Adding more security patches from bug #548744

Package-Manager: portage-2.2.18/cvs/Linux x86_64
Manifest-Sign-Key: 0x15AE484C

5 files changed, 110 insertions, 7 deletions

diff --git a/net-wireless/hostapd/ChangeLog b/net-wireless/hostapd/ChangeLog
index 34e9edf6d40f..6805797eba08 100644
--- a/net-wireless/hostapd/ChangeLog
+++ b/net-wireless/hostapd/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for net-wireless/hostapd
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/ChangeLog,v 1.155 2015/05/08 18:14:59 gurligebis Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/ChangeLog,v 1.156 2015/05/11 14:47:56 gurligebis Exp $
+
+*hostapd-2.4-r2 (11 May 2015)
+
+  11 May 2015; <gurligebis@gentoo.org> -hostapd-2.4-r1.ebuild,
+  +hostapd-2.4-r2.ebuild,
+  +files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch,
+  +files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
+  :
+  Adding more security patches from bug #548744
 
 *hostapd-2.4-r1 (08 May 2015)
 
diff --git a/net-wireless/hostapd/Manifest b/net-wireless/hostapd/Manifest
index e3d414382f91..a48c5920facb 100644
--- a/net-wireless/hostapd/Manifest
+++ b/net-wireless/hostapd/Manifest
@@ -1,6 +1,8 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256
 
+AUX 2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch 1832 SHA256 eb63d845fdc38b6310c527ad1705b6fe3b74f90e263188da2aca97468cc55142 SHA512 4633a96a91e151407e4c62b74b4e78d37e4fba586278c6ae4340ce149bee0c644a4d62675256839c3130374a4dc7531beaeed8282946e7dcd3faf1ed74bf99be WHIRLPOOL 731f2f67a42045075cfeba3af5e9dd96a8b9d99849a8e3c124a636a9708796a7e381a1a4cf59494a84d291836d19710d430a4cb4ea446518db7094519ef0ef21
+AUX 2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch 1381 SHA256 cc6c488afab4ccfdaedd9e224989b5fe713d6b0415ea94579190bd8ba60c9be5 SHA512 dc561d90f3f329ebb201abbb53eea161603fb2abba6b2fc5c79298d97c84f2d65d401608cd7bb2fb82abf909661c56699bf4bcbf902f6f8c7d5b1853b0277353 WHIRLPOOL 7f7d44f5f6a457e481a6ec8dadf11469899a5cc14699e6b0fa609c35994abea08685f827a1fe05ffc07a29e90acffa8e98e7eb8f29e3d1426df6e0bba43c75a6
 AUX 2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 2410 SHA256 a204bc37f52e5346780a306c01706689eb46263dedcdcb1eb2f4c0b291a0db93 SHA512 9440f8d9d18d20b95d236c1a4467d86dfbbc17d8f26b0caa48d6737c6231d1ff14793c6fc8a1e4508f3ad38c9a5d710fd49b85c7de16634dbe6685af05f44f7c WHIRLPOOL 815f07465f0bab5a0de6e1e91dd2c54062d5501f1657b06142936bbdbdf57103932e896f3fe659aa2ee20fe0f2659736273a5e9e19ac9d4028306c6f23dd37cb
 AUX 2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 2359 SHA256 298fc3b89f987922fb2600d0c95e8c868d6da30d24643748afd47bcd30da7b44 SHA512 0887017bfdb4632baa49bb849b732eed7eec9a498247fdd5ef8448e4a6df10380c06d68fa706e0b2624c04eb6f5a327cdb71c5c71c3476dc383f889ee7372702 WHIRLPOOL 057d7d38734cd323bb0df957ff7bb719ba8b7ccd885bbb85114bfa348363a3e7f752e3b652e22969616ae812444edbe8fceb7b62bd500d69d3bcb44d146a10a4
 AUX 2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 1859 SHA256 2fd42fb53be793c54343aa18a84afebe4603aa6ce8b6969ad6b3a8d327c6b142 SHA512 341901aa94c44ae725b6d4dddac2a52b6457234189554fc282c9cf5fa0254125d7323553a7b8118f9a3e2020f039267ed4c912f84ac6f2cb12670b40c28ac652 WHIRLPOOL 3e3b4cab765f373713fc41448ef65e8931a83449438fb7a8e3ab0a34c728a4a5772f996a04ee4b747b292044b1452a0821609e419a15dd681c70c063a125dcc0
@@ -14,13 +16,13 @@ AUX hostapd.service 213 SHA256 16f0612c192fb5d7e7de716f25fdfc2ccecc35a00ff745ae6
 DIST hostapd-2.0.tar.gz 1376203 SHA256 262ce394b930bccc3d65fb99ee380f28d36444978f524c845a98e8e29f4e9d35 SHA512 25fddaaddb22903078cfaae29a1e955b60955f9f5542b52962a6a8d4c65146ca102e9ac085118ce422843c55349a74a019220dfd4926895e301d506dbc97b967 WHIRLPOOL e5ae2e760770d2f307b1c4235c9b0c9d25e1719a1d174efa30ce6bbbc07b5c46d5f7babc087b8f450f3b485fb640728ddd23761fb292bcd535ef38dc10ac1d45
 DIST hostapd-2.4.tar.gz 1658872 SHA256 6fe0eb6bd1c9cbd24952ece8586b6f7bd14ab358edfda99794e79b9b9dbd657f SHA512 37e648fe9cce92923ab1d1e23a4267e274c988785d7be5610f1affca425ffa86b438de81e37446926a0f9158d6b67ee83e6396c3f81d571545c973dddbf1ffe3 WHIRLPOOL 78484c7e09725ba967c8815c3d8b0ffcc0c56daaec4acc79bc15c7392084c8642a2b41156b2c6a6360badb7e9d23792699d452fe600b56e3d62dd569188b6c2c
 EBUILD hostapd-2.0-r1.ebuild 5283 SHA256 91a76c256b5b27043f159cbe40534e6b487751bc63c593aca55a298088541836 SHA512 ac30eaeb3754e77916a0f7f75124324f2e424af3e0e50ea1381ce0c9e2127d568f040f14dce21b877840721d12dae20e42119b26d3cce847976c41c48286a484 WHIRLPOOL afcdc6ce3ed32b1223716fea94b04f4ac6a18c6a1bacbfb1b92f2bcf9e733584454fa27b20287faf9d7a5fb70f0c9e988924d9c20608c763dff01ad2870ef7d5
-EBUILD hostapd-2.4-r1.ebuild 5943 SHA256 1b6ee3baf7a763722b61770dbcb8419a13a3769db3de8ecef970be5c0f5b43a4 SHA512 3e30931168475137475b44f73fa2fc9671da7c3dd7f798a9a43b1ebfa3fe3d58cd345082a1a284be5ceb88da867799c26cbd1dda8d1ccbf19cb5f73fc76d1fe3 WHIRLPOOL 303da4b98fb3b2ebe3af341c93de8f3291e18fa65283938884dca90257f2ed3557b195033aa8817825ec31a9f0d56671e15b09566808fb34b6eb6d7a33c5dc2c
-MISC ChangeLog 27474 SHA256 f6559ea5c626a3b05100832dd5f438ccbc025dd15736104dffcd84cd6c4e0259 SHA512 2e1cf8b3935283550925f9af9164b0aea430c10f15b32420bdb9335351c800af05416b210a16e730e816c6317d75e44092461c05475845677fbe5fd656ba3d24 WHIRLPOOL cfd89e501dd8437b4472c970c7da00b3c23b65ea880513baad4fa70b5303125a2e54a61d4647f3775c06259e8ec74475991a49f0aa321ffd7a4d2648b2ec4476
+EBUILD hostapd-2.4-r2.ebuild 6122 SHA256 7d63f6f3b724efbc306eb029ee3b87c66846b6920ae405b26516819ad707f453 SHA512 4707a52411f52d453aaecc9527c924e2d1b4e83cac6b4a79b2c7de7ff34e2156a84fc7c3d35716327ae6e962e45ae67f256c81f2b3a59cb6e27a485d05be0115 WHIRLPOOL cab84355bec0cf170ae56bf9acff38287cb7832d3bd6dc5cc805d6b416dd4ec6e6fdb55b7399ca679c3a73d63faf0cfd0be2a42a8152fd19e5f27dfeb871503e
+MISC ChangeLog 27801 SHA256 06fd670553c7b6630a843931ab48200ba2c4a6e0d4b95a7f3eddd1dbff31bb05 SHA512 61e84641bca761ebd1435981b8c6dcdb78bcec8b8daaba1280031282fed83e56222451858852d79c2f4b59dff2bef08b557f7d60e8510de46eb7ad069d8ba097 WHIRLPOOL f3f7b3422985de2846dd62b205d365fe1508e4259490a88d25eed4ac2cd6ac4e5e595c22ddf4fccd2ff54bd51c27762d196558c2d228b1cd140e933b8bca5dca
 MISC metadata.xml 860 SHA256 61963f6bf5911c90a644c8fd09477b1ceb5f7617e2f9521517d88b899e0021f0 SHA512 6706de2fdcadc5f7619cf2a42d349a5061a8fa1c7fa00c05bac0fe14583d6b5d99211e697c5255957f315c0de66dd10fbff6e450516321511e3fa7c9e4439d6b WHIRLPOOL dcdf07c188a486c59edd7d055f446575cf5162b06dc83a99fc60f2d261532a3f3e0438dbe9b8c3213913bef443898f79a5b61022fe6d6a9cd6d360bab2057fd4
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
-iEYEAREIAAYFAlVM/SQACgkQsR7PQhRXYEnv0ACeJTlrkOz/7b7fCZX6acjgDjdH
-z28An1iYzWfBUCtPAor7oEseFlEQcUAN
-=rImv
+iEYEAREIAAYFAlVQwR0ACgkQsR7PQhRXYEkY9gCeMyWT6Ua+IzEBCEt0gDK5k9Vt
+pLQAn2wIPZ7UfIx/UMFjnAvR8Tj8Immu
+=4Qzo
 -----END PGP SIGNATURE-----
diff --git a/net-wireless/hostapd/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/net-wireless/hostapd/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
new file mode 100644
index 000000000000..36b4ca294699
--- /dev/null
+++ b/net-wireless/hostapd/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
@@ -0,0 +1,49 @@
+From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 28 Apr 2015 17:08:33 +0300
+Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser
+
+strtoul() return value may end up overflowing the int h->chunk_size and
+resulting in a negative value to be stored as the chunk_size. This could
+result in the following memcpy operation using a very large length
+argument which would result in a buffer overflow and segmentation fault.
+
+This could have been used to cause a denial service by any device that
+has been authorized for network access (either wireless or wired). This
+would affect both the WPS UPnP functionality in a WPS AP (hostapd with
+upnp_iface parameter set in the configuration) and WPS ER
+(wpa_supplicant with WPS_ER_START control interface command used).
+
+Validate the parsed chunk length value to avoid this. In addition to
+rejecting negative values, we can also reject chunk size that would be
+larger than the maximum configured body length.
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/wps/httpread.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/wps/httpread.c b/src/wps/httpread.c
+index 2f08f37..d2855e3 100644
+--- a/src/wps/httpread.c
++++ b/src/wps/httpread.c
+@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
+ 					if (!isxdigit(*cbp))
+ 						goto bad;
+ 					h->chunk_size = strtoul(cbp, NULL, 16);
++					if (h->chunk_size < 0 ||
++					    h->chunk_size > h->max_bytes) {
++						wpa_printf(MSG_DEBUG,
++							   "httpread: Invalid chunk size %d",
++							   h->chunk_size);
++						goto bad;
++					}
+ 					/* throw away chunk header
+ 					 * so we have only real data
+ 					 */
+-- 
+1.9.1
+
diff --git a/net-wireless/hostapd/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/net-wireless/hostapd/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
new file mode 100644
index 000000000000..79c5af8906fa
--- /dev/null
+++ b/net-wireless/hostapd/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
@@ -0,0 +1,41 @@
+From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Wed, 29 Apr 2015 02:21:53 +0300
+Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
+
+The length of the WMM Action frame was not properly validated and the
+length of the information elements (int left) could end up being
+negative. This would result in reading significantly past the stack
+buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
+so, resulting in segmentation fault.
+
+This can result in an invalid frame being used for a denial of service
+attack (hostapd process killed) against an AP with a driver that uses
+hostapd for management frame processing (e.g., all mac80211-based
+drivers).
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/wmm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/ap/wmm.c b/src/ap/wmm.c
+index 6d4177c..314e244 100644
+--- a/src/ap/wmm.c
++++ b/src/ap/wmm.c
+@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
+ 		return;
+ 	}
+ 
++	if (left < 0)
++		return; /* not a valid WMM Action frame */
++
+ 	/* extract the tspec info element */
+ 	if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
+ 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
+-- 
+1.9.1
+
diff --git a/net-wireless/hostapd/hostapd-2.4-r1.ebuild b/net-wireless/hostapd/hostapd-2.4-r2.ebuild
index f8ff714f196f..536b30e49195 100644
--- a/net-wireless/hostapd/hostapd-2.4-r1.ebuild
+++ b/net-wireless/hostapd/hostapd-2.4-r2.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/hostapd-2.4-r1.ebuild,v 1.1 2015/05/08 18:14:59 gurligebis Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/hostapd-2.4-r2.ebuild,v 1.1 2015/05/11 14:47:56 gurligebis Exp $
 
 EAPI="4"
 
@@ -31,6 +31,8 @@ src_prepare() {
 	cd ..
 
 	# bug (548744)
+	epatch "${FILESDIR}/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch"
+	epatch "${FILESDIR}/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch"
 	epatch "${FILESDIR}/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch"
 	epatch "${FILESDIR}/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch"
 	epatch "${FILESDIR}/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch"