LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > MEPIS
User Name
Password
MEPIS This forum is for the discussion of MEPIS Linux.

Notices


Reply
  Search this Thread
Old 04-15-2007, 12:25 PM   #1
fpd
Member
 
Registered: Aug 2004
Distribution: Mepis
Posts: 70

Rep: Reputation: 15
MadWiFi security threat...


It seems a lot of folks here recommend MadWiFi, and I saw this while surfing:
http://www.pcworld.com/article/id,13...1/article.html
I have not seen any updates from Synaptic fixing this security breach.

Conspiracy theory: MSBill is covertly throwing wrenches into the Linux machine just to say, "S-s-se-see! Linux has security problems, t-t-t-too!" Anyone as paranoid as I am?
 
Old 04-15-2007, 12:59 PM   #2
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 78
AFAIK, this was taken care of last December. You can see the changes here and here.
 
Old 04-15-2007, 01:37 PM   #3
fpd
Member
 
Registered: Aug 2004
Distribution: Mepis
Posts: 70

Original Poster
Rep: Reputation: 15
I see your links show it was fixed, but the article states that some distros could be vulnerable by not adding the fix. Do you know if the fix was included in Mepis, or in the updates distributed via apt-get and synaptic?
 
Old 04-15-2007, 06:53 PM   #4
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 78
I don’t know any about the repositories for any specific distros, but it seems like the security fix is in version 0.9.2.1 and greater, and the oops fix is in 0.9.3 and greater. Your package manager should use the same version numbers so you should be able to figure it out from there.
 
Old 04-17-2007, 04:24 PM   #5
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234Reputation: 234Reputation: 234
For a quick check run:
Code:
$ apt-cache showpkg madwifi-tools
Package: madwifi-tools
Versions:
1:0.9.2+dfsg-1 ...
Note the "1:" before the true ver. #, ignore it -- it is a Debianism that I can't explain.

& BTW, I'm still running 3.3.2 on this box, so of course the ver. looks out of date.
 
Old 04-17-2007, 06:52 PM   #6
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Nearly all wireless drivers have been found vulnerable since a year or so, independently of the OS.

http://www.schneier.com/blog/archive...river_att.html
 
Old 04-18-2007, 10:31 PM   #7
fpd
Member
 
Registered: Aug 2004
Distribution: Mepis
Posts: 70

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by osor
I don’t know any about the repositories for any specific distros, but it seems like the security fix is in version 0.9.2.1 and greater, and the oops fix is in 0.9.3 and greater. Your package manager should use the same version numbers so you should be able to figure it out from there.
I did an apt-get policy madwifi-tools and received this:
Code:
madwifi-tools:
  Installed: 1:0.9.2+dfsg-1
  Candidate: 1:0.9.2+dfsg-1
  Version table:
 *** 1:0.9.2+dfsg-1 0
        990 http://apt.mepis.org mepis/main Packages
        100 /var/lib/dpkg/status
So, I tried apt-get install madwifi-tools (after an apt-get update) and received this:
Code:
Reading package lists... Done
Building dependency tree... Done
madwifi-tools is already the newest version.
Is there a way to get 0.9.3 through apt-get or synaptic, or must I download and install the package?
 
Old 04-19-2007, 09:58 AM   #8
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 78
Sorry I haven’t replied in awhile, but I do not think the “madwifi-tools” package contains the affected code…

I don’t know about Mepis, but for Debian, see here. As you can see the version number (1:0.9.2+r1842.20061207-2) states that it is from the 0.9.2 branch, with svn revision 1842 (the aforementioned security fix) and was packaged on 20061207. Why they don’t use the package maintainers’ version number is beyond me. I also don’t know why they split up the code.

Bottom line: if your apt-style distro has the package madwifi-source with version number 1:0.9.2+r1842.20061207-2 or similar, you’re not vulnerable to the mentioned security threat.
 
Old 04-19-2007, 10:23 AM   #9
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
And if you click on Changelog on the page given by osor, you see:

Quote:
madwifi (1:0.9.2+r1842.20061207-2) unstable; urgency=high

* Add upstream revision 1847 as a new dpatch to completely fix
CVE-2006-6332; thanks Luk Claes; closes: #402836.

-- Loic Minier <lool@dooz.org> Thu, 14 Dec 2006 20:44:37 +0100
madwifi (1:0.9.2+r1842.20061207-1) unstable; urgency=medium

* New upstream SVN snapshot
- buffer overflow exploit fixed (CVE-2006-6332)
* Urgency medium to allow security fix to propogate to testing asap.

-- Kel Modderman <kelmo@kanotixguide.org> Fri, 8 Dec 2006 08:06:01 +1000
Check your changelog
/usr/share/doc/xxx/changelogxxx
 
Old 04-29-2007, 01:41 PM   #10
angryfirelord
Member
 
Registered: Dec 2005
Distribution: Fedora, CentOS
Posts: 515

Rep: Reputation: 66
I'm not that paranoid, but if you want the newest madwifi, you could temporarily enable a Debian unstable repo & use module-assistant to build a new driver. (I have absolutely no idea if that would work on mepis)

http://packages.debian.org/unstable/net/madwifi-source
http://packages.debian.org/unstable/net/madwifi-tools
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Security threat with the echo command uma_mahesh_2005 Linux - Security 8 05-04-2006 06:14 AM
Is LimeWire a security threat? BajaNick Linux - Security 3 01-08-2006 02:37 AM
Limewire a security threat? JCdude2525 Linux - Security 2 02-06-2005 09:25 AM
Is this a security threat? ifm Linux - Security 3 06-14-2002 10:58 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > MEPIS

All times are GMT -5. The time now is 08:31 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration