diff options
author | Bjarke Istrup Pedersen <gurligebis@gentoo.org> | 2015-05-11 14:53:43 +0000 |
---|---|---|
committer | Bjarke Istrup Pedersen <gurligebis@gentoo.org> | 2015-05-11 14:53:43 +0000 |
commit | fd7e0d2997c759e4e483ed42e33ecb1e85b62456 (patch) | |
tree | 965d4cf02c343f34a7bda3790ae72d90aa9f743c /net-wireless/wpa_supplicant/files | |
parent | Adding more security patches from bug #548744 (diff) | |
download | historical-fd7e0d2997c759e4e483ed42e33ecb1e85b62456.tar.gz historical-fd7e0d2997c759e4e483ed42e33ecb1e85b62456.tar.bz2 historical-fd7e0d2997c759e4e483ed42e33ecb1e85b62456.zip |
Adding more security patches from bug #548742 and fixing patch from bug #544036
Package-Manager: portage-2.2.18/cvs/Linux x86_64
Manifest-Sign-Key: 0x15AE484C
Diffstat (limited to 'net-wireless/wpa_supplicant/files')
-rw-r--r-- | net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch (renamed from net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch) | 13 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch | 49 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch | 41 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch | 35 |
4 files changed, 122 insertions, 16 deletions
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch b/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch index e417bf22b3db..de1964ca7697 100644 --- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch +++ b/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch @@ -1,7 +1,8 @@ From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001 From: Jouni Malinen <jouni@qca.qualcomm.com> -Date: Tue, 07 Apr 2015 08:32:11 +0000 -Subject: P2P: Validate SSID element length before copying it (CVE-2015-1863) +Date: Tue, 7 Apr 2015 11:32:11 +0300 +Subject: [PATCH] P2P: Validate SSID element length before copying it + (CVE-2015-1863) This fixes a possible memcpy overflow for P2P dev->oper_ssid in p2p_add_device(). The length provided by the peer device (0..255 bytes) @@ -21,6 +22,9 @@ hardware research group of Alibaba security team for discovering it. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> --- + src/p2p/p2p.c | 1 + + 1 file changed, 1 insertion(+) + diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c index f584fae..a45fe73 100644 --- a/src/p2p/p2p.c @@ -33,5 +37,6 @@ index f584fae..a45fe73 100644 (msg.ssid[1] != P2P_WILDCARD_SSID_LEN || os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) != 0)) { --- -cgit v0.9.2 +-- +1.9.1 + diff --git a/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch new file mode 100644 index 000000000000..36b4ca294699 --- /dev/null +++ b/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch @@ -0,0 +1,49 @@ +From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Tue, 28 Apr 2015 17:08:33 +0300 +Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser + +strtoul() return value may end up overflowing the int h->chunk_size and +resulting in a negative value to be stored as the chunk_size. This could +result in the following memcpy operation using a very large length +argument which would result in a buffer overflow and segmentation fault. + +This could have been used to cause a denial service by any device that +has been authorized for network access (either wireless or wired). This +would affect both the WPS UPnP functionality in a WPS AP (hostapd with +upnp_iface parameter set in the configuration) and WPS ER +(wpa_supplicant with WPS_ER_START control interface command used). + +Validate the parsed chunk length value to avoid this. In addition to +rejecting negative values, we can also reject chunk size that would be +larger than the maximum configured body length. + +Thanks to Kostya Kortchinsky of Google security team for discovering and +reporting this issue. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/wps/httpread.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/wps/httpread.c b/src/wps/httpread.c +index 2f08f37..d2855e3 100644 +--- a/src/wps/httpread.c ++++ b/src/wps/httpread.c +@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx) + if (!isxdigit(*cbp)) + goto bad; + h->chunk_size = strtoul(cbp, NULL, 16); ++ if (h->chunk_size < 0 || ++ h->chunk_size > h->max_bytes) { ++ wpa_printf(MSG_DEBUG, ++ "httpread: Invalid chunk size %d", ++ h->chunk_size); ++ goto bad; ++ } + /* throw away chunk header + * so we have only real data + */ +-- +1.9.1 + diff --git a/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch new file mode 100644 index 000000000000..79c5af8906fa --- /dev/null +++ b/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch @@ -0,0 +1,41 @@ +From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Wed, 29 Apr 2015 02:21:53 +0300 +Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser + +The length of the WMM Action frame was not properly validated and the +length of the information elements (int left) could end up being +negative. This would result in reading significantly past the stack +buffer while parsing the IEs in ieee802_11_parse_elems() and while doing +so, resulting in segmentation fault. + +This can result in an invalid frame being used for a denial of service +attack (hostapd process killed) against an AP with a driver that uses +hostapd for management frame processing (e.g., all mac80211-based +drivers). + +Thanks to Kostya Kortchinsky of Google security team for discovering and +reporting this issue. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/ap/wmm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/ap/wmm.c b/src/ap/wmm.c +index 6d4177c..314e244 100644 +--- a/src/ap/wmm.c ++++ b/src/ap/wmm.c +@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd, + return; + } + ++ if (left < 0) ++ return; /* not a valid WMM Action frame */ ++ + /* extract the tspec info element */ + if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) { + hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, +-- +1.9.1 + diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch index e66d5d4a2399..6f3605713353 100644 --- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch +++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch @@ -1,6 +1,6 @@ -diff -ur a/wpa_supplicant-2.4/src/eap_peer/Makefile b/wpa_supplicant-2.4/src/eap_peer/Makefile ---- a/wpa_supplicant-2.4/src/eap_peer/Makefile 2015-03-15 19:30:39.000000000 -0200 -+++ b/wpa_supplicant-2.4/src/eap_peer/Makefile 2015-04-26 14:40:49.987453098 -0200 +diff -Naurp a/src/eap_peer/Makefile b/src/eap_peer/Makefile +--- a/src/eap_peer/Makefile 2012-05-15 08:23:17.152386964 +0000 ++++ b/src/eap_peer/Makefile 2012-05-15 08:23:57.403389760 +0000 @@ -1,11 +1,192 @@ -all: - @echo Nothing to be made. @@ -202,9 +202,9 @@ diff -ur a/wpa_supplicant-2.4/src/eap_peer/Makefile b/wpa_supplicant-2.4/src/eap - install -d $(DESTDIR)$(LIBDIR)/wpa_supplicant && \ - cp *.so $(DESTDIR)$(LIBDIR)/wpa_supplicant \ - ; fi -diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.c b/wpa_supplicant-2.4/src/eap_peer/eap_methods.c ---- a/wpa_supplicant-2.4/src/eap_peer/eap_methods.c 2015-03-15 19:30:39.000000000 -0200 -+++ b/wpa_supplicant-2.4/src/eap_peer/eap_methods.c 2015-04-26 14:39:58.247099942 -0200 +diff -Naurp a/src/eap_peer/eap_methods.c b/src/eap_peer/eap_methods.c +--- a/src/eap_peer/eap_methods.c 2012-05-15 08:23:17.151386999 +0000 ++++ b/src/eap_peer/eap_methods.c 2012-05-15 08:23:57.403389760 +0000 @@ -336,6 +336,120 @@ @@ -326,10 +326,9 @@ diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.c b/wpa_supplicant-2.4/sr * eap_peer_unregister_methods - Unregister EAP peer methods * * This function is called at program termination to unregister all EAP peer -Only in b/wpa_supplicant-2.4/src/eap_peer: eap_methods.c.orig -diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.h b/wpa_supplicant-2.4/src/eap_peer/eap_methods.h ---- a/wpa_supplicant-2.4/src/eap_peer/eap_methods.h 2015-03-15 19:30:39.000000000 -0200 -+++ b/wpa_supplicant-2.4/src/eap_peer/eap_methods.h 2015-04-26 14:39:58.248099929 -0200 +diff -Naurp a/src/eap_peer/eap_methods.h b/src/eap_peer/eap_methods.h +--- a/src/eap_peer/eap_methods.h 2012-05-15 08:23:17.151386999 +0000 ++++ b/src/eap_peer/eap_methods.h 2012-05-15 08:23:57.404389735 +0000 @@ -26,6 +26,7 @@ const char * eap_get_name(int vendor, EapType type); size_t eap_get_names(char *buf, size_t buflen); @@ -338,5 +337,17 @@ diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.h b/wpa_supplicant-2.4/sr void eap_peer_unregister_methods(void); #else /* IEEE8021X_EAPOL */ -Only in b/wpa_supplicant-2.4/src/eap_peer: eap_methods.h.orig -Only in b/wpa_supplicant-2.4/src/eap_peer: libeap0.pc +diff -Naurp a/src/eap_peer/libeap0.pc b/src/eap_peer/libeap0.pc +--- a/src/eap_peer/libeap0.pc 1970-01-01 00:00:00.000000000 +0000 ++++ b/src/eap_peer/libeap0.pc 2012-05-15 08:23:57.404389735 +0000 +@@ -0,0 +1,10 @@ ++prefix=/usr ++exec_prefix=/usr ++libdir=${exec_prefix}/lib ++includedir=${prefix}/include/eap_peer ++ ++Name: libeap0 ++Description: EAP Peer Library API ++Version: 0.7.2 ++Libs: -L${libdir} -leap ++Cflags: -I${includedir} |