|
Message-Id: <20151102225245.3B9DC42E007@smtpvbsrv1.mitre.org> Date: Mon, 2 Nov 2015 17:52:45 -0500 (EST) From: cve-assign@...re.org To: j@...fi Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: hostapd/wpa_supplicant - Incomplete WPS and P2P NFC NDEF record payload length validation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > http://w1.fi/security/2015-5/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt >> Note: No NFC stack implementation has yet been identified with >> capability to pass the malformed NDEF record to >> hostapd/wpa_supplicant. As such, it is not known whether this issue can >> be triggered in practice. >> While such validation is likely done in the NFC >> stack that needs to parse the NFC messages before further processing, >> hostapd/wpa_supplicant should have (re)confirmed NDEF message validity >> properly. > https://w1.fi/cgit/hostap/commit/src/wps/ndef.c?id=df9079e72760ceb7ebe7fb11538200c516bdd886 >> It was possible for the 32-bit record->total_length value to end up >> wrapping around due to integer overflow if the longer form of payload >> length field is used and record->payload_length gets a value close to >> 2^32. Use CVE-2015-8041 for this integer overflow (with various possible impacts). The vendor's report is listed under "security advisories" on the http://w1.fi/security page, and it may be reasonable to interpret "hostapd/wpa_supplicant should have (re)confirmed NDEF message validity properly" to mean "hostapd/wpa_supplicant had a vulnerability because they did not (re)confirm NDEF message validity properly." In other words, although the issue is not exploitable with any known NFC implementation, the hostapd/wpa_supplicant design goal was to operate safely even if validation were missing in an NFC implementation. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWN+iXAAoJEL54rhJi8gl5WPQP/jCEUAEaL41RDQtIr+z8AQ9K 0eCZvwc3aenIJBe77KaU8f77VHbyM3pCatheArzv1KHOEyRvezr5KKscVcYxi6bj 20NnNXpWRTLoxduU0tz/2C6mUNv05VsZaRwFe1nsPHH+yDwMfzcOD6MB5esJ64l6 ZI+SbA6QMEGzq5oflWtIrijLif/YcevYyIlVJyDQjXrnvL/+g/ZfegnWruaJjWaU CUrkAfHdeXdfk260b1hVoqncPrqIASRm2GQGhR9EzpqNWDZNcF8iGtc8LBUzSlk7 2ZmRaID4Yw57MNlFXPgn+q6scCpGWuDPAXIeJ5uBNcp4V8VVQp3zPmE9KdRzDQ1c oypYxFfsu0/B7oW/q8nIfuz/UZge+2DZD+etPaN1jG5IpSOJhFCIgiJ8PNl6UlUU yJNwXAMUy5+xBLULHyBhlsPc6sjJppnzP4YD/vPnzQ0uhKAXXIF/rjfi2fhX0lF7 iGikGwCXqejP4uwqJ7zE/oOh6oEEkSVYN4sqERsHmnhdE5teLMF/XOodv5P8afNX sPbnrh67/G7PopFTCH6N4wXZrJPbi+YzETI+GXpgu1nEOkC5jtycYqV9lKnTBjQT e6wxWk0OGdXeettqRZUhB1LTNm7OIoEjBb/+63AEyl8P6z6aqM+xXUQlNLcQHU1m GDmrNOp6JAhzg1+xMggO =1n9O -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.