Bug 242455 - (CVE-2007-2874) CVE-2007-2874 wpa_supplicant segfault during WPA2 association
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: wpa_supplicant (Show other bugs)
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Assigned To: Dan Williams
Keywords: Security
Reported: 2007-06-04 08:16 EDT by Jon Escombe
Modified: 2007-11-30 17:12 EST (History)

Fixed In Version: 0.5.7-3
Doc Type: Bug Fix
Last Closed: 2007-10-09 17:37:43 EDT


Attachments: None
Description Jon Escombe 2007-06-04 08:16:10 EDT
Description of problem:
Buffer overflow in wpa_supplicant-0.5.7-use-syslog.patch
during WPA2 association. 

Version-Release number of selected component (if applicable):
wpa_supplicant-0.5.7-2.fc7

How reproducible:
Attempt to connect to WPA2 network using NM (or driving wpa_supplicant manually
from the control interface). wpa_supplicant will segfault as it tries to dump a
large RX_EAPOL frame.

More detail and a patch here:
http://mail.gnome.org/archives/networkmanager-list/2007-June/msg00014.html

Have assigned severity to urgent as process is running as root and potentially
exploitable.
Comment 1 drago01 2007-06-04 09:53:42 EDT
I have the exact same problem when I try to connect to a dynamic wep network.
Comment 2 Mark J. Cox (Product Security) 2007-06-04 15:28:07 EDT
CVE-2007-2874 
Comment 3 Christopher Aillon 2007-06-04 15:34:10 EDT
Dan says he'll get this fixed tonight.  The patch supplied while it fixes this
one case is not correct (as the author mentioned) since it only increases the
buffer size.
Comment 4 Dan Williams 2007-06-04 16:06:21 EDT
Fix in progress; using vsnprintf/snprintf is a better fix than just increasing
the buffer size.
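The two patterns contrasted in comment 4, as an added illustration that is not the Fedora patch, the use-syslog patch, or wpa_supplicant's own code: a fixed log buffer written with an unbounded vsprintf() (the bug class) beside the vsnprintf()/snprintf() form that bounds every write, applied to the hex dump of a frame larger than the buffer. The 128-byte buffer size, the function names and the constructed 1024-byte frame are assumptions of this example, not values from the bug.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: a 128-byte log buffer. The size used by the
 * Fedora use-syslog patch is not stated on the bug page. */
#define LOG_BUF_LEN 128

/* The bug class, for comparison only: a fixed buffer plus an unbounded
 * vsprintf(), so a long message (e.g. the hex dump of a large EAPOL frame)
 * writes past the end of buf. Not called here; it would corrupt the stack. */
void log_fmt_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap); /* no length argument */
    va_end(ap);
}

/* Hardened form: vsnprintf() with the buffer length. Returns how many
 * characters did not fit (0 when the whole message fit), so the caller can
 * notice truncation instead of silently losing the tail. */
size_t log_fmt_bounded(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (buflen == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    if (n < 0) {             /* encoding error: leave an empty string */
        buf[0] = '\0';
        return 0;
    }
    if ((size_t)n >= buflen) /* vsnprintf reports the length it wanted */
        return (size_t)n - (buflen - 1);
    return 0;
}

/* Render `len` bytes of frame as "xx xx ..." into buf without ever writing
 * past buflen. Each snprintf() gets only the remaining space and the loop
 * stops before a byte that would not fit, so an oversized RX_EAPOL frame
 * merely truncates the dump. Returns the number of frame bytes rendered. */
size_t hexdump_bounded(char *buf, size_t buflen,
                       const unsigned char *frame, size_t len)
{
    size_t pos = 0, i;
    if (buflen == 0)
        return 0;
    buf[0] = '\0';
    for (i = 0; i < len; i++) {
        int n;
        if (buflen - pos < 4)  /* "xx " plus the terminating NUL */
            break;
        n = snprintf(buf + pos, buflen - pos, "%02x ", frame[i]);
        if (n < 0 || (size_t)n >= buflen - pos)
            break;
        pos += (size_t)n;
    }
    return i;
}

/* Constructed input: a 1024-byte frame, far larger than the log buffer,
 * standing in for the large RX_EAPOL frame from the report. */
static void make_big_frame(unsigned char *frame, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        frame[i] = (unsigned char)(i & 0xff);
}

/* Frame bytes rendered before the 128-byte buffer runs out: 42, since
 * 42 * 3 = 126 characters plus the NUL leave no room for a 43rd "xx ". */
size_t demo_dump_count(void)
{
    unsigned char frame[1024];
    char buf[LOG_BUF_LEN];
    make_big_frame(frame, sizeof frame);
    return hexdump_bounded(buf, sizeof buf, frame, sizeof frame);
}

/* Characters dropped when a 200-character message meets the 128-byte
 * buffer: 200 - 127 = 73. */
size_t demo_fmt_dropped(void)
{
    char msg[201];
    char buf[LOG_BUF_LEN];
    memset(msg, 'A', 200);
    msg[200] = '\0';
    return log_fmt_bounded(buf, sizeof buf, "%s", msg);
}
```

The point of returning the truncation count rather than just clamping is the one Christopher Aillon raises above: enlarging the buffer only moves the crash to a bigger frame, whereas passing the real remaining length to every snprintf() makes the worst case a shorter log line.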
Comment 5 Christopher Aillon 2007-06-04 16:17:30 EDT
Btw, Dan: If it'll help, I can do the fedora updates stuff after you provide
builds.  I've already got tons of experience using the tool (yay firefox updates).
Comment 6 Christopher Aillon 2007-06-04 22:23:47 EDT
Updates should have been pushed out, though the mirrors may take some time to
catch up.
Comment 7 Roland Wolters 2007-06-05 10:10:48 EDT
It fixes my bug where I had regular crashes as well: bug 241777. Thanks for 
that!
Comment 8 Dan Williams 2007-10-09 17:37:43 EDT
should be closed; the update has long been available
