
[PATCH] ndiswrapper remote buffer overflows on long ESSIDs

Reported by Anders Kaseorg on 2008-09-29
Affects | Status | Importance | Assigned to | Milestone
ndiswrapper | Fix Released | Undecided | Unassigned |
linux (Ubuntu) | | Low | Ubuntu Kernel Team |
linux-ubuntu-modules-2.6.24 (Ubuntu) | | Low | Ubuntu Kernel Team |
ndiswrapper (Debian) | Fix Released | Unknown | |
ndiswrapper (Gentoo Linux) | Fix Released | High | |

Bug Description

I managed to configure an iMac to export an ad-hoc wireless network with a 32-character ESSID (this seems to be a Mac UI bug). Every time I connected to it using my intrepid amd64 laptop running ndiswrapper, I immediately began seeing kernel oopses, panics, freezes, etc. The same happened with the hardy kernel. I tracked the problem down to a collection of buffer overflows in ndiswrapper on 32-character ESSIDs.

Attached is a patch for the intrepid tree that fixes these issues and allows me to connect without problems.
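
Why a maximum-length ESSID is a boundary case, as an added example that is not the attached patch or ndiswrapper's code: an 802.11 SSID may be up to 32 octets and carries no terminator, so a 32-byte buffer handled as a C string has no room for the NUL. The struct and function names are hypothetical, and that this pattern matches the overflows fixed by the patch is an assumption, since the patch itself is not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SSID_MAX_LEN 32 /* 802.11 SSID: 0..32 octets, no NUL terminator */

/* Hypothetical length-tagged SSID as handed over by a driver or scan result. */
struct ssid_in {
    uint32_t length;             /* claimed length, set by the remote side */
    uint8_t  data[SSID_MAX_LEN];
};
/* Risky pattern: a 32-byte destination treated as a C string. The arena is
 * 33 bytes so the stray write at index 32 lands on a canary, not out of bounds. */
void ssid_copy_risky(uint8_t arena[SSID_MAX_LEN + 1], const struct ssid_in *in)
{
    memcpy(arena, in->data, in->length);
    arena[in->length] = '\0';    /* index 32 when length == 32 */
}

/* Checked form: returns bytes copied, or -1 when the input is rejected. */
int ssid_copy_checked(char *dst, size_t dst_size, const struct ssid_in *in)
{
    if (in->length > SSID_MAX_LEN)           /* out-of-spec length */
        return -1;
    if (dst_size < (size_t)in->length + 1)   /* no room for the terminator */
        return -1;
    memcpy(dst, in->data, in->length);
    dst[in->length] = '\0';
    return (int)in->length;
}

/* Constructed sample: an SSID of `len` bytes, all 'A'. */
struct ssid_in make_ssid(uint32_t len)
{
    struct ssid_in s = { .length = len };
    memset(s.data, 'A', len > SSID_MAX_LEN ? SSID_MAX_LEN : len);
    return s;
}

int main(void)
{
    struct ssid_in full = make_ssid(32);
    uint8_t arena[SSID_MAX_LEN + 1];
    arena[SSID_MAX_LEN] = 0xAA;              /* canary after the 32-byte buffer */
    ssid_copy_risky(arena, &full);
    printf("canary after risky copy: 0x%02x\n", arena[SSID_MAX_LEN]);
    char small[SSID_MAX_LEN];
    printf("checked copy into 32 bytes: %d\n", ssid_copy_checked(small, sizeof small, &full));
    return 0;
}
```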

Kees Cook (kees) wrote :

Is your patch inverted?

Changed in linux:
milestone: none → ubuntu-8.10-beta

Kees Cook (kees) wrote :

Ah, nevermind. I wasn't reading it right. Thanks for the patch -- I've notified the kernel team.

Anders Kaseorg (anders-kaseorg) wrote :

Should I report this to other distros, or will the security team take care of doing that?

Anders Kaseorg (anders-kaseorg) wrote :

There was a small mistake in the first hunk of my patch (some compiled-out debugging code). Here’s a corrected version.

Changed in linux:
assignee: nobody → ubuntu-kernel-team
importance: Undecided → Medium
status: New → Triaged

Kees Cook (kees) wrote :

I will forward this report to the private "<email address hidden>" mailing list so other vendors can review it. Thanks for the update; I will CC you on the report.

Kees Cook (kees) wrote :

CVE-2008-4395

Kees Cook (kees) on 2008-10-02
Changed in linux-ubuntu-modules-2.6.24:
assignee: nobody → ubuntu-kernel-team
status: New → Triaged
Changed in linux:
importance: Medium → Low
milestone: ubuntu-8.10-beta → ubuntu-8.10
Changed in linux-ubuntu-modules-2.6.24:
importance: Undecided → Low

Anders Kaseorg (anders-kaseorg) wrote :

This is apparently public now.
http://<email address hidden>/msg22366.html
https://bugs.gentoo.org/show_bug.cgi?id=239371

Changed in ndiswrapper:
status: Unknown → Confirmed

Kees Cook (kees) wrote :

This has been published in Intrepid: http://www.ubuntu.com/usn/usn-663-1

Prior releases will be published soon.

Changed in linux:
status: Triaged → Fix Released
milestone: ubuntu-8.10 → none

Kees Cook (kees) wrote :

Gah, typo in the URL. That should have been: http://www.ubuntu.com/usn/usn-662-1

Kees Cook (kees) wrote :

This has been published: http://www.ubuntu.com/usn/usn-662-2

Changed in linux-ubuntu-modules-2.6.24:
status: Triaged → Fix Released

Kees Cook (kees) wrote :

Fixed upstream already.

Changed in ndiswrapper:
status: New → Fix Released
Changed in ndiswrapper:
status: Confirmed → Fix Released

VICTOR (pacho-nurse) on 2009-01-18
Changed in linux:
status: Fix Released → Confirmed
status: Confirmed → Fix Released

O.Chr.Jensen (ochrj) on 2009-08-28
Changed in ndiswrapper:
status: Fix Released → Fix Committed

O.Chr.Jensen: This fix was released in ndiswrapper 1.54. What did you mean by your status change to “Fix Committed”?

Changed in ndiswrapper:
status: Fix Committed → Fix Released
Changed in ndiswrapper (Gentoo Linux):
importance: Unknown → High
Changed in ndiswrapper (Debian):
status: Unknown → Fix Released
This report contains Public Security information
Everyone can see this security related information.
