Your message dated Wed, 28 Jan 2009 01:17:06 +0000
with message-id <e1lrz3c-0002wx...@ries.debian.org>
and subject line Bug#512995: fixed in rt73 1:1.0.3.6-cvs20080623-dfsg1-3
has caused the Debian Bug report #512995,
regarding Possible security flaw in ad-hoc probe request processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
512995: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512995
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rt73
Severity: critical
Tags: security, upstream

"Aviv" <spring...@gmail.com> wrote on Bugtraq:
> Some Ralinktech wireless card drivers suffer from an integer
> overflow. Sending a malformed 802.11 Probe Request packet, with no
> care about the victim's MAC\BSS\SSID, can cause remote code execution in
> kernel mode.
> 
> In order to exploit this issue, the attacker should send a Probe
> Request packet with SSID length bigger than 128 bytes (but less than
> 256) when the victim's card is in ADHOC mode.  The attacker shouldn't be
> on the same network nor even know the MAC\BSS\SSID; he can just send
> it broadcast.
> 
> Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the
> latest driver version.

(Archived at
<http://archives.neohapsis.com/archives/bugtraq/2009-01/0167.html>.)

No CVE number appears to have been assigned to this yet.

Ralink's Linux drivers are based on their Windows drivers and the
following code in PeerProbeReqSanity() in the source file sanity.c
appears to have exactly this flaw:

    if ((pFrame->Octet[0] != IE_SSID) || (pFrame->Octet[1] > MAX_LEN_OF_SSID))
    {
        DBGPRINT(RT_DEBUG_TRACE, "PeerProbeReqSanity fail - wrong SSID IE(Type=%d,Len=%d)\n",pFrame->Octet[0],pFrame->Octet[1]);
        return FALSE;
    }

    *pSsidLen = pFrame->Octet[1];
    memcpy(Ssid, &pFrame->Octet[2], *pSsidLen);

pFrame->Octet is an array of signed char and MAX_LEN_OF_SSID expands
to a decimal literal which will have type int.  Therefore unsigned
values in the range [128, 255] will be treated as values in the range
[-128, -1] and will pass the test.

Similar code exists in the rt2400, rt2500, rt2570, rt61 and rt2860
drivers.

Ben.



--- End Message ---
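
The signed comparison described in the report above, next to a bounds check that reads the length octet as unsigned. This is an added example, not code from the rt73 driver or from the Debian patch; the function names, the value 32 for MAX_LEN_OF_SSID (the 802.11 SSID maximum) and the sample elements are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define IE_SSID          0   /* 802.11 element ID of the SSID element */
#define MAX_LEN_OF_SSID  32  /* assumed value: the 802.11 SSID maximum */

/* The reported comparison, with the octets explicitly typed signed char
 * so the result does not depend on the platform's plain-char signedness.
 * Returns 1 when the element passes the sanity test. */
int sanity_signed(const signed char *octet)
{
    if ((octet[0] != IE_SSID) || (octet[1] > MAX_LEN_OF_SSID))
        return 0;
    return 1;
}

/* Hardened form (hypothetical helper): read the octets as unsigned and
 * bound the length by the SSID limit, the destination size and the bytes
 * actually present. Returns the length copied, or -1 if rejected. */
int copy_ssid_checked(const unsigned char *octet, size_t avail,
                      unsigned char *ssid, size_t ssid_size)
{
    size_t len;

    if (avail < 2 || octet[0] != IE_SSID)
        return -1;
    len = octet[1];                       /* 0..255, never negative */
    if (len > MAX_LEN_OF_SSID || len > ssid_size || len > avail - 2)
        return -1;
    memcpy(ssid, &octet[2], len);
    return (int)len;
}

/* Constructed element: ID 0, length octet 0xC8 (200), zero-filled body.
 * As a signed char the length octet reads as -56, which is not > 32. */
int demo_signed_accepts_200(void)
{
    unsigned char ie[2 + 200] = { IE_SSID, 200 };
    return sanity_signed((const signed char *)ie);
}

int demo_checked_rejects_200(void)
{
    unsigned char ie[2 + 200] = { IE_SSID, 200 };
    unsigned char ssid[MAX_LEN_OF_SSID];
    return copy_ssid_checked(ie, sizeof ie, ssid, sizeof ssid);
}
```
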
--- Begin Message ---
Source: rt73
Source-Version: 1:1.0.3.6-cvs20080623-dfsg1-3

We believe that the bug you reported is fixed in the latest version of
rt73, which is due to be installed in the Debian FTP archive:

rt73-common_1.0.3.6-cvs20080623-dfsg1-3_all.deb
  to pool/contrib/r/rt73/rt73-common_1.0.3.6-cvs20080623-dfsg1-3_all.deb
rt73-source_1.0.3.6-cvs20080623-dfsg1-3_all.deb
  to pool/contrib/r/rt73/rt73-source_1.0.3.6-cvs20080623-dfsg1-3_all.deb
rt73_1.0.3.6-cvs20080623-dfsg1-3.diff.gz
  to pool/contrib/r/rt73/rt73_1.0.3.6-cvs20080623-dfsg1-3.diff.gz
rt73_1.0.3.6-cvs20080623-dfsg1-3.dsc
  to pool/contrib/r/rt73/rt73_1.0.3.6-cvs20080623-dfsg1-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <b...@decadent.org.uk> (supplier of updated rt73 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 28 Jan 2009 00:53:13 +0000
Source: rt73
Binary: rt73-source rt73-common
Architecture: source all
Version: 1:1.0.3.6-cvs20080623-dfsg1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Ralink packages maintainers <pkg-ralink-maintain...@lists.alioth.debian.org>
Changed-By: Ben Hutchings <b...@decadent.org.uk>
Description: 
 rt73-common - RT73(RT2571W) Wireless Lan Linux Driver - common files
 rt73-source - RT73(RT2571W) Wireless Lan Linux Driver - kernel module sources
Closes: 512995
Changes: 
 rt73 (1:1.0.3.6-cvs20080623-dfsg1-3) unstable; urgency=high
 .
   * Fixed buffer overflow vulnerability in processing of ad-hoc probe
     requests (CVE-2009-0282) (closes: bug#512995)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJf7Da79ZNCRIGYgcRAqF2AJ9D1pffLrTOKSiTgN5NzlghKK21GwCgulBS
vy2saCBw4VoV1QMBMJZQ6EM=
=8y0I
-----END PGP SIGNATURE-----



--- End Message ---
