Bug 577654
| Summary: | Remote buffer overflow in aircrack-ng causes DOS and possible code execution | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Lukas Lueg <knabberknusperhaus> | ||||
| Component: | aircrack-ng | Assignee: | Till Maas <opensource> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 12 | CC: | huzaifas, opensource | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2010-12-03 16:38:56 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 582417 | ||||||
| Attachments: |
|
||||||
|
Description
Lukas Lueg
2010-03-28 16:53:25 UTC
aircrack-ng-1.0-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/aircrack-ng-1.0-2.fc13 aircrack-ng-1.0-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/aircrack-ng-1.0-2.fc11 aircrack-ng-1.0-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/aircrack-ng-1.0-2.fc12 This update does *NOT* fix the vulnerability, upstream screwed up on this one... * The code checks if the self-proclaimed size of the packet is larger than the real packet size. If the packet is larger than 256 bytes AND correctly tells about that, the heap will still be overwritten... * The self-proclaimed size of the packet is compared to uninitialized data, resulting in random results * They forgot to patch airbase-ng.c I reported this upstream: http://trac.aircrack-ng.org/ticket/728 (In reply to comment #4) > This update does *NOT* fix the vulnerability, upstream screwed up on this > one... > > * The code checks if the self-proclaimed size of the packet is larger than the > real packet size. If the packet is larger than 256 bytes AND correctly tells > about that, the heap will still be overwritten... > * The self-proclaimed size of the packet is compared to uninitialized data, > resulting in random results > * They forgot to patch airbase-ng.c They claim to have the bug fixed in aircrack-ng-1.1. Do you agree? Reference: http://trac.aircrack-ng.org/ticket/728#comment:2 My comments are always rejected as spam by Akismet :-) """ I've only checked airodump-ng and as far as I can see the fix is incorrect as the field "pkh.len" is uninitialized. It just happens to contain a value that prevents the bug from getting triggered - this is left to a random value on the stack however. It should read "caplen" instead of "pkh.len". Why don't you just compare the promoted size of the EAPOL-frame to "sizeof(wpa.eapol_frame)" ? """ (In reply to comment #7) > My comments are always rejected as spam by Akismet :-) Sorry, I thought I already forwared this to upstream, but it seems I somehow screw up. I did this now: http://trac.aircrack-ng.org/ticket/728#comment:3 This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. |