Your message dated Wed, 28 Jan 2009 00:47:06 +0000
with message-id <e1lryaa-0000ee...@ries.debian.org>
and subject line Bug#513001: fixed in rt2570 1.1.0+cvs20080623-2
has caused the Debian Bug report #513001,
regarding Possible security flaw in ad-hoc probe request processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
513001: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513001
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rt73
Severity: critical
Tags: security, upstream

"Aviv" <spring...@gmail.com> wrote on Bugtraq:
> Some Ralinktech wireless card drivers suffer from an integer
> overflow. By sending a malformed 802.11 Probe Request packet, with no
> care about the victim's MAC\BSS\SSID, one can cause remote code execution in
> kernel mode.
> 
> In order to exploit this issue, the attacker should send a Probe
> Request packet with an SSID length bigger than 128 bytes (but less than
> 256) when the victim's card is in ADHOC mode.  The attacker needn't be
> on the same network nor even know the MAC\BSS\SSID; he can just send
> it broadcast.
> 
> Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the
> latest driver version.

(Archived at
<http://archives.neohapsis.com/archives/bugtraq/2009-01/0167.html>.)

No CVE number appears to have been assigned to this yet.

Ralink's Linux drivers are based on their Windows drivers and the
following code in PeerProbeReqSanity() in the source file sanity.c
appears to have exactly this flaw:

    if ((pFrame->Octet[0] != IE_SSID) || (pFrame->Octet[1] > MAX_LEN_OF_SSID))
    {
        DBGPRINT(RT_DEBUG_TRACE, "PeerProbeReqSanity fail - wrong SSID IE(Type=%d,Len=%d)\n",pFrame->Octet[0],pFrame->Octet[1]);
        return FALSE;
    }

    *pSsidLen = pFrame->Octet[1];
    memcpy(Ssid, &pFrame->Octet[2], *pSsidLen);

pFrame->Octet is an array of signed char and MAX_LEN_OF_SSID expands
to a decimal literal which will have type int.  Therefore unsigned
values in the range [128, 255] will be treated as values in the range
[-128, -1] and will pass the test.

Similar code exists in the rt2400, rt2500, rt2570, rt61 and rt2860
drivers.

Ben.



--- End Message ---
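The signed-char comparison described in the report above, as an added example that is not part of the bug report or of the Ralink driver source. It models the length check in PeerProbeReqSanity() beside a hardened version and shows how many bytes each would let the subsequent memcpy() copy. Assumptions: IE_SSID is 0 (the 802.11 SSID element ID), MAX_LEN_OF_SSID is 32, the Ssid destination buffer is MAX_LEN_OF_SSID bytes and *pSsidLen is an unsigned char; the probe request frames are constructed in the code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed values: 0 is the 802.11 SSID element ID; 32 is the largest
 * legal SSID and is assumed to be what the driver uses for MAX_LEN_OF_SSID. */
#define IE_SSID          0
#define MAX_LEN_OF_SSID  32

/* Minimal model of the driver's frame: Octet[0] = element ID,
 * Octet[1] = element length, Octet[2..] = SSID bytes.  The type is
 * spelled "signed char" on purpose: plain char is unsigned on some
 * ABIs (e.g. ARM), which would hide the bug. */
struct probe_req {
    signed char Octet[2 + 255];
};

/* Constructed input: a probe request whose SSID IE claims ssid_len bytes. */
static void build_probe_req(struct probe_req *f, unsigned int ssid_len)
{
    unsigned char raw_len = (unsigned char)ssid_len;

    memset(f, 0, sizeof *f);
    f->Octet[0] = IE_SSID;
    memcpy(&f->Octet[1], &raw_len, 1);     /* store the wire byte as-is */
    memset(&f->Octet[2], 'A', raw_len);
}

/* Same test as the vulnerable PeerProbeReqSanity(): Octet[1] is a signed
 * char, so the usual arithmetic conversions promote it to int with sign
 * extension.  A wire value of 128..255 is seen as -128..-1, which is never
 * "> MAX_LEN_OF_SSID", and the frame is accepted. */
bool vuln_ssid_len_ok(const struct probe_req *f)
{
    if ((f->Octet[0] != IE_SSID) || (f->Octet[1] > MAX_LEN_OF_SSID))
        return false;
    return true;
}

/* Hardened test: reinterpret the length byte as unsigned before comparing,
 * and also require the IE to fit inside the bytes actually received. */
bool safe_ssid_len_ok(const struct probe_req *f, size_t frame_len)
{
    unsigned char ie_len;

    if (frame_len < 2 || f->Octet[0] != IE_SSID)
        return false;
    ie_len = (unsigned char)f->Octet[1];
    if (ie_len > MAX_LEN_OF_SSID || (size_t)ie_len + 2 > frame_len)
        return false;
    return true;
}

/* Number of bytes the vulnerable path would memcpy() into the assumed
 * 32-byte Ssid buffer (storing the length into an unsigned char turns -56
 * back into 200).  Returns 0 when the sanity check rejects the frame. */
unsigned int vuln_copy_len(unsigned int ssid_len)
{
    struct probe_req f;

    build_probe_req(&f, ssid_len);
    if (!vuln_ssid_len_ok(&f))
        return 0;
    return (unsigned char)f.Octet[1];
}

/* Same, for the hardened check: never more than MAX_LEN_OF_SSID. */
unsigned int safe_copy_len(unsigned int ssid_len)
{
    struct probe_req f;

    build_probe_req(&f, ssid_len);
    if (!safe_ssid_len_ok(&f, sizeof f.Octet))
        return 0;
    return (unsigned char)f.Octet[1];
}

int main(void)
{
    static const unsigned int lens[] = { 32, 33, 127, 128, 200, 255 };
    size_t i;

    printf("ssid_len  vulnerable_copies  hardened_copies\n");
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%8u  %17u  %15u\n", lens[i],
               vuln_copy_len(lens[i]), safe_copy_len(lens[i]));
    return 0;
}
```

Lengths 33..127 are rejected by both checks; 128..255 pass the vulnerable check and would be copied in full into the 32-byte buffer, which is the attacker's window described in the Bugtraq post.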
--- Begin Message ---
Source: rt2570
Source-Version: 1.1.0+cvs20080623-2

We believe that the bug you reported is fixed in the latest version of
rt2570, which is due to be installed in the Debian FTP archive:

rt2570-source_1.1.0+cvs20080623-2_all.deb
  to pool/main/r/rt2570/rt2570-source_1.1.0+cvs20080623-2_all.deb
rt2570_1.1.0+cvs20080623-2.diff.gz
  to pool/main/r/rt2570/rt2570_1.1.0+cvs20080623-2.diff.gz
rt2570_1.1.0+cvs20080623-2.dsc
  to pool/main/r/rt2570/rt2570_1.1.0+cvs20080623-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <b...@decadent.org.uk> (supplier of updated rt2570 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 28 Jan 2009 00:39:19 +0000
Source: rt2570
Binary: rt2570-source
Architecture: source all
Version: 1.1.0+cvs20080623-2
Distribution: unstable
Urgency: high
Maintainer: Debian Ralink packages maintainers 
<pkg-ralink-maintain...@lists.alioth.debian.org>
Changed-By: Ben Hutchings <b...@decadent.org.uk>
Description: 
 rt2570-source - source for rt2570 wireless network driver
Closes: 513001
Changes: 
 rt2570 (1.1.0+cvs20080623-2) unstable; urgency=high
 .
   * Fixed buffer overflow vulnerability in processing of ad-hoc probe
     requests (CVE-2009-0282) (closes: bug#513001)
Checksums-Sha1: 
 1ad25bdcc344367ee7e7b0b1015cd9681eecb901 1375 rt2570_1.1.0+cvs20080623-2.dsc
 982fd2ab765baea0ff2e37068879397f453a800a 7096 rt2570_1.1.0+cvs20080623-2.diff.gz
 6eba4dcbc7de44176a1472f005646bce947bffa8 215138 rt2570-source_1.1.0+cvs20080623-2_all.deb
Checksums-Sha256: 
 662bf6394679b01e78c57d6dd56720a35acc963ef28274fbc97c7cefd649f8b0 1375 rt2570_1.1.0+cvs20080623-2.dsc
 68948496c34274fc9c91ecdb93f65d5be8038dc4d80b94d5aff99363d8a9aa07 7096 rt2570_1.1.0+cvs20080623-2.diff.gz
 e23556e0a0f1bf6c92dc90d9fc5e1340f311c34a59987a24d30243262efb46ca 215138 rt2570-source_1.1.0+cvs20080623-2_all.deb
Files: 
 cfc66fc3734eb2debe7479f7dbeb99eb 1375 net extra rt2570_1.1.0+cvs20080623-2.dsc
 c12bde5100877b021481244740ec24c7 7096 net extra rt2570_1.1.0+cvs20080623-2.diff.gz
 98506ba8b55df03ebbfc0f3b8c3af226 215138 net extra rt2570-source_1.1.0+cvs20080623-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJf6wJ79ZNCRIGYgcRAgQIAJ9V4UlmAUcqCFkHfTtXgooIYqU8nACdH1uy
79aiAEEtQ31b+X8SCVmAdCo=
=0yc8
-----END PGP SIGNATURE-----



--- End Message ---
