Red Hat Bugzilla – Bug 292991
CVE-2007-6025 Stack overflow when handling TSF from the driver
Last modified: 2007-11-20 03:17:32 EST
Description of problem:
Kees Cook reported this to the Debian BTS:
There is a stack overflow in wpa_supplicant when handling TSF info from
drivers that support it. Patch attached.
Created attachment 197231 [details]
The proposed Debian patch
I do not believe that any version of Fedora or RHEL is vulnerable due to this
problem, because we do not ship a version of wpa_supplicant that is new enough
to have TSF-related code. I have quickly checked all other instances of
hexstr2bin and they all appear to be correctly determining the length of the
We ship wpa_supplicant 0.5.7 in F-7 and rawhide, 0.4.9 in FC-6, and no version
greater than 0.5.7 in RHEL. Shall I mark as NOTABUG?