Subject: unblock: aircrack-ng/1:1.2-0~beta3-2

Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: important
X-Debbugs-CC: carnil@debian.org

Please unblock package aircrack-ng

It fixes 4 security vulnerabilities. (#767979)

https://security-tracker.debian.org/tracker/CVE-2014-8321
https://security-tracker.debian.org/tracker/CVE-2014-8322
https://security-tracker.debian.org/tracker/CVE-2014-8323
https://security-tracker.debian.org/tracker/CVE-2014-8324

Attached is the debdiff against the package in testing.

unblock aircrack-ng/1:1.2-0~beta3-2

diff -Nru aircrack-ng-1.2-0~beta3/debian/changelog aircrack-ng-1.2-0~beta3/debian/changelog
--- aircrack-ng-1.2-0~beta3/debian/changelog 2014-05-30 19:40:13.000000000 +0200
+++ aircrack-ng-1.2-0~beta3/debian/changelog 2014-11-12 00:16:47.000000000 +0100
@@ -1,3 +1,14 @@
+aircrack-ng (1:1.2-0~beta3-2) unstable; urgency=high
+
+ * Fix the following security vulnerabilities: (Closes: #767979)
+ * CVE-2014-8321 - GPS stack overflow.
+ * CVE-2014-8322 - tcp_test stack overflow.
+ * CVE-2014-8323 - buddy-ng missing checkin data format.
+ * CVE-2014-8324 - net_get missing check for invalid values.
+ * Add missing dh-python package to Build-Depends.
+
+ -- Carlos Alberto Lopez Perez <clopez@igalia.com> Tue, 11 Nov 2014 23:41:52 +0100
+
aircrack-ng (1:1.2-0~beta3-1) unstable; urgency=low
* New upstream release.
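Review bot: in the new changelog entry, "buddy-ng missing checkin data format" for CVE-2014-8323 reads like a typo for "missing check in data format". The four CVE lines would also map more easily onto the patches if each named the affected tool the way the upstream subjects do (Airodump-ng, Aireplay-ng, Buddy-ng, OSdep).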
diff -Nru aircrack-ng-1.2-0~beta3/debian/control aircrack-ng-1.2-0~beta3/debian/control
--- aircrack-ng-1.2-0~beta3/debian/control 2014-05-30 18:39:20.000000000 +0200
+++ aircrack-ng-1.2-0~beta3/debian/control 2014-11-12 00:15:54.000000000 +0100
@@ -5,6 +5,7 @@
Homepage: http://www.aircrack-ng.org/
Build-Depends:
debhelper (>= 9),
+ dh-python,
libgcrypt20-dev | libgcrypt11-dev,
libnl-genl-3-dev [linux-any],
libpcap0.8-dev,
diff -Nru aircrack-ng-1.2-0~beta3/debian/patches/004-CVE-2014-8321.diff aircrack-ng-1.2-0~beta3/debian/patches/004-CVE-2014-8321.diff
--- aircrack-ng-1.2-0~beta3/debian/patches/004-CVE-2014-8321.diff 1970-01-01 01:00:00.000000000 +0100
+++ aircrack-ng-1.2-0~beta3/debian/patches/004-CVE-2014-8321.diff 2014-11-11 23:52:09.000000000 +0100
@@ -0,0 +1,26 @@
+From ff70494dd389ba570dbdbf36f217c28d4381c6b5 Mon Sep 17 00:00:00 2001
+From: Thomas d'Otreppe <tdotreppe@aircrack-ng.org>
+Date: Fri, 3 Oct 2014 01:51:21 +0000
+Subject: [PATCH] Airodump-ng: Fixed GPS stack overflow (Closes #13 on GitHub).
+
+git-svn-id: http://svn.aircrack-ng.org/trunk@2416 28c6078b-6c39-48e3-add9-af49d547ecab
+---
+ src/airodump-ng.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/airodump-ng.c b/src/airodump-ng.c
+index 6cec912..222492c 100644
+--- a/src/airodump-ng.c
++++ b/src/airodump-ng.c
+@@ -4497,7 +4497,7 @@ void gps_tracker( void )
+ }
+
+ // New version, JSON
+- if( recv( gpsd_sock, line + pos, sizeof( line ) - 1, 0 ) <= 0 )
++ if( recv( gpsd_sock, line + pos, sizeof( line ) - pos - 1, 0 ) <= 0 )
+ return;
+
+ // search for TPV class: {"class":"TPV"
+--
+2.0.0.rc2
+
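Review bot: in the gps_tracker() hunk, `sizeof( line ) - pos - 1` is only a safe length while pos stays below sizeof(line) - 1, and nothing in the visible context bounds or resets pos. Because sizeof yields an unsigned size_t, a pos of sizeof(line) or more makes the expression wrap to a very large value instead of going negative, and a pos of exactly sizeof(line) - 1 asks recv() for 0 bytes, so a 0 return then takes the `<= 0` path and leaves the function. Suggest checking pos against sizeof(line) - 1 before the call and handling the full-buffer case explicitly.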
diff -Nru aircrack-ng-1.2-0~beta3/debian/patches/005-CVE-2014-8322.diff aircrack-ng-1.2-0~beta3/debian/patches/005-CVE-2014-8322.diff
--- aircrack-ng-1.2-0~beta3/debian/patches/005-CVE-2014-8322.diff 1970-01-01 01:00:00.000000000 +0100
+++ aircrack-ng-1.2-0~beta3/debian/patches/005-CVE-2014-8322.diff 2014-11-11 23:52:57.000000000 +0100
@@ -0,0 +1,27 @@
+From 091b153f294b9b695b0b2831e65936438b550d7b Mon Sep 17 00:00:00 2001
+From: Thomas d'Otreppe <tdotreppe@aircrack-ng.org>
+Date: Fri, 3 Oct 2014 01:53:50 +0000
+Subject: [PATCH] Aireplay-ng: Fixed tcp_test stack overflow (Closes #14 on
+ GitHub).
+
+git-svn-id: http://svn.aircrack-ng.org/trunk@2417 28c6078b-6c39-48e3-add9-af49d547ecab
+---
+ src/aireplay-ng.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/aireplay-ng.c b/src/aireplay-ng.c
+index 7335442..b397015 100644
+--- a/src/aireplay-ng.c
++++ b/src/aireplay-ng.c
+@@ -5398,6 +5398,8 @@ int tcp_test(const char* ip_str, const short port)
+ if( (unsigned)caplen == sizeof(nh))
+ {
+ len = ntohl(nh.nh_len);
++ if (len > 1024 || len < 0)
++ continue;
+ if( nh.nh_type == 1 && i==0 )
+ {
+ i=1;
+--
+2.0.0.rc2
+
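Review bot: the new bound in tcp_test() is the literal 1024, while the buffer it protects is not in the visible context, so the limit and the buffer size can drift apart. Suggest expressing the limit as sizeof of the destination buffer. The `len < 0` half only has an effect if len is declared as a signed type, since ntohl() returns an unsigned 32-bit value, so the declaration is worth confirming. A short comment on whether `continue` leaves the announced payload unread on the socket would also help the next reader.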
diff -Nru aircrack-ng-1.2-0~beta3/debian/patches/006-CVE-2014-8323.diff aircrack-ng-1.2-0~beta3/debian/patches/006-CVE-2014-8323.diff
--- aircrack-ng-1.2-0~beta3/debian/patches/006-CVE-2014-8323.diff 1970-01-01 01:00:00.000000000 +0100
+++ aircrack-ng-1.2-0~beta3/debian/patches/006-CVE-2014-8323.diff 2014-11-11 23:53:42.000000000 +0100
@@ -0,0 +1,26 @@
+From da087238963c1239fdabd47dc1b65279605aca70 Mon Sep 17 00:00:00 2001
+From: Thomas d'Otreppe <tdotreppe@aircrack-ng.org>
+Date: Fri, 3 Oct 2014 01:58:02 +0000
+Subject: [PATCH] Buddy-ng: Fixed segmentation fault (Closes #15 on GitHub).
+
+git-svn-id: http://svn.aircrack-ng.org/trunk@2418 28c6078b-6c39-48e3-add9-af49d547ecab
+---
+ src/buddy-ng.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/buddy-ng.c b/src/buddy-ng.c
+index 8a7927c..8da8996 100644
+--- a/src/buddy-ng.c
++++ b/src/buddy-ng.c
+@@ -83,6 +83,8 @@ int handle(int s, unsigned char* data, int len, struct sockaddr_in *s_in)
+ *cmd++ = htons(S_CMD_PACKET);
+ *cmd++ = *pid;
+ plen = len - 2;
++ if (plen < 0)
++ return 0;
+
+ last_id = ntohs(*pid);
+ if (last_id > 20000)
+--
+2.0.0.rc2
+
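Review bot: the `plen < 0` check in handle() comes after `*cmd++ = *pid;`, so pid has already been dereferenced by the time a too-short packet is rejected. If pid points into data (its assignment is outside the visible context), a packet with len < 2 is still read past its end before the early return. Suggest testing the length before the first use of pid, for example `if (len < 2) return 0;` ahead of these assignments.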
diff -Nru aircrack-ng-1.2-0~beta3/debian/patches/007-CVE-2014-8324.diff aircrack-ng-1.2-0~beta3/debian/patches/007-CVE-2014-8324.diff
--- aircrack-ng-1.2-0~beta3/debian/patches/007-CVE-2014-8324.diff 1970-01-01 01:00:00.000000000 +0100
+++ aircrack-ng-1.2-0~beta3/debian/patches/007-CVE-2014-8324.diff 2014-11-11 23:54:55.000000000 +0100
@@ -0,0 +1,27 @@
+From 88702a3ce4c28a973bf69023cd0312f412f6193e Mon Sep 17 00:00:00 2001
+From: Thomas d'Otreppe <tdotreppe@aircrack-ng.org>
+Date: Fri, 3 Oct 2014 02:00:34 +0000
+Subject: [PATCH] OSdep: Fixed segmentation fault that happens with a malicious
+ server sending a negative length (Closes #16 on GitHub).
+
+git-svn-id: http://svn.aircrack-ng.org/trunk@2419 28c6078b-6c39-48e3-add9-af49d547ecab
+---
+ src/osdep/network.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/osdep/network.c b/src/osdep/network.c
+index 4f0f8b2..4ebfaf4 100644
+--- a/src/osdep/network.c
++++ b/src/osdep/network.c
+@@ -131,7 +131,7 @@ int net_get(int s, void *arg, int *len)
+ if (!(plen <= *len))
+ printf("PLEN %d type %d len %d\n",
+ plen, nh.nh_type, *len);
+- assert(plen <= *len); /* XXX */
++ assert(plen <= *len && plen > 0); /* XXX */
+
+ *len = plen;
+ if ((*len) && (net_read_exact(s, arg, *len) == -1))
+--
+2.0.0.rc2
+
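Review bot: in net_get() the length validation lives in assert(), which is compiled out when NDEBUG is defined, so in such a build a negative plen from the peer still reaches `*len = plen` unchecked; with asserts enabled, the process aborts instead of the call failing. Suggest an explicit check that returns an error to the caller. Also, `plen > 0` now rejects a zero-length payload even though the following `if ((*len) && ...` still handles that case, so `plen >= 0` looks like the intended bound.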
diff -Nru aircrack-ng-1.2-0~beta3/debian/patches/series aircrack-ng-1.2-0~beta3/debian/patches/series
--- aircrack-ng-1.2-0~beta3/debian/patches/series 2014-05-20 20:31:44.000000000 +0200
+++ aircrack-ng-1.2-0~beta3/debian/patches/series 2014-11-11 23:59:00.000000000 +0100
@@ -2,3 +2,7 @@
001-Airodump_whitespace_oui.diff
002-fix-libnl-detection.diff
003-dont-abort-libnl-nolinux.diff
+004-CVE-2014-8321.diff
+005-CVE-2014-8322.diff
+006-CVE-2014-8323.diff
+007-CVE-2014-8324.diff