Critical Security Hole in Linux Wi-Fi

thisispurefud writes "A flaw has been found in a major Linux Wi-Fi driver that can allow an attacker to run malicious code and take control of a laptop, even when it is not on a Wi-Fi network."

First reported December 2006

[QuietLagoon]

Here is a reference to a more informative report.

I am a bit confused...

[Skiron]

... this was fixed 4 months ago?

http://madwifi.org/changeset/1842

Re:Oh, madwifi. Surprise! Closed source still suck

The bug was in the open source portion of the driver, the closed-source HAL merely locks the range of radio frequencies and transmit powers allowed.

madwifi links.

[Erris]

The madwifi howto is here. It seems that you can type, "lsmod | grep ath_pci" to find out if you are running the supposedly exploited module. My simple Etch system does not have this or wlanconfig tools by default, though those tools look very nice and I'm sure this little problem will be fixed quickly.

I have to agree with you about the uselessness of the PC World article. Besides not having any useful information, it's filled with FUD about free software wifi and confused "popularity argument" babble. In short it's more of a, "everyone else has these problems too, so Windoze away," pacifier than it is a news article.

Fixed Dec 15th on my box

[swillden]

... this was fixed 4 months ago?

It looks that way to me.

Unless this is a different vulnerability, Debian applied the fix over four months ago, two days after the patch was available, and eight days after the vulnerability was first reported

I saw the article and immediately started aptitude to get the fix, only to discover that I already got it, two weeks before Christmas. Nice.

Re:In other news..

[TheRealMindChild]

they all contains buffer overflows

Actually, this kind of crap goes away when you stop using NULL terminated strings and put in size checks.

• Start using a BSTR or std::string or christ, even CString.
• If you're going to use a char * as a string, stop using strcpy/strcat/sprintf/strfindthelawngnome and start using strncpy/strncat/snprintf/strfoundthelawngnome
• If you have to pass a char * as a parameter of some function, also add a parameter that indicates the size of the memory (EX: 'bool IsStringSexy(char *mystring, ULONG mystringlen)')
• Don't rely that a setting read from some arbitrary place (registry, file) is undeniably correct to laying out structures of memory [LOOKING AT YOU IE AND FIREFOX AND WORD AND EVERY OTHER APP THAT CRASHED DUE TO A MALFORMED DOCUMENT]

Re:patched already

[FauxPasIII]

> MadWiFi source code can be found here.

Or rather, a small open-source Linux compatibility shim around the actual, binary only driver.

Look further into that link you pasted:

http://madwifi.org/browser/trunk/hal/public

Those .uu files are binary objects stored as text, and they make up the majority of the driver. This same binary driver is also used by some of the BSDs, with a different open-source shim.

> The module in question is found here. (slow to load)

Ah, so the flaw is in the open source shim part. Fooey. =/

As an aside, and as I suspect you might already know, there is an effort to replace the binary-only part of that driver with Free software, and the Madwifi people have cooperated as much as they're able. They even host the development in their own repository:

http://madwifi.org/browser/branches/madwifi-old-op enhal

Cheers!

Re:Fixed! -not!

[LibertarianWackJob]

Hi "Joe"
You won't be getting any updates for FC3 since the Fedora Project has dropped support for that. If you like the Fedora distribution you can go with FC6 or wait for May 24 when FC7 is due to be released. Otherwise, Ubuntu is a fine distribution.

Try this:

su -

crontab -e

# cron for root
# update system at 4AM daily
0 4 * * * /usr/bin/yum update