Attached is debdiff, have uploaded a package to mentors.debian.net: http://mentors.debian.net/debian/pool/main/n/ndiswrapper/ndiswrapper_1.53-2.dsc
---
diff -u ndiswrapper-1.53/debian/changelog ndiswrapper-1.53/debian/changelog
--- ndiswrapper-1.53/debian/changelog
+++ ndiswrapper-1.53/debian/changelog
@@ -1,3 +1,11 @@
+ndiswrapper (1.53-2) unstable; urgency=high
+
+ * Add debian/patches/CVE-2008-4395.patch to fix a vulnerability in handling
+ of long ESSIDs which allows execution of code as root via remote attacker.
+ (Closes: #504696)
+
+ -- Kel Modderman <[EMAIL PROTECTED]> Thu, 06 Nov 2008 21:06:38 +1000
+
 ndiswrapper (1.53-1) unstable; urgency=low
 [ Kel Modderman ]
diff -u ndiswrapper-1.53/debian/patches/series ndiswrapper-1.53/debian/patches/series
--- ndiswrapper-1.53/debian/patches/series
+++ ndiswrapper-1.53/debian/patches/series
@@ -1,0 +2 @@
+CVE-2008-4395.patch
only in patch2:
unchanged:
--- ndiswrapper-1.53.orig/debian/patches/CVE-2008-4395.patch
+++ ndiswrapper-1.53/debian/patches/CVE-2008-4395.patch
@@ -0,0 +1,85 @@
+Anders Kaseorg discovered that ndiswrapper did not correctly handle long
+ESSIDs. For a system using ndiswrapper, a physically near-by attacker
+could generate specially crafted wireless network traffic and execute
+arbitrary code with root privileges. (CVE-2008-4395)
+
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/275860
+---
+--- a/driver/iw_ndis.c
++++ b/driver/iw_ndis.c
+@@ -47,12 +47,7 @@ int set_essid(struct ndis_device *wnd, c
+ req.length = ssid_len;
+ if (ssid_len)
+ memcpy(&req.essid, ssid, ssid_len);
+- DBG_BLOCK(2) {
+- char buf[NDIS_ESSID_MAX_SIZE+1];
+- memcpy(buf, ssid, ssid_len);
+- buf[ssid_len] = 0;
+- TRACE2("ssid = '%s'", buf);
+- }
++ TRACE2("ssid = '%.*s'", ssid_len, ssid);
+
+ res = mp_set(wnd, OID_802_11_SSID, &req, sizeof(req));
+ if (res) {
+@@ -125,7 +120,6 @@ static int iw_get_essid(struct net_devic
+ EXIT2(return -EOPNOTSUPP);
+ }
+ memcpy(extra, req.essid, req.length);
+- extra[req.length] = 0;
+ if (req.length > 0)
+ wrqu->essid.flags = 1;
+ else
+@@ -1000,7 +994,7 @@ static int iw_set_nick(struct net_device
+
+ if (wrqu->data.length > IW_ESSID_MAX_SIZE || wrqu->data.length <= 0)
+ return -EINVAL;
+- memset(wnd->nick, 0, sizeof(wnd->nick));
++ wnd->nick_len = wrqu->data.length;
+ memcpy(wnd->nick, extra, wrqu->data.length);
+ return 0;
+ }
+@@ -1010,7 +1004,7 @@ static int iw_get_nick(struct net_device
+ {
+ struct ndis_device *wnd = netdev_priv(dev);
+
+- wrqu->data.length = strlen(wnd->nick);
++ wrqu->data.length = wnd->nick_len;
+ memcpy(extra, wnd->nick, wrqu->data.length);
+ return 0;
+ }
+--- a/driver/ndis.h
++++ b/driver/ndis.h
+@@ -878,6 +878,7 @@ struct ndis_device {
+ unsigned long scan_timestamp;
+ struct encr_info encr_info;
+ char nick[IW_ESSID_MAX_SIZE];
++ size_t nick_len;
+ struct ndis_essid essid;
+ struct auth_encr_capa capa;
+ enum ndis_infrastructure_mode infrastructure_mode;
+--- a/driver/proc.c
++++ b/driver/proc.c
+@@ -97,10 +97,8 @@ static int procfs_read_ndis_encr(char *p
+ p += sprintf(p, "\n");
+
+ res = mp_query(wnd, OID_802_11_SSID, &essid, sizeof(essid));
+- if (!res) {
+- essid.essid[essid.length] = '\0';
+- p += sprintf(p, "essid=%s\n", essid.essid);
+- }
++ if (!res)
++ p += sprintf(p, "essid=%.*s\n", essid.length, essid.essid);
+ res = mp_query_int(wnd, OID_802_11_ENCRYPTION_STATUS, &encr_status);
+ if (!res) {
+ typeof(&wnd->encr_info.keys[0]) tx_key;
+--- a/driver/wrapndis.c
++++ b/driver/wrapndis.c
+@@ -2028,7 +2028,7 @@ static wstdcall NTSTATUS NdisAddDevice(s
+ wnd->attributes = 0;
+ wnd->dma_map_count = 0;
+ wnd->dma_map_addr = NULL;
+- wnd->nick[0] = 0;
++ wnd->nick_len = 0;
+ init_timer(&wnd->hangcheck_timer);
+ wnd->scan_timestamp = 0;
+ init_timer(&wnd->iw_stats_timer);
---
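Review bot: In the iw_get_essid hunk, `memcpy(extra, req.essid, req.length);` still copies a length reported by the NDIS driver into the caller's buffer with no bound visible in the hunk, and the same driver-reported length becomes the `%.*s` precision in procfs_read_ndis_encr; removing `extra[req.length] = 0` only closes the one-past-the-end write, so if the driver can report a length larger than the essid array (presumably NDIS_ESSID_MAX_SIZE, seen in the removed DBG_BLOCK) the copy and the read remain unbounded unless mp_query is known to clamp it. Unless that guarantee exists, add `if (req.length > sizeof(req.essid)) req.length = sizeof(req.essid);` before the memcpy and the equivalent clamp on `essid.length` in proc.c before the sprintf. Separately, the `.*` precision argument of printf-style formats must be an `int`; the types of `essid.length` and `ssid_len` are not visible here, so cast them at the call, e.g. `(int)essid.length`, to avoid a mismatched variadic argument. The bodies of set_essid, iw_get_essid and procfs_read_ndis_encr continue outside the hunk.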