authorBjarke Istrup Pedersen <gurligebis@gentoo.org>2015-05-11 14:53:43 +0000
committerBjarke Istrup Pedersen <gurligebis@gentoo.org>2015-05-11 14:53:43 +0000
commitfd7e0d2997c759e4e483ed42e33ecb1e85b62456 (patch)
tree965d4cf02c343f34a7bda3790ae72d90aa9f743c /net-wireless/wpa_supplicant/files
parentAdding more security patches from bug #548744 (diff)
Adding more security patches from bug #548742 and fixing patch from bug #544036
Package-Manager: portage-2.2.18/cvs/Linux x86_64 Manifest-Sign-Key: 0x15AE484C
Diffstat (limited to 'net-wireless/wpa_supplicant/files')
-rw-r--r--net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch (renamed from net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch)13
-rw-r--r--net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch49
-rw-r--r--net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch41
-rw-r--r--net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch35
4 files changed, 122 insertions, 16 deletions
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch b/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
index e417bf22b3db..de1964ca7697 100644
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch
+++ b/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
@@ -1,7 +1,8 @@
From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Tue, 07 Apr 2015 08:32:11 +0000
-Subject: P2P: Validate SSID element length before copying it (CVE-2015-1863)
+Date: Tue, 7 Apr 2015 11:32:11 +0300
+Subject: [PATCH] P2P: Validate SSID element length before copying it
+ (CVE-2015-1863)
This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
@@ -21,6 +22,9 @@ hardware research group of Alibaba security team for discovering it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
+ src/p2p/p2p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index f584fae..a45fe73 100644
--- a/src/p2p/p2p.c
@@ -33,5 +37,6 @@ index f584fae..a45fe73 100644
(msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
!= 0)) {
---
-cgit v0.9.2
+--
+1.9.1
+
diff --git a/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
new file mode 100644
index 000000000000..36b4ca294699
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
@@ -0,0 +1,49 @@
+From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 28 Apr 2015 17:08:33 +0300
+Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser
+
+strtoul() return value may end up overflowing the int h->chunk_size and
+resulting in a negative value to be stored as the chunk_size. This could
+result in the following memcpy operation using a very large length
+argument which would result in a buffer overflow and segmentation fault.
+
+This could have been used to cause a denial service by any device that
+has been authorized for network access (either wireless or wired). This
+would affect both the WPS UPnP functionality in a WPS AP (hostapd with
+upnp_iface parameter set in the configuration) and WPS ER
+(wpa_supplicant with WPS_ER_START control interface command used).
+
+Validate the parsed chunk length value to avoid this. In addition to
+rejecting negative values, we can also reject chunk size that would be
+larger than the maximum configured body length.
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/wps/httpread.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/wps/httpread.c b/src/wps/httpread.c
+index 2f08f37..d2855e3 100644
+--- a/src/wps/httpread.c
++++ b/src/wps/httpread.c
+@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
+ if (!isxdigit(*cbp))
+ goto bad;
+ h->chunk_size = strtoul(cbp, NULL, 16);
++ if (h->chunk_size < 0 ||
++ h->chunk_size > h->max_bytes) {
++ wpa_printf(MSG_DEBUG,
++ "httpread: Invalid chunk size %d",
++ h->chunk_size);
++ goto bad;
++ }
+ /* throw away chunk header
+ * so we have only real data
+ */
+--
+1.9.1
+
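Review bot: The new range check validates h->chunk_size only after strtoul()'s unsigned long result has already been narrowed into the int field on the preceding line, so it is testing the implementation-defined truncation rather than the parsed value; on an LP64 build a result such as 0x100000001 narrows to 1 and passes, where the intent of the patch is to reject it. Checking the unsigned value before the store removes that dependency: `unsigned long len = strtoul(cbp, NULL, 16);`, `if (len > (unsigned long) h->max_bytes) { ... goto bad; }`, `h->chunk_size = (int) len;` (the existing wpa_printf() in the body stays). The bound against h->max_bytes still caps the length reaching the memcpy the commit message describes, so the memory-safety fix holds as written; this only hardens the same check, and the ERANGE case (ULONG_MAX) is rejected either way. The type of h->max_bytes is not visible here, so the cast assumes it is a non-negative int as its comparison with chunk_size suggests; httpread_read_handler() starts and ends outside the hunk.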
diff --git a/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
new file mode 100644
index 000000000000..79c5af8906fa
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
@@ -0,0 +1,41 @@
+From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Wed, 29 Apr 2015 02:21:53 +0300
+Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
+
+The length of the WMM Action frame was not properly validated and the
+length of the information elements (int left) could end up being
+negative. This would result in reading significantly past the stack
+buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
+so, resulting in segmentation fault.
+
+This can result in an invalid frame being used for a denial of service
+attack (hostapd process killed) against an AP with a driver that uses
+hostapd for management frame processing (e.g., all mac80211-based
+drivers).
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/wmm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/ap/wmm.c b/src/ap/wmm.c
+index 6d4177c..314e244 100644
+--- a/src/ap/wmm.c
++++ b/src/ap/wmm.c
+@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
+ return;
+ }
+
++ if (left < 0)
++ return; /* not a valid WMM Action frame */
++
+ /* extract the tspec info element */
+ if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
+ hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
+--
+1.9.1
+
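Review bot: The added `left < 0` guard returns silently, while the ParseFailed branch immediately below it reports through hostapd_logger(), so a truncated WMM Action frame that trips the new check leaves no trace in the logs and the malformed-frame condition this patch addresses cannot be observed in the field. A debug line before the return would align it with the neighbouring failure path, e.g. `wpa_printf(MSG_DEBUG, "WMM: Ignore truncated WMM Action frame");`. Where `left` is computed is outside the hunk, so whether the length could instead be validated at that point cannot be confirmed from here; hostapd_wmm_action() starts and ends outside the hunk.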
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch
index e66d5d4a2399..6f3605713353 100644
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch
@@ -1,6 +1,6 @@
-diff -ur a/wpa_supplicant-2.4/src/eap_peer/Makefile b/wpa_supplicant-2.4/src/eap_peer/Makefile
---- a/wpa_supplicant-2.4/src/eap_peer/Makefile 2015-03-15 19:30:39.000000000 -0200
-+++ b/wpa_supplicant-2.4/src/eap_peer/Makefile 2015-04-26 14:40:49.987453098 -0200
+diff -Naurp a/src/eap_peer/Makefile b/src/eap_peer/Makefile
+--- a/src/eap_peer/Makefile 2012-05-15 08:23:17.152386964 +0000
++++ b/src/eap_peer/Makefile 2012-05-15 08:23:57.403389760 +0000
@@ -1,11 +1,192 @@
-all:
- @echo Nothing to be made.
@@ -202,9 +202,9 @@ diff -ur a/wpa_supplicant-2.4/src/eap_peer/Makefile b/wpa_supplicant-2.4/src/eap
- install -d $(DESTDIR)$(LIBDIR)/wpa_supplicant && \
- cp *.so $(DESTDIR)$(LIBDIR)/wpa_supplicant \
- ; fi
-diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.c b/wpa_supplicant-2.4/src/eap_peer/eap_methods.c
---- a/wpa_supplicant-2.4/src/eap_peer/eap_methods.c 2015-03-15 19:30:39.000000000 -0200
-+++ b/wpa_supplicant-2.4/src/eap_peer/eap_methods.c 2015-04-26 14:39:58.247099942 -0200
+diff -Naurp a/src/eap_peer/eap_methods.c b/src/eap_peer/eap_methods.c
+--- a/src/eap_peer/eap_methods.c 2012-05-15 08:23:17.151386999 +0000
++++ b/src/eap_peer/eap_methods.c 2012-05-15 08:23:57.403389760 +0000
@@ -336,6 +336,120 @@
@@ -326,10 +326,9 @@ diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.c b/wpa_supplicant-2.4/sr
* eap_peer_unregister_methods - Unregister EAP peer methods
*
* This function is called at program termination to unregister all EAP peer
-Only in b/wpa_supplicant-2.4/src/eap_peer: eap_methods.c.orig
-diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.h b/wpa_supplicant-2.4/src/eap_peer/eap_methods.h
---- a/wpa_supplicant-2.4/src/eap_peer/eap_methods.h 2015-03-15 19:30:39.000000000 -0200
-+++ b/wpa_supplicant-2.4/src/eap_peer/eap_methods.h 2015-04-26 14:39:58.248099929 -0200
+diff -Naurp a/src/eap_peer/eap_methods.h b/src/eap_peer/eap_methods.h
+--- a/src/eap_peer/eap_methods.h 2012-05-15 08:23:17.151386999 +0000
++++ b/src/eap_peer/eap_methods.h 2012-05-15 08:23:57.404389735 +0000
@@ -26,6 +26,7 @@
const char * eap_get_name(int vendor, EapType type);
size_t eap_get_names(char *buf, size_t buflen);
@@ -338,5 +337,17 @@ diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.h b/wpa_supplicant-2.4/sr
void eap_peer_unregister_methods(void);
#else /* IEEE8021X_EAPOL */
-Only in b/wpa_supplicant-2.4/src/eap_peer: eap_methods.h.orig
-Only in b/wpa_supplicant-2.4/src/eap_peer: libeap0.pc
+diff -Naurp a/src/eap_peer/libeap0.pc b/src/eap_peer/libeap0.pc
+--- a/src/eap_peer/libeap0.pc 1970-01-01 00:00:00.000000000 +0000
++++ b/src/eap_peer/libeap0.pc 2012-05-15 08:23:57.404389735 +0000
+@@ -0,0 +1,10 @@
++prefix=/usr
++exec_prefix=/usr
++libdir=${exec_prefix}/lib
++includedir=${prefix}/include/eap_peer
++
++Name: libeap0
++Description: EAP Peer Library API
++Version: 0.7.2
++Libs: -L${libdir} -leap
++Cflags: -I${includedir}