Gentoo Archives: gentoo-announce

From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200907-08 ] Multiple Ralink wireless drivers: Execution of arbitrary code
Date: Sun, 12 Jul 2009 18:03:04
Message-Id: 200907121941.19496.rbu@gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200907-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Multiple Ralink wireless drivers: Execution of arbitrary
            code
      Date: July 12, 2009
      Bugs: #257023
        ID: 200907-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An integer overflow in multiple Ralink wireless drivers might lead to
the execution of arbitrary code with elevated privileges.

Background
==========

All listed packages are external kernel modules that provide drivers
for multiple Ralink devices. ralink-rt61 is released by ralinktech.com,
the other packages by the rt2x00.serialmonkey.com project.

Affected packages
=================

    -------------------------------------------------------------------
     Package      /   Vulnerable                 /   Unaffected
    -------------------------------------------------------------------
  1  rt2400           <= 1.2.2_beta3                 Vulnerable!
  2  rt2500           <= 1.1.0_pre2007071515         Vulnerable!
  3  rt2570           <= 20070209                    Vulnerable!
  4  rt61             <= 1.1.0_beta2                 Vulnerable!
  5  ralink-rt61      <= 1.1.1.0                     Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     5 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Aviv reported an integer overflow in multiple Ralink wireless card
drivers when processing a probe request packet with a long SSID,
possibly related to an integer signedness error.

Impact
======

A physically proximate attacker could send specially crafted packets to
a user who has wireless networking enabled, possibly resulting in the
execution of arbitrary code with root privileges.

Workaround
==========

Unload the kernel modules.

Resolution
==========

All external kernel modules have been masked and we recommend that
users unmerge those drivers. The Linux mainline kernel has equivalent
support for these devices and the vulnerability has been resolved in
stable versions of sys-kernel/gentoo-sources.

    # emerge --unmerge "net-wireless/rt2400"
    # emerge --unmerge "net-wireless/rt2500"
    # emerge --unmerge "net-wireless/rt2570"
    # emerge --unmerge "net-wireless/rt61"
    # emerge --unmerge "net-wireless/ralink-rt61"

References
==========

  [ 1 ] CVE-2009-0282
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0282

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200907-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
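
A check to go with the Workaround and Resolution sections, added here as an example and not part of the GLSA: it lists which of the legacy out-of-tree Ralink modules are loaded, matching names exactly so that the mainline rt2x00 modules (rt2400pci, rt2500usb, rt61pci) are not flagged. It assumes each kernel module is named after its package (rt2400, rt2500, rt2570, rt61, with ralink-rt61 also building rt61); the function names and the sample input are constructed.

```shell
#!/bin/sh
# Assumption: the out-of-tree modules carry the package names from the
# advisory's table (ralink-rt61 is assumed to build a module named rt61).
LEGACY_MODULES="rt2400 rt2500 rt2570 rt61"

# loaded_legacy_ralink [FILE]
# Print each legacy module found in /proc/modules-format input, one per line.
# FILE defaults to /proc/modules; "-" reads standard input.
# The first field is compared as a whole word, so in-kernel drivers whose
# names merely start with a legacy name (rt2500usb, rt61pci) do not match.
loaded_legacy_ralink() {
    awk -v names="$LEGACY_MODULES" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 }
    ' "${1:--}${1:+}" 2>/dev/null || return 1
}

# unload_legacy_ralink
# Apply the advisory workaround on the running host (needs root).
# Returns non-zero if any module could not be removed.
unload_legacy_ralink() {
    rc=0
    for m in $(loaded_legacy_ralink /proc/modules); do
        modprobe -r "$m" || { echo "could not unload $m" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample in /proc/modules format: two legacy modules next to
# mainline rt2x00 modules that must not be reported.
sample_proc_modules() {
    cat <<'EOF'
rt61pci 24576 0 - Live 0x0000000000000000
rt2x00pci 16384 1 rt61pci, Live 0x0000000000000000
rt2500usb 28672 0 - Live 0x0000000000000000
rt2500 180224 1 - Live 0x0000000000000000
rt61 229376 1 - Live 0x0000000000000000
EOF
}

# Demonstration on the constructed sample.
sample_proc_modules | loaded_legacy_ralink -
```

On a real host, run `loaded_legacy_ralink /proc/modules` to audit and `unload_legacy_ralink` as root to apply the workaround before unmerging the packages.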
