Bug 292991 (CVE-2007-6025) - CVE-2007-6025 Stack overflow when handling TSF from the driver
Summary: CVE-2007-6025 Stack overflow when handling TSF from the driver
Alias: CVE-2007-6025
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.debian.org/cgi-bin/bugrep...
Depends On: 293001 293011
TreeView+ depends on / blocked
Reported: 2007-09-17 10:03 UTC by Lubomir Kundrak
Modified: 2021-11-12 19:46 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-09-17 14:27:35 UTC

Attachments (Terms of Use)
The proposed Debian patch (731 bytes, application/octet-stream)
2007-09-17 10:03 UTC, Lubomir Kundrak
no flags Details

Description Lubomir Kundrak 2007-09-17 10:03:51 UTC
Description of problem:

Kees Cook reported this to the Debian BTS:
There is a stack overflow in wpa_supplicant when handling TSF info from
drivers that support it.  Patch attached.

Comment 1 Lubomir Kundrak 2007-09-17 10:03:51 UTC
Created attachment 197231 [details]
The proposed Debian patch

Comment 4 Dan Williams 2007-09-17 14:27:35 UTC
I do not believe that any version of Fedora or RHEL is vulnerable due to this
problem, because we do not ship a version of wpa_supplicant that is new enough
to have TSF-related code.  I have quickly checked all other instances of
hexstr2bin and they all appear to be correctly determining the length of the
returned buffer. 

We ship wpa_supplicant 0.5.7 in F-7 and rawhide, 0.4.9 in FC-6, and no version
greater than 0.5.7 in RHEL.  Shall I mark as NOTABUG?

Note You need to log in before you can comment on or make changes to this bug.