Bug 242455 (CVE-2007-2874) - CVE-2007-2874 wpa_supplicant segfault during WPA2 association
Summary: CVE-2007-2874 wpa_supplicant segfault during WPA2 association
Status: CLOSED CURRENTRELEASE
Alias: CVE-2007-2874
Product: Fedora
Classification: Fedora
Component: wpa_supplicant
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Target Milestone: ---
Assignee: Dan Williams
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2007-06-04 12:16 UTC by Jon Escombe
Modified: 2007-11-30 22:12 UTC
CC List: 5 users

Fixed In Version: 0.5.7-3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-09 21:37:43 UTC
Type: ---
Regression: ---


Description Jon Escombe 2007-06-04 12:16:10 UTC
Description of problem:
Buffer overflow in wpa_supplicant-0.5.7-use-syslog.patch
during WPA2 association. 

Version-Release number of selected component (if applicable):
wpa_supplicant-0.5.7-2.fc7

How reproducible:
Attempt to connect to a WPA2 network using NM (or drive wpa_supplicant manually
from the control interface). wpa_supplicant will segfault as it tries to dump a
large RX_EAPOL frame.

More detail and a patch here:
http://mail.gnome.org/archives/networkmanager-list/2007-June/msg00014.html

Have set severity to urgent, as the process is running as root and is potentially
exploitable.

Comment 1 drago01 2007-06-04 13:53:42 UTC
I have the exact same problem when I try to connect to a dynamic WEP network.

Comment 2 Mark J. Cox 2007-06-04 19:28:07 UTC
CVE-2007-2874 

Comment 3 Christopher Aillon 2007-06-04 19:34:10 UTC
Dan says he'll get this fixed tonight.  The patch supplied while it fixes this
one case is not correct (as the author mentioned) since it only increases the
buffer size.

Comment 4 Dan Williams 2007-06-04 20:06:21 UTC
Fix in progress; using vsnprintf/snprintf is a better fix than just increasing
the buffer size.

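The two shapes discussed in the report and in Comment 4, side by side, as an added illustration of the bug class and of the fix class. This is not the code from wpa_supplicant-0.5.7-use-syslog.patch or from the Fedora fix; the buffer size LOG_LINE_MAX, the function names, the canary struct and the 1024-byte "EAPOL-Key" frame are all hypothetical or constructed here. The unbounded routine writes however many bytes the frame needs into whatever buffer it is handed, which is how a large RX frame dumped for logging becomes an overwrite; the bounded one formats with snprintf against the space actually left and, because snprintf returns the length it wanted to write rather than what it wrote, stops on truncation instead of advancing past the end of the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical fixed-size log line; stands in for the kind of buffer a
 * syslog shim formats a frame dump into before handing it to syslog(3). */
#define LOG_LINE_MAX 256

/* A dumped byte renders as "xx " (3 chars); add one for the NUL. */
size_t hexdump_needed(size_t len)
{
    return 3 * len + 1;
}

/* Vulnerable shape: sprintf with no bound. The caller must guarantee that
 * hexdump_needed(len) fits in 'line'; nothing here stops the write when a
 * frame is longer than the buffer. Only ever call it with frames that fit. */
size_t hexdump_unbounded(char *line, const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    for (size_t i = 0; i < len; i++)
        pos += (size_t)sprintf(line + pos, "%02x ", buf[i]);
    return pos;
}

/* Hardened shape: snprintf bounded by the space actually left. A return
 * value >= remaining means truncation; stop there rather than adding it to
 * pos (the classic follow-on bug). Always leaves 'line' NUL-terminated.
 * Returns 1 if the whole frame fit, 0 if the dump was truncated. */
int hexdump_bounded(char *line, size_t line_sz, const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    if (line_sz == 0)
        return 0;
    line[0] = '\0';
    for (size_t i = 0; i < len; i++) {
        size_t remaining = line_sz - pos;
        int n = snprintf(line + pos, remaining, "%02x ", buf[i]);
        if (n < 0 || (size_t)n >= remaining) {
            line[pos] = '\0';   /* drop the partial token, keep the line terminated */
            return 0;
        }
        pos += (size_t)n;
    }
    return 1;
}

/* Constructed sample, not a capture: an 802.1X header (version 2, type 3 =
 * EAPOL-Key, big-endian body length) followed by filler bytes. */
void make_sample_frame(uint8_t *frame, size_t len)
{
    frame[0] = 0x02;
    frame[1] = 0x03;
    frame[2] = (uint8_t)((len - 4) >> 8);
    frame[3] = (uint8_t)((len - 4) & 0xff);
    for (size_t i = 4; i < len; i++)
        frame[i] = (uint8_t)(i & 0xff);
}

/* Line buffer followed by a canary; an unbounded write would clobber it. */
struct guarded_line {
    char line[LOG_LINE_MAX];
    uint32_t canary;
};

/* Dump a 1024-byte frame into LOG_LINE_MAX bytes with the bounded routine.
 * Returns 1 when the dump was truncated, stayed NUL-terminated, ended on a
 * whole token, and the canary survived; 0 otherwise. */
int check_bounded_large_frame(void)
{
    uint8_t frame[1024];
    struct guarded_line g;
    make_sample_frame(frame, sizeof frame);
    g.canary = 0xdeadbeefu;
    int fit = hexdump_bounded(g.line, sizeof g.line, frame, sizeof frame);
    return fit == 0 && strlen(g.line) < sizeof g.line
        && strlen(g.line) % 3 == 0 && g.canary == 0xdeadbeefu;
}

/* A short frame fits in either routine; the output must then be identical. */
int check_small_frame_matches(void)
{
    const uint8_t frame[] = { 0x02, 0x03, 0x00, 0x5f };
    char a[LOG_LINE_MAX], b[LOG_LINE_MAX];
    hexdump_unbounded(a, frame, sizeof frame);   /* safe: only 13 bytes needed */
    int fit = hexdump_bounded(b, sizeof b, frame, sizeof frame);
    return fit == 1 && strcmp(a, b) == 0 && strcmp(a, "02 03 00 5f ") == 0;
}

int main(void)
{
    printf("1024-byte frame needs %zu bytes of text; LOG_LINE_MAX is %d\n",
           hexdump_needed(1024), LOG_LINE_MAX);
    printf("bounded dump of large frame: %s\n",
           check_bounded_large_frame() ? "truncated, canary intact" : "FAILED");
    printf("small frame, both routines agree: %s\n",
           check_small_frame_matches() ? "yes" : "no");
    return 0;
}
```

The point Comment 3 makes applies here too: raising LOG_LINE_MAX only moves the threshold at which hexdump_unbounded overruns, since the frame length is chosen by the peer; the bounded routine is correct for any buffer size, and a truncated dump is a logging defect rather than a memory-safety one.
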
Comment 5 Christopher Aillon 2007-06-04 20:17:30 UTC
Btw, Dan: If it'll help, I can do the fedora updates stuff after you provide
builds.  I've already got tons of experience using the tool (yay firefox updates).

Comment 6 Christopher Aillon 2007-06-05 02:23:47 UTC
Updates should have been pushed out, though the mirrors may take some time to
catch up.

Comment 7 Roland Wolters 2007-06-05 14:10:48 UTC
It fixes my bug where I had regular crashes as well: bug 241777. Thanks for that!

Comment 8 Dan Williams 2007-10-09 21:37:43 UTC
should be closed; update is long available