oss-sec mailing list archives
Re: CVE request: vulnerability in wpa_supplicant and hostapd
From: cve-assign () mitre org
Date: Sun, 31 May 2015 14:37:43 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
There are currently 5 sets of advisories+patches at: http://w1.fi/security/
No CVE has been requested for 2015-[234] prior to this
2015-2 has one CVE ID, 2015-3 has one CVE ID, and 2015-4 has four CVE IDs, for a total of six. See below.
http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch Vulnerable versions ... hostapd v0.7.0-v2.4 ... wpa_supplicant v0.7.0-v2.4
The HTTP implementation used for the UPnP operations uses a signed integer for storing the length of a HTTP chunk when the chunked transfer encoding and may end up using a negative value
Use CVE-2015-4141.
http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt http://w1.fi/security/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch Vulnerable versions ... hostapd v0.5.5-v2.4 ... wpa_supplicant v0.7.0-v2.4
The frame length is previously verified to be large enough to include the IEEE 802.11 header, but the couple of additional bytes after this header are not explicitly verified and as a result of this, there may be an integer underflow
Use CVE-2015-4142.
http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt Vulnerable versions ... hostapd v1.0-v2.4 ... wpa_supplicant v1.0-v2.4
Use CVE-2015-4143 for the "The length of the received Commit and Confirm message payloads was not checked before reading them. This could result in a buffer read overflow when processing an invalid message." issues in both 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch and 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch. Use CVE-2015-4144 for "The remaining number of bytes in the message could be smaller than the Total-Length field size, so the length needs to be explicitly checked prior to reading the field and decrementing the len variable. This could have resulted in the remaining length becoming negative and interpreted as a huge positive integer." in both 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch. Use CVE-2015-4145 for "check that there is no already started fragment in progress before allocating a new buffer for reassembling fragments. This avoid a potential memory leak when processing invalid message." in both 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch. Use CVE-2015-4146 for 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVa1RZAAoJEKllVAevmvmsb4EIAKreo8c4uu04HwgAZLyRAHy5 yUnVt5iFEmEtyhK1rs58oKYEx0oEX9hgcPLUcdPyo49PFBtOCyrXgMap1KlW5YCD 5EryeqRLbnOinjGPBoRWrpGN+/zQleCSeMmZq9y1groeIFQpLFdJxOKMwDxOnuf5 LiDhxr/PeRyed9qttCZEVExLNY/HsoZPm6bAcUuGmDpy4ES49ge2vslLtOs7xfBx NzzGuNGELtr2h7uEIXHA/glXE42A3h9y4IzznfPb0c2yURKU3TQ7ljkdpv/hYK8u bWN3186dkvTgi6FiKQojM7m9DNEt/V6grPGhbu9/m19IdMW6apCwG9BHbkeqYL8= =TOs/ -----END PGP SIGNATURE-----
Current thread:
- CVE request: vulnerability in wpa_supplicant and hostapd Martin Prpic (May 07)
- Re: CVE request: vulnerability in wpa_supplicant and hostapd Solar Designer (May 07)
- Re: CVE request: vulnerability in wpa_supplicant and hostapd Jouni Malinen (May 09)
- Re: CVE request: vulnerability in wpa_supplicant and hostapd cve-assign (May 31)
- Re: CVE request: vulnerability in wpa_supplicant and hostapd Jouni Malinen (May 09)
- Re: CVE request: vulnerability in wpa_supplicant and hostapd Tomas Hoger (May 27)
- Re: CVE request: vulnerability in wpa_supplicant and hostapd Jouni Malinen (May 09)
- Re: CVE request: vulnerability in wpa_supplicant and hostapd Solar Designer (May 07)