Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 31 May 2015 14:37:43 -0400 (EDT)
From: cve-assign@...re.org
To: j@...fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: vulnerability in wpa_supplicant and hostapd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> There are currently 5 sets of advisories+patches at:
>> http://w1.fi/security/

> No CVE has been requested for 2015-[234] prior to this

2015-2 has one CVE ID, 2015-3 has one CVE ID, and 2015-4 has four CVE
IDs, for a total of six. See below.

> http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
> http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
> Vulnerable versions ... hostapd v0.7.0-v2.4 ... wpa_supplicant v0.7.0-v2.4

> The HTTP implementation used for the UPnP operations uses a signed
> integer for storing the length of a HTTP chunk when the chunked
> transfer encoding and may end up using a negative value

Use CVE-2015-4141.


> http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt
> http://w1.fi/security/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
> Vulnerable versions ... hostapd v0.5.5-v2.4 ... wpa_supplicant v0.7.0-v2.4

> The frame length is previously verified to be large enough to include
> the IEEE 802.11 header, but the couple of additional bytes after this
> header are not explicitly verified and as a result of this, there may
> be an integer underflow

Use CVE-2015-4142.


> http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
> Vulnerable versions ... hostapd v1.0-v2.4 ... wpa_supplicant v1.0-v2.4

Use CVE-2015-4143 for the "The length of the received Commit and
Confirm message payloads was not checked before reading them. This
could result in a buffer read overflow when processing an invalid
message." issues in both
0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch and
0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch.

Use CVE-2015-4144 for "The remaining number of bytes in the message
could be smaller than the Total-Length field size, so the length needs
to be explicitly checked prior to reading the field and decrementing
the len variable. This could have resulted in the remaining length
becoming negative and interpreted as a huge positive integer." in both
0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and
0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch.

Use CVE-2015-4145 for "check that there is no already started fragment
in progress before allocating a new buffer for reassembling fragments.
This avoid a potential memory leak when processing invalid message."
in both
0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and
0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch.

Use CVE-2015-4146 for
0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVa1RZAAoJEKllVAevmvmsb4EIAKreo8c4uu04HwgAZLyRAHy5
yUnVt5iFEmEtyhK1rs58oKYEx0oEX9hgcPLUcdPyo49PFBtOCyrXgMap1KlW5YCD
5EryeqRLbnOinjGPBoRWrpGN+/zQleCSeMmZq9y1groeIFQpLFdJxOKMwDxOnuf5
LiDhxr/PeRyed9qttCZEVExLNY/HsoZPm6bAcUuGmDpy4ES49ge2vslLtOs7xfBx
NzzGuNGELtr2h7uEIXHA/glXE42A3h9y4IzznfPb0c2yURKU3TQ7ljkdpv/hYK8u
bWN3186dkvTgi6FiKQojM7m9DNEt/V6grPGhbu9/m19IdMW6apCwG9BHbkeqYL8=
=TOs/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.