Hello community, here is the log from the commit of package madwifi checked in at Thu Dec 14 02:00:28 CET 2006.
--------
--- arch/i386/madwifi/madwifi.changes 2006-07-31 12:36:41.000000000 +0200
+++ /mounts/work_src_done/STABLE/madwifi/madwifi.changes 2006-12-14 01:44:19.000000000 +0100
@@ -1,0 +2,10 @@
+Fri Dec 8 20:10:45 CET 2006 - jg@suse.de
+
+- fixed potential crash (bug 226821)
+
+-------------------------------------------------------------------
+Fri Dec 8 10:03:26 CET 2006 - jg@suse.de
+
+- update to 0.9.2.1, fixes remote root exploit (bug 226821)
+
+-------------------------------------------------------------------
Old:
----
 madwifi-0.9.2.tar.bz2
New:
----
 madwifi-0.9.2.1.tar.bz2
 madwifi-crashfix.dif
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ madwifi.spec ++++++
--- /var/tmp/diff_new_pack.cqXIzu/_old 2006-12-14 02:00:08.000000000 +0100
+++ /var/tmp/diff_new_pack.cqXIzu/_new 2006-12-14 02:00:08.000000000 +0100
@@ -1,5 +1,5 @@
 #
-# spec file for package madwifi (Version 0.9.2)
+# spec file for package madwifi (Version 0.9.2.1)
 #
 # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
@@ -13,15 +13,16 @@
 Name: madwifi
 BuildRequires: kernel-source kernel-syms sharutils
 Summary: Tools for configuring atheros cards
-Version: 0.9.2
+Version: 0.9.2.1
 Release: 1
 Group: Hardware/Other
-License: BSD
+License: BSD License and BSD-like
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 URL: http://madwifi.org/
 Autoreqprov: on
 Source: madwifi-%{version}.tar.bz2
 Patch: madwifi.dif
+Patch1: madwifi-crashfix.dif
 ExclusiveArch: %ix86 x86_64
 %suse_kernel_module_package -n madwifi kdump um
@@ -37,7 +38,7 @@
 %package devel
 Group: Hardware/Other
-License: BSD
+License: BSD License and BSD-like
 Summary: Tools for configuring atheros cards
 %description devel
@@ -52,7 +53,7 @@
 %package -n madwifi-KMP
 Group: System/Kernel
-License: Other License(s), see package, BSD
+License: BSD License and BSD-like, Other License(s), see package
 Summary: kernel modules for atheros cards
 %description -n madwifi-KMP
@@ -68,6 +69,7 @@
 %prep
 %setup -n madwifi-%{version}
 %patch -p1
+%patch1 -p1
 echo "#define SVNVERSION \"%{version}\"" > svnversion.h
 %build
@@ -111,6 +113,10 @@
 %{_includedir}/%{name}-%{version}
 %changelog -n madwifi
+* Fri Dec 08 2006 - jg@suse.de
+- fixed potential crash (bug 226821)
+* Fri Dec 08 2006 - jg@suse.de
+- update to 0.9.2.1, fixes remote root exploit (bug 226821)
 * Mon Jul 31 2006 - jg@suse.de
 - update to version 0.9.2:
 * several bugs related to scanning have been fixed
++++++ madwifi-0.9.2.tar.bz2 -> madwifi-0.9.2.1.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/madwifi-0.9.2/net80211/ieee80211_wireless.c new/madwifi-0.9.2.1/net80211/ieee80211_wireless.c
--- old/madwifi-0.9.2/net80211/ieee80211_wireless.c 2006-07-06 05:23:08.000000000 +0200
+++ new/madwifi-0.9.2.1/net80211/ieee80211_wireless.c 2006-12-07 14:47:17.000000000 +0100
@@ -33,7 +33,7 @@
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGES.
 *
- * $Id: ieee80211_wireless.c 1676 2006-07-06 03:23:08Z brian $
+ * $Id: ieee80211_wireless.c 1843 2006-12-07 13:47:17Z mrenzmann $
 */
 /*
@@ -1555,6 +1555,8 @@
 memcpy(p, leader, leader_len);
 bufsize -= leader_len;
 p += leader_len;
+ if (bufsize < ielen)
+ return 0;
 for (i = 0; i < ielen && bufsize > 2; i++)
 p += sprintf(p, "%02x", ie[i]);
 return (i == ielen ? p - (u_int8_t *)buf : 0);
@@ -1576,7 +1578,8 @@
 char *current_ev = req->current_ev;
 char *end_buf = req->end_buf;
 #if WIRELESS_EXT > 14
- char buf[64 * 2 + 30];
+#define MAX_IE_LENGTH 64 * 2 + 30
+ char buf[MAX_IE_LENGTH];
 #endif
 struct iw_event iwe;
 char *current_val;
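Review bot: In the `@@ -1576,7 +1578,8 @@` hunk, `MAX_IE_LENGTH` expands to the bare expression `64 * 2 + 30`, so any later use beside a higher-precedence operator (for example `MAX_IE_LENGTH * 2`) would evaluate to something other than the buffer size. It should be written as `#define MAX_IE_LENGTH (64 * 2 + 30)`. The macro is also introduced inside a function body under `#if WIRELESS_EXT > 14`, yet it is used as a limit by checks elsewhere in this file; since its only job is to describe `buf`, those checks would follow the buffer more directly with `sizeof(buf)`. The enclosing function starts and ends outside the hunk.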
@@ -1678,6 +1681,8 @@
 if (se->se_rsn_ie != NULL) {
 #ifdef IWEVGENIE
 memset(&iwe, 0, sizeof(iwe));
+ if ((se->se_rsn_ie[1] + 2) > MAX_IE_LENGTH)
+ return;
 memcpy(buf, se->se_rsn_ie, se->se_rsn_ie[1] + 2);
 iwe.cmd = IWEVGENIE;
 iwe.u.data.length = se->se_rsn_ie[1] + 2;
@@ -1698,6 +1703,8 @@
 if (se->se_wpa_ie != NULL) {
 #ifdef IWEVGENIE
 memset(&iwe, 0, sizeof(iwe));
+ if ((se->se_wpa_ie[1] + 2) > MAX_IE_LENGTH)
+ return;
 memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2);
 iwe.cmd = IWEVGENIE;
 iwe.u.data.length = se->se_wpa_ie[1] + 2;
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/madwifi-0.9.2/release.h new/madwifi-0.9.2.1/release.h
--- old/madwifi-0.9.2/release.h 2006-07-27 14:25:13.000000000 +0200
+++ new/madwifi-0.9.2.1/release.h 2006-12-07 14:47:17.000000000 +0100
@@ -33,7 +33,7 @@
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGES.
 *
- * $Id: release.h 1694 2006-07-27 12:25:13Z mrenzmann $
+ * $Id: release.h 1843 2006-12-07 13:47:17Z mrenzmann $
 */
 #define RELEASE_TYPE "RELEASE"
@@ -41,5 +41,5 @@
 #ifdef SVNVERSION
 #define RELEASE_VERSION SVNVERSION
 #else
-#define RELEASE_VERSION "0.9.2"
+#define RELEASE_VERSION "0.9.2.1"
 #endif
++++++ madwifi-crashfix.dif ++++++
Index: madwifi-0.9.2.1/net80211/ieee80211_wireless.c
===================================================================
--- madwifi-0.9.2.1.orig/net80211/ieee80211_wireless.c
+++ madwifi-0.9.2.1/net80211/ieee80211_wireless.c
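Review bot: The guard added before `memcpy(buf, se->se_rsn_ie, ...)` in the `@@ -1678,6 +1681,8 @@` hunk exits the whole function with a bare `return;` when the IE does not fit. As far as the hunk shows, that also skips everything the function would still do for this scan entry after the RSN block. The same applies to the `se_wpa_ie` guard in the `@@ -1698,6 +1703,8 @@` hunk. Skipping only the oversized element would be less lossy, by putting the copy and the event that follows it under `if (se->se_rsn_ie[1] + 2 <= sizeof(buf)) { ... }`, which also ties the limit to the buffer itself. A one-line comment such as `/* IE length octet is not trusted; never copy more than buf holds */` would record why the check exists; the function body continues outside both hunks.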
@@ -1555,10 +1555,10 @@ encode_ie(void *buf, size_t bufsize, con
 memcpy(p, leader, leader_len);
 bufsize -= leader_len;
 p += leader_len;
- if (bufsize < ielen)
- return 0;
- for (i = 0; i < ielen && bufsize > 2; i++)
+ for (i = 0; i < ielen && bufsize > 2; i++) {
 p += sprintf(p, "%02x", ie[i]);
+ bufsize -= 2;
+ }
 return (i == ielen ? p - (u_int8_t *)buf : 0);
 }
 #endif /* WIRELESS_EXT > 14 */
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
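Review bot: The loop condition `bufsize > 2` now carries the whole bounds argument for `encode_ie`, but nothing in the code says why the limit is 2. Each `sprintf(p, "%02x", ie[i])` writes two hex digits plus a terminating NUL, so three bytes must remain before every iteration. A comment on the loop such as `/* 2 hex digits + NUL per IE byte */`, or switching to `snprintf(p, bufsize, "%02x", ie[i])`, would make that explicit and keep the bound next to the write. Separately, `bufsize -= leader_len` in the context lines is an unsigned subtraction, and the start of `encode_ie` is outside the hunk, so confirm that `leader_len <= bufsize` is checked before it.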