Similar code exists in the rt2400, rt2500, rt2570, rt61 and rt2860
drivers.

Ben.



--- End Message ---
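The signed-char comparison Ben describes, shown side by side with a hardened check, as an added example that is not code from the driver or from the bug report. It assumes MAX_LEN_OF_SSID is 32 (the 802.11 maximum; the report only says it is an int literal) and uses a constructed SSID information element rather than a real frame.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Driver constants; 32 for MAX_LEN_OF_SSID (the 802.11 maximum) is assumed,
 * the report only says it expands to an int literal. */
#define IE_SSID         0
#define MAX_LEN_OF_SSID 32
struct probe_req { signed char Octet[256]; };   /* signed, as in the driver */

/* Check as in PeerProbeReqSanity(): Octet[1] is promoted to int before the
 * compare, so length bytes 0x80..0xFF become -128..-1 and slip through. */
static bool ssid_check_flawed(const struct probe_req *f, unsigned char *len)
{
    if (f->Octet[0] != IE_SSID || f->Octet[1] > MAX_LEN_OF_SSID)
        return false;
    *len = f->Octet[1];        /* UCHAR *pSsidLen: -56 becomes 200 again */
    return true;
}

/* Hardened check: take the length byte as unsigned before comparing. */
static bool ssid_check_fixed(const struct probe_req *f, unsigned char *len)
{
    unsigned char n = (unsigned char)f->Octet[1];
    if ((unsigned char)f->Octet[0] != IE_SSID || n > MAX_LEN_OF_SSID)
        return false;
    *len = n;
    return true;
}

/* Bytes memcpy() would write into Ssid[MAX_LEN_OF_SSID] for a constructed
 * SSID IE whose length byte is ie_len; 0 when the check rejects it. */
static unsigned copy_len(bool (*check)(const struct probe_req *, unsigned char *),
                         unsigned char ie_len)
{
    struct probe_req f;
    unsigned char n = 0;
    memset(&f, 'A', sizeof f);          /* constructed filler, not a real frame */
    f.Octet[0] = IE_SSID;
    f.Octet[1] = (signed char)ie_len;   /* 200 is stored as -56 */
    return check(&f, &n) ? n : 0;
}

int main(void)
{
    printf("length byte 200: flawed copies %u, fixed copies %u (buffer %d)\n",
           copy_len(ssid_check_flawed, 200), copy_len(ssid_check_fixed, 200),
           MAX_LEN_OF_SSID);
    return 0;
}
```

Lengths 33..127 are still rejected by the flawed check; only 128..255 pass, which matches the range the Bugtraq post names.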
--- Begin Message ---
Source: rt2400
Source-Version: 1.2.2+cvs20080623-3

We believe that the bug you reported is fixed in the latest version of
rt2400, which is due to be installed in the Debian FTP archive:

rt2400-source_1.2.2+cvs20080623-3_all.deb
  to pool/main/r/rt2400/rt2400-source_1.2.2+cvs20080623-3_all.deb
rt2400_1.2.2+cvs20080623-3.diff.gz
  to pool/main/r/rt2400/rt2400_1.2.2+cvs20080623-3.diff.gz
rt2400_1.2.2+cvs20080623-3.dsc
  to pool/main/r/rt2400/rt2400_1.2.2+cvs20080623-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <b...@decadent.org.uk> (supplier of updated rt2400 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Wed, 28 Jan 2009 00:23:31 +0000
Source: rt2400
Binary: rt2400-source
Architecture: source all
Version: 1.2.2+cvs20080623-3
Distribution: unstable
Urgency: high
Maintainer: Debian Ralink packages maintainers <pkg-ralink-maintain...@lists.alioth.debian.org>
Changed-By: Ben Hutchings <b...@decadent.org.uk>
Description: 
 rt2400-source - source for rt2400 wireless network driver
Closes: 512999
Changes: 
 rt2400 (1.2.2+cvs20080623-3) unstable; urgency=high
 .
   * Fixed buffer overflow vulnerability in processing of ad-hoc probe
     requests (CVE-2009-0282) (closes: bug#512999)




--- End Message ---
