Date: Sun, 31 May 2015 14:37:43 -0400 (EDT) From: cve-assign@...re.org To: j@...fi Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: vulnerability in wpa_supplicant and hostapd -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> There are currently 5 sets of advisories+patches at: >> http://w1.fi/security/ > No CVE has been requested for 2015- prior to this 2015-2 has one CVE ID, 2015-3 has one CVE ID, and 2015-4 has four CVE IDs, for a total of six. See below. > http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt > http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch > Vulnerable versions ... hostapd v0.7.0-v2.4 ... wpa_supplicant v0.7.0-v2.4 > The HTTP implementation used for the UPnP operations uses a signed > integer for storing the length of a HTTP chunk when the chunked > transfer encoding and may end up using a negative value Use CVE-2015-4141. > http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt > http://w1.fi/security/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch > Vulnerable versions ... hostapd v0.5.5-v2.4 ... wpa_supplicant v0.7.0-v2.4 > The frame length is previously verified to be large enough to include > the IEEE 802.11 header, but the couple of additional bytes after this > header are not explicitly verified and as a result of this, there may > be an integer underflow Use CVE-2015-4142. > http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt > Vulnerable versions ... hostapd v1.0-v2.4 ... wpa_supplicant v1.0-v2.4 Use CVE-2015-4143 for the "The length of the received Commit and Confirm message payloads was not checked before reading them. This could result in a buffer read overflow when processing an invalid message." issues in both 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch and 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch. Use CVE-2015-4144 for "The remaining number of bytes in the message could be smaller than the Total-Length field size, so the length needs to be explicitly checked prior to reading the field and decrementing the len variable. This could have resulted in the remaining length becoming negative and interpreted as a huge positive integer." in both 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch. Use CVE-2015-4145 for "check that there is no already started fragment in progress before allocating a new buffer for reassembling fragments. This avoid a potential memory leak when processing invalid message." in both 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch. Use CVE-2015-4146 for 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVa1RZAAoJEKllVAevmvmsb4EIAKreo8c4uu04HwgAZLyRAHy5 yUnVt5iFEmEtyhK1rs58oKYEx0oEX9hgcPLUcdPyo49PFBtOCyrXgMap1KlW5YCD 5EryeqRLbnOinjGPBoRWrpGN+/zQleCSeMmZq9y1groeIFQpLFdJxOKMwDxOnuf5 LiDhxr/PeRyed9qttCZEVExLNY/HsoZPm6bAcUuGmDpy4ES49ge2vslLtOs7xfBx NzzGuNGELtr2h7uEIXHA/glXE42A3h9y4IzznfPb0c2yURKU3TQ7ljkdpv/hYK8u bWN3186dkvTgi6FiKQojM7m9DNEt/V6grPGhbu9/m19IdMW6apCwG9BHbkeqYL8= =TOs/ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ