[Karmic] mac80211: Fix remotly triggerable problems in the stack

Bug #491301 reported by Stefan Bader on 2009-12-02
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Stefan Bader

Bug Description

The following two patches (might come with 2.6.31.7) fix problems which might get triggered remotely and this are relevant to security. We should add them to the currently prepared update.

commit 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7
Author: Johannes Berg <email address hidden>
Date: Sun Nov 22 12:28:41 2009 +0100

    mac80211: fix spurious delBA handling

commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51
Author: Johannes Berg <email address hidden>
Date: Fri Nov 20 09:15:51 2009 +0100

    mac80211: fix two remote exploits

Stefan Bader (smb) on 2009-12-02
Changed in linux (Ubuntu):
assignee: nobody → Stefan Bader (stefan-bader-canonical)
importance: Undecided → High
status: New → Fix Committed
Stefan Bader (smb) on 2009-12-02
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

commit 827d42c9 was assigned with CVE-2009-4026.
the other commit's CVE number is pending.

Marc Deslauriers (mdeslaur) wrote :

There is some confusion regarding the CVE numbers. Here is Red Hat's explanation:

Commits 4253119a and 827d42c9 (first problem) = CVE-2009-4026
Commit 827d42c9 (second problem) = CVE-2009-4027

Marc Deslauriers (mdeslaur) wrote :

Mitre's explanation:

We associated CVE-2009-4026 with commit
827d42c9ac91ddd728e4f4a31fefb906ef2ceff7, and we associated CVE-2009-4027
with commit d92684e66091c0f0101819619b315b4bb8b5bcc5.

Andy Whitcroft (apw) on 2009-12-03
tags: added: kernel-series-unknown
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.31-16.52

---------------
linux (2.6.31-16.52) karmic-security; urgency=low

  [ Leann Ogasawara ]

  * [SCSI] megaraid_sas: remove sysfs poll_mode_io world writeable
    permissions
    - CVE-2009-3939

  [ Upstream Kernel Changes ]

  * fs: pipe.c null pointer dereference
    - CVE-2009-3547
  * netlink: fix typo in initialization
    - CVE-2009-3612
  * drm/r128: Add test for initialisation to all ioctls that require it
    - CVE-2009-3620
  * AF_UNIX: Fix deadlock on connecting to shutdown socket
    - CVE-2009-3621
  * nfsd4: use common rpc_cred for all callbacks
    - CVE-2009-3623
  * KEYS: get_instantiation_keyring() should inc the keyring refcount in
    all cases
    - CVE-2009-3624
  * connector: Keep the skb in cn_callback_data
    - CVE-2009-3725
  * connector: Provide the sender's credentials to the callback
    - CVE-2009-3725
  * connector: Fix incompatible pointer type warning
    - CVE-2009-3725
  * uvesafb/connector: Disallow unpliviged users to send netlink packets
    - CVE-2009-3725
  * pohmelfs/connector: Disallow unpliviged users to configure pohmelfs
    - CVE-2009-3725
  * dst/connector: Disallow unpliviged users to configure dst
    - CVE-2009-3725
  * dm/connector: Only process connector packages from privileged processes
    - CVE-2009-3725
  * NOMMU: Don't pass NULL pointers to fput() in do_mmap_pgoff()
    - CVE-2009-3888
  * isdn: hfc_usb: Fix read buffer overflow
    - CVE-2009-4005
  * gdth: Prevent negative offsets in ioctl CVE-2009-3080
    - CVE-2009-3080
  * mac80211: fix spurious delBA handling
    - LP: #491301
  * mac80211: fix two remote exploits
    - LP: #491301
  * ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c
    - LP: #491301
 -- Leann Ogasawara <email address hidden> Mon, 23 Nov 2009 13:57:30 -0800

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers