Package: wpa / 1.0-3+deb7u3

Metadata

Package: wpa
Version: 1.0-3+deb7u3
Patches format: 3.0 (quilt)

Patch series

01_use_pkg-config_for_pcsc-lite_module.patch

wpa_supplicant/Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 Use pkg-config for libpcsclite linkage flags
 At least in Debian, we can rely on pkg-config being available and
 returning more accurate ldflags.
02_dbus_group_policy.patch

wpa_supplicant/dbus/dbus-wpa_supplicant.conf | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 Debian does not use pam_console but uses group membership
 to control access to D-Bus. Activating both options in the conf file
 makes it work on Debian and Ubuntu.
06_wpa_gui_menu_exec_path.patch

wpa_supplicant/wpa_gui-qt4/wpa_gui.desktop | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 Debian-specific patch to the desktop menu entry, so that we may exec
 wpa_gui, which, being in /usr/sbin, may not be in the PATH.
07_dbus_service_syslog.patch

wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in | 2 1 + 1 - 0 !
wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in | 2 1 + 1 - 0 !
wpa_supplicant/systemd/wpa_supplicant.service.in | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 Tweak D-Bus/systemd service activation configuration files:
 * log wpa_supplicant messages to syslog
 * activate the control socket interface so that wpa_cli can be used with a
   D-Bus activated wpa_supplicant daemon
11_wpa_gui_ftbfs_gcc_4_7.patch

wpa_supplicant/wpa_gui-qt4/wpagui.cpp | 6 1 + 5 - 0 !
1 file changed, 1 insertion(+), 5 deletions(-)

 Fix FTBFS with gcc/g++ 4.7
12_wpa_gui_knotify_support.patch

wpa_supplicant/wpa_gui-qt4/wpagui.cpp | 18 16 + 2 - 0 !
1 file changed, 16 insertions(+), 2 deletions(-)

 Use KDE's KNotify when running under KDE
13_human_readable_signal.patch

wpa_supplicant/wpa_gui-qt4/scanresults.cpp | 4 3 + 1 - 0 !
wpa_supplicant/wpa_gui-qt4/signalbar.cpp | 64 64 + 0 - 0 !
wpa_supplicant/wpa_gui-qt4/signalbar.h | 34 34 + 0 - 0 !
wpa_supplicant/wpa_gui-qt4/wpa_gui.pro | 2 2 + 0 - 0 !
4 files changed, 103 insertions(+), 1 deletion(-)

 Display signal strength in dBm with a visual indicator in the form
 of a bar for scan results displayed by wpa_gui-qt4. Any signal > -35 dBm is
 treated as a full signal bar; signals in the range -95 to -35 dBm are
 displayed linearly. Convert WEXT signal level value to scale that nl80211
libnl3-includes.patch

src/drivers/drivers.mak | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
EAP-TLS-server_fix-TLS-Message-length-validation.patch

src/eap_server/eap_server_tls_common.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 EAP-TLS server: Fix TLS Message length validation
CVE-2014-3686/0001-Add-os_exec-helper-to-run-external-programs.patch

src/utils/os.h | 9 9 + 0 - 0 !
src/utils/os_unix.c | 55 55 + 0 - 0 !
src/utils/os_win32.c | 6 6 + 0 - 0 !
3 files changed, 70 insertions(+)

 [PATCH 1/3] Add os_exec() helper to run external programs

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

CVE-2014-3686/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch

wpa_supplicant/wpa_cli.c | 25 8 + 17 - 0 !
1 file changed, 8 insertions(+), 17 deletions(-)

 [PATCH 2/3] wpa_cli: Use os_exec() for action script execution

Use os_exec() to run the action script operations to avoid undesired
command line processing for control interface event strings. Previously,
it could have been possible for some of the event strings to include
unsanitized data which is not suitable for system() use. (CVE-2014-3686)

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

CVE-2014-3686/0003-hostapd_cli-Use-os_exec-for-action-script-execution.patch

hostapd/hostapd_cli.c | 25 8 + 17 - 0 !
1 file changed, 8 insertions(+), 17 deletions(-)

 [PATCH 3/3] hostapd_cli: Use os_exec() for action script execution

Use os_exec() to run the action script operations to avoid undesired
command line processing for control interface event strings. Previously,
it could have been possible for some of the event strings to include
unsanitized data which is not suitable for system() use. (CVE-2014-3686)

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
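
The three CVE-2014-3686 patches above replace a system() call with an argv-based exec. The following is an added example of that technique in miniature; it is not the hostap project's os_exec() or the wpa_cli/hostapd_cli code. The helper names build_argv() and safe_exec(), the MAX_ARGS limit, the /bin/echo target and the event text in main() are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * The pre-fix pattern built one string and handed it to system():
 *
 *     snprintf(buf, sizeof(buf), "%s %s %s", action_file, ifname, msg);
 *     system(buf);
 *
 * so shell metacharacters inside the event text (an SSID, for instance) were
 * interpreted by /bin/sh.  Below, the event text is split on spaces into an
 * argv[] vector and passed to execv(), which never consults a shell.
 */
#define MAX_ARGS 10   /* assumed cap on argv[] entries, program included */

/* Split 'arg' on single spaces into argv[1..], with argv[0] = program.
 * 'buf' receives a writable copy that argv[] points into; the caller keeps
 * it alive for as long as argv[] is used.  Returns argc, or -1 if 'arg' is
 * too long or has more than MAX_ARGS - 1 words. */
int build_argv(const char *program, const char *arg,
               char *buf, size_t buflen, char *argv[MAX_ARGS + 1])
{
    int argc = 0;
    char *pos;

    if (strlen(arg) + 1 > buflen)
        return -1;
    strcpy(buf, arg);
    argv[argc++] = (char *) program;

    for (pos = buf; *pos != '\0'; ) {
        char *sp;
        if (argc >= MAX_ARGS)
            return -1;
        argv[argc++] = pos;
        sp = strchr(pos, ' ');
        if (sp == NULL)
            break;
        *sp = '\0';
        pos = sp + 1;
    }
    argv[argc] = NULL;
    return argc;
}

/* Run 'program' with 'arg' as its argument words and wait for it.
 * Returns the child's exit status (127 if exec failed, as a shell would
 * report), or -1 on fork()/waitpid() failure or a bad argument string. */
int safe_exec(const char *program, const char *arg)
{
    char buf[1024];
    char *argv[MAX_ARGS + 1];
    pid_t pid;
    int status;

    if (build_argv(program, arg, buf, sizeof(buf), argv) < 0)
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(program, argv);
        _exit(127);  /* only reached if execv() itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed event text of the kind an attacker-chosen SSID could put
     * into a CTRL-EVENT line.  Through system() the $(id) would execute;
     * through execv() it is just bytes inside argv[4]. */
    const char *event = "wlan0 CONNECTED - ssid=$(id) completed";
    int rc = safe_exec("/bin/echo", event);
    printf("action script exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The split is deliberately dumb (single spaces only, no quoting), which is the point: the action script receives the event text as literal argument words and nothing in it is ever evaluated. A script that wants to be careful should still treat those arguments as untrusted data.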

wpasupplicant_P2P-Validate-SSID-element-length-before-copying-it-C.patch

src/p2p/p2p.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [PATCH] P2P: Validate SSID element length before copying it
 (CVE-2015-1863)

This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.

This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.

Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch

src/wps/httpread.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 [PATCH] WPS: Fix HTTP chunked transfer encoding parser

strtoul() return value may end up overflowing the int h->chunk_size and
resulting in a negative value to be stored as the chunk_size. This could
result in the following memcpy operation using a very large length
argument which would result in a buffer overflow and segmentation fault.

This could have been used to cause a denial of service by any device that
has been authorized for network access (either wireless or wired). This
would affect both the WPS UPnP functionality in a WPS AP (hostapd with
upnp_iface parameter set in the configuration) and WPS ER
(wpa_supplicant with WPS_ER_START control interface command used).

Validate the parsed chunk length value to avoid this. In addition to
rejecting negative values, we can also reject chunk size that would be
larger than the maximum configured body length.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
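
What the fixed chunk-size parsing has to do, as an added example that is not the code in src/wps/httpread.c: the function names parse_chunk_size() and parse_chunk_size_prefix(), the CHUNK_REJECT value and the 64 KiB max_body used in main() are names and values chosen for this example, not hostapd's.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CHUNK_REJECT (-1)

/* The pre-fix pattern: strtoul() into an int with no range check.  For
 * "ffffffff" (or "-1", which strtoul() happily negates) this stores a
 * negative chunk_size, and the memcpy() that follows is handed that value
 * as a huge size_t. */
int parse_chunk_size_prefix(const char *line)
{
    int chunk_size = strtoul(line, NULL, 16);
    return chunk_size;
}

/* Hardened version: parse the size line of a chunked body ("1a\r\n" or
 * "1a;ext=val\r\n").  'max_body' is the largest body the receiver has room
 * for.  Returns 0 and stores the size, or CHUNK_REJECT. */
int parse_chunk_size(const char *line, size_t max_body, size_t *chunk_size)
{
    unsigned long v;
    char *end;

    /* strtoul() accepts leading whitespace and a '-' sign, so insist on a
     * hex digit in the first position. */
    if (!isxdigit((unsigned char) line[0]))
        return CHUNK_REJECT;

    errno = 0;
    v = strtoul(line, &end, 16);
    if (errno == ERANGE || end == line)
        return CHUNK_REJECT;              /* overflowed unsigned long */

    /* Only a chunk extension or the line terminator may follow the digits. */
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return CHUNK_REJECT;

    /* Unsigned and bounded by the buffer: it cannot go negative when stored
     * and cannot exceed the allocation the body is copied into. */
    if (v > max_body)
        return CHUNK_REJECT;

    *chunk_size = (size_t) v;
    return 0;
}

int main(void)
{
    /* Constructed chunk-size lines, including the overflow cases. */
    const char *lines[] = { "1a", "1a;ext=1", "0", "ffffffff", "-1", "zz" };
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        size_t n;
        if (parse_chunk_size(lines[i], 65536, &n) == 0)
            printf("%-10s accepted: %zu bytes\n", lines[i], n);
        else
            printf("%-10s rejected (pre-fix int would be %d)\n",
                   lines[i], parse_chunk_size_prefix(lines[i]));
    }
    return 0;
}
```

The two checks that matter are the ERANGE test (the digits did not even fit an unsigned long) and the comparison against max_body; the signed int never appears, so there is no negative value for a later memcpy() to widen.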

2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch

src/ap/wmm.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser

The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.

This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
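
The length discipline behind this WMM fix and the earlier P2P SSID fix (CVE-2015-1863) is the same: check the fixed header before subtracting it, check every element against the bytes that remain, and bound a peer-supplied length before copying into a fixed array. The following is an added example of both, not hostapd's wmm.c, p2p.c or ieee802_11_parse_elems(): the 4-byte action header layout, the function names, the 32-byte SSID limit and all frame bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACTION_HDR_LEN 4   /* assumed: category, action, dialog token, status */
#define WLAN_EID_SSID  0
#define SSID_MAX_LEN   32

struct parsed_elems {
    const uint8_t *ssid;
    size_t ssid_len;
    int n_elems;
};

/* Pre-fix arithmetic from the WMM advisory: a signed 'left' goes negative
 * for a frame shorter than the header, then becomes a huge size_t when it
 * reaches the element parser.  Returned here to show the value, not used. */
size_t wmm_left_unchecked(size_t frame_len)
{
    int left = (int) frame_len - ACTION_HDR_LEN;
    return (size_t) left;
}

/* Walk the IE list (1-byte ID, 1-byte length, data).  Every header and body
 * is checked against the bytes remaining, so a lying length byte can only
 * cause a reject, never a read past 'len'.  Returns the count or -1. */
int parse_elems(const uint8_t *buf, size_t len, struct parsed_elems *out)
{
    struct parsed_elems pe = { NULL, 0, 0 };
    size_t pos = 0;

    while (pos < len) {
        uint8_t id, elen;
        if (len - pos < 2)
            return -1;                    /* truncated element header */
        id = buf[pos];
        elen = buf[pos + 1];
        if (elen > len - pos - 2)
            return -1;                    /* element body overruns frame */
        if (id == WLAN_EID_SSID) {
            pe.ssid = buf + pos + 2;
            pe.ssid_len = elen;
        }
        pe.n_elems++;
        pos += 2 + elen;
    }
    if (out)
        *out = pe;
    return pe.n_elems;
}

/* The missing check: refuse the frame before the subtraction can go negative. */
int handle_action_frame(const uint8_t *frame, size_t frame_len,
                        struct parsed_elems *out)
{
    if (frame_len < ACTION_HDR_LEN)
        return -1;
    return parse_elems(frame + ACTION_HDR_LEN, frame_len - ACTION_HDR_LEN, out);
}

/* The P2P case: the SSID element's length is peer-chosen (0..255) but the
 * destination is a fixed 32-byte array, so bound it before memcpy().
 * Returns the copied length, or -1 if absent, malformed or too long. */
int extract_ssid(const uint8_t *frame, size_t frame_len, uint8_t dst[SSID_MAX_LEN])
{
    struct parsed_elems pe;
    if (handle_action_frame(frame, frame_len, &pe) < 0 || pe.ssid == NULL)
        return -1;
    if (pe.ssid_len > SSID_MAX_LEN)
        return -1;
    memcpy(dst, pe.ssid, pe.ssid_len);
    return (int) pe.ssid_len;
}

/* Constructed frames: header, SSID "p2p-x", then a 2-byte vendor IE. */
const uint8_t FRAME_OK[] = { 0x11, 0x00, 0x01, 0x00,
                             0x00, 0x05, 'p', '2', 'p', '-', 'x',
                             0xdd, 0x02, 0xaa, 0xbb };
/* Shorter than the header: the pre-fix 'left' would be -2. */
const uint8_t FRAME_SHORT[] = { 0x11, 0x00 };
/* Length byte claims 64 bytes of SSID; one byte follows. */
const uint8_t FRAME_OVERRUN[] = { 0x11, 0x00, 0x01, 0x00, 0x00, 0x40, 'a' };

/* A 40-byte SSID that is complete on the wire but too long for dst. */
int demo_long_ssid(void)
{
    uint8_t frame[ACTION_HDR_LEN + 2 + 40], ssid[SSID_MAX_LEN];
    memset(frame, 0, sizeof(frame));
    frame[ACTION_HDR_LEN] = WLAN_EID_SSID;
    frame[ACTION_HDR_LEN + 1] = 40;
    memset(frame + ACTION_HDR_LEN + 2, 'A', 40);
    return extract_ssid(frame, sizeof(frame), ssid);
}

int main(void)
{
    uint8_t ssid[SSID_MAX_LEN];
    printf("unchecked 'left' for a 2-byte frame: %zu\n", wmm_left_unchecked(2));
    printf("ok=%d short=%d overrun=%d ssid_len=%d long_ssid=%d\n",
           handle_action_frame(FRAME_OK, sizeof(FRAME_OK), NULL),
           handle_action_frame(FRAME_SHORT, sizeof(FRAME_SHORT), NULL),
           handle_action_frame(FRAME_OVERRUN, sizeof(FRAME_OVERRUN), NULL),
           extract_ssid(FRAME_OK, sizeof(FRAME_OK), ssid), demo_long_ssid());
    return 0;
}
```

Note that the remaining-length checks are written as `elen > len - pos - 2` after confirming `len - pos >= 2`, so the subtraction itself can never underflow; that ordering is what keeps unsigned arithmetic honest in a parser.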

2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch

src/eap_peer/eap_pwd.c | 30 30 + 0 - 0 !
1 file changed, 30 insertions(+)

 [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit
 and Confirm

The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.

Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>

2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch

src/eap_server/eap_server_pwd.c | 20 20 + 0 - 0 !
1 file changed, 20 insertions(+)

 [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit
 and Confirm

The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.

Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>

2015-5/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch

src/wps/ndef.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [PATCH] NFC: Fix payload length validation in NDEF record parser

It was possible for the 32-bit record->total_length value to end up
wrapping around due to integer overflow if the longer form of payload
length field is used and record->payload_length gets a value close to
2^32. This could result in ndef_parse_record() accepting a too large
payload length value and the record type filter reading up to about 20
bytes beyond the end of the buffer and potentially killing the process.
This could also result in an attempt to allocate close to 2^32 bytes of
heap memory and if that were to succeed, a buffer read overflow of the
same length which would most likely result in the process termination.
In case of record->total_length ending up getting the value 0, there
would be no buffer read overflow, but record parsing would result in an
infinite loop in ndef_parse_records().

Any of these error cases could potentially be used for denial of service
attacks over NFC by using a malformed NDEF record on an NFC Tag or
sending them during NFC connection handover if the application providing
the NDEF message to hostapd/wpa_supplicant did no validation of the
received records. While such validation is likely done in the NFC stack
that needs to parse the NFC messages before further processing,
hostapd/wpa_supplicant better be prepared for any data being included
here.

Fix this by validating record->payload_length value in a way that
detects integer overflow. (CID 122668)

Signed-off-by: Jouni Malinen <j@w1.fi>
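
The overflow described above comes from summing the header, type, ID and payload lengths into one 32-bit total before comparing it with the buffer. The following is an added example of an NDEF record walker that compares each length against what remains instead, so the check cannot wrap; it is not the parser in src/wps/ndef.c. The flag layout (MB/ME/CF/SR/IL/TNF in the first byte, 1-byte type length, 1- or 4-byte payload length, optional ID length) is the standard NDEF record header; the function names and the record bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NDEF_ME 0x40        /* message end */
#define NDEF_SR 0x10        /* short record: 1-byte payload length */
#define NDEF_IL 0x08        /* ID length field present */

struct ndef_record {
    uint8_t tnf;
    const uint8_t *type, *id, *payload;
    uint32_t type_length, id_length, payload_length;
    size_t total_length;    /* bytes this record occupies in the buffer */
    int last;               /* ME flag */
};

/* The pre-fix sum from the advisory in 32-bit arithmetic: with payload_length
 * near 2^32 it wraps small, and a 4 GiB payload appears to fit a tiny buffer. */
uint32_t ndef_total_length_prefix(uint32_t header, uint32_t type_length,
                                  uint32_t id_length, uint32_t payload_length)
{
    return header + type_length + id_length + payload_length;
}

/* Parse one record.  Each length is compared against what remains ('len -
 * pos') instead of being summed, so the check cannot wrap.  0 or -1. */
int ndef_parse_record(const uint8_t *buf, size_t len, struct ndef_record *rec)
{
    size_t pos = 2;
    uint8_t flags;

    memset(rec, 0, sizeof(*rec));
    if (len < 2)
        return -1;
    flags = buf[0];
    rec->tnf = flags & 0x07;
    rec->last = (flags & NDEF_ME) != 0;
    rec->type_length = buf[1];

    if (flags & NDEF_SR) {
        if (len - pos < 1)
            return -1;
        rec->payload_length = buf[pos++];
    } else {
        if (len - pos < 4)
            return -1;
        rec->payload_length = ((uint32_t) buf[pos] << 24) |
                              ((uint32_t) buf[pos + 1] << 16) |
                              ((uint32_t) buf[pos + 2] << 8) | buf[pos + 3];
        pos += 4;
    }
    if (flags & NDEF_IL) {
        if (len - pos < 1)
            return -1;
        rec->id_length = buf[pos++];
    }
    if (rec->type_length > len - pos)
        return -1;
    rec->type = buf + pos;
    pos += rec->type_length;
    if (rec->id_length > len - pos)
        return -1;
    rec->id = buf + pos;
    pos += rec->id_length;
    if (rec->payload_length > len - pos)
        return -1;                        /* the overflow-proof check */
    rec->payload = buf + pos;
    rec->total_length = pos + rec->payload_length;   /* always >= 2 */
    return 0;
}

/* Walk a message.  Returns the record count, or -1 on a malformed record.
 * The zero-progress guard covers the infinite loop the advisory mentions. */
int ndef_count_records(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        struct ndef_record rec;
        if (ndef_parse_record(buf + pos, len - pos, &rec) < 0 || rec.total_length == 0)
            return -1;
        pos += rec.total_length;
        count++;
        if (rec.last)
            break;
    }
    return count;
}

/* Constructed records.  MB|ME|SR, TNF=1, type "T", payload "hello": */
const uint8_t NDEF_OK[] = { 0xD1, 0x01, 0x05, 'T', 'h', 'e', 'l', 'l', 'o' };
/* Long-form payload length 0xFFFFFFFA with two payload bytes present: */
const uint8_t NDEF_HUGE[] = { 0xC1, 0x01, 0xFF, 0xFF, 0xFF, 0xFA, 'T', 'x', 'y' };
/* Claims five payload bytes, carries one: */
const uint8_t NDEF_TRUNC[] = { 0xD1, 0x01, 0x05, 'T', 'h' };
/* Two short records, MB|SR then ME|SR: */
const uint8_t NDEF_TWO[] = { 0x91, 0x01, 0x05, 'T', 'h', 'e', 'l', 'l', 'o',
                             0x51, 0x01, 0x02, 'U', 'a', 'b' };

int main(void)
{
    printf("pre-fix total for payload 0xFFFFFFFA: %u\n",
           (unsigned) ndef_total_length_prefix(6, 1, 0, 0xFFFFFFFAu));
    printf("ok=%d huge=%d trunc=%d two=%d\n",
           ndef_count_records(NDEF_OK, sizeof(NDEF_OK)),
           ndef_count_records(NDEF_HUGE, sizeof(NDEF_HUGE)),
           ndef_count_records(NDEF_TRUNC, sizeof(NDEF_TRUNC)),
           ndef_count_records(NDEF_TWO, sizeof(NDEF_TWO)));
    return 0;
}
```

For NDEF_HUGE the pre-fix sum 6 + 1 + 0 + 0xFFFFFFFA wraps to 1, which would pass a `total_length <= len` test; the subtraction form rejects the record because 0xFFFFFFFA is larger than the two bytes left. The same "compare against remaining" shape is the one to reach for in any TLV parser with a wide length field.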