Package: wpa / 1.0-3+deb7u3
Metadata
Package | Version | Patches format |
---|---|---|
wpa | 1.0-3+deb7u3 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
01_use_pkg config_for_pcsc lite_module.patch | wpa_supplicant/Makefile 2 1 + 1 - 0 ! | use pkg-config for libpcsclite linkage flags At least in debian, we can rely on pkg-config being available and returning more accurate ldflags. |
02_dbus_group_policy.patch | wpa_supplicant/dbus/dbus-wpa_supplicant.conf 8 8 + 0 - 0 ! | debian does not use pam_console but uses group membership to control access to D-Bus. Activating both options in the conf file makes it work on Debian and Ubuntu. |
06_wpa_gui_menu_exec_path.patch | wpa_supplicant/wpa_gui-qt4/wpa_gui.desktop 2 1 + 1 - 0 ! | debian specific patch to desktop menu entry, so that we may exec wpa_gui which being in /usr/sbin may not be in the PATH |
07_dbus_service_syslog.patch | wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in 2 1 + 1 - 0 ! | tweak d-bus/systemd service activation configuration files: * log wpa_supplicant messages to syslog * activate control socket interface so that wpa_cli can be used by D-Bus activated wpa_supplicant daemon |
11_wpa_gui_ftbfs_gcc_4_7.patch | wpa_supplicant/wpa_gui-qt4/wpagui.cpp 6 1 + 5 - 0 ! | fix ftbfs with gcc/g++ 4.7 |
12_wpa_gui_knotify_support.patch | wpa_supplicant/wpa_gui-qt4/wpagui.cpp 18 16 + 2 - 0 ! | use kde's knotify when running under kde |
13_human_readable_signal.patch | wpa_supplicant/wpa_gui-qt4/scanresults.cpp 4 3 + 1 - 0 ! | display signal strength in dbm with visual indicator in the form of a bar for scan results displayed by wpa_gui-qt4. Any signal > -35dBm is treated as full signal bar, signals between range of -95<->-35dBm are displayed linearly. Convert WEXT signal level value to scale that nl80211 |
libnl3 includes.patch | src/drivers/drivers.mak 2 1 + 1 - 0 ! | --- |
EAP TLS server_fix TLS Message length validation.patch | src/eap_server/eap_server_tls_common.c 8 8 + 0 - 0 ! | eap-tls server: fix tls message length validation |
CVE 2014 3686/0001 Add os_exec helper to run external programs.patch | src/utils/os.h 9 9 + 0 - 0 ! | [patch 1/3] add os_exec() helper to run external programs Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> |
CVE 2014 3686/0002 wpa_cli Use os_exec for action script execution.patch | wpa_supplicant/wpa_cli.c 25 8 + 17 - 0 ! | [patch 2/3] wpa_cli: use os_exec() for action script execution Use os_exec() to run the action script operations to avoid undesired command line processing for control interface event strings. Previously, it could have been possible for some of the event strings to include unsanitized data which is not suitable for system() use. (CVE-2014-3686) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> |
CVE 2014 3686/0003 hostapd_cli Use os_exec for action script execution.patch | hostapd/hostapd_cli.c 25 8 + 17 - 0 ! | [patch 3/3] hostapd_cli: use os_exec() for action script execution Use os_exec() to run the action script operations to avoid undesired command line processing for control interface event strings. Previously, it could have been possible for some of the event strings to include unsanitized data which is not suitable for system() use. (CVE-2014-3686) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> |
wpasupplicant_P2P Validate SSID element length before copying it C.patch | src/p2p/p2p.c 1 1 + 0 - 0 ! | [patch] p2p: validate ssid element length before copying it (CVE-2015-1863) This fixes a possible memcpy overflow for P2P dev->oper_ssid in p2p_add_device(). The length provided by the peer device (0..255 bytes) was used without proper bounds checking and that could have resulted in arbitrary data of up to 223 bytes being written beyond the end of the dev->oper_ssid[] array (of which about 150 bytes would be beyond the heap allocation) when processing a corrupted management frame for P2P peer discovery purposes. This could result in corrupted state in heap, unexpected program behavior due to corrupted P2P peer device information, denial of service due to process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution. Thanks to Google security team for reporting this issue and smart hardware research group of Alibaba security team for discovering it. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> |
2015 2/0001 WPS Fix HTTP chunked transfer encoding parser.patch | src/wps/httpread.c 7 7 + 0 - 0 ! | [patch] wps: fix http chunked transfer encoding parser strtoul() return value may end up overflowing the int h->chunk_size and resulting in a negative value to be stored as the chunk_size. This could result in the following memcpy operation using a very large length argument which would result in a buffer overflow and segmentation fault. This could have been used to cause a denial of service by any device that has been authorized for network access (either wireless or wired). This would affect both the WPS UPnP functionality in a WPS AP (hostapd with upnp_iface parameter set in the configuration) and WPS ER (wpa_supplicant with WPS_ER_START control interface command used). Validate the parsed chunk length value to avoid this. In addition to rejecting negative values, we can also reject chunk size that would be larger than the maximum configured body length. Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue. Signed-off-by: Jouni Malinen <j@w1.fi> |
2015 3/0001 AP WMM Fix integer underflow in WMM Action frame par.patch | src/ap/wmm.c 3 3 + 0 - 0 ! | [patch] ap wmm: fix integer underflow in wmm action frame parser The length of the WMM Action frame was not properly validated and the length of the information elements (int left) could end up being negative. This would result in reading significantly past the stack buffer while parsing the IEs in ieee802_11_parse_elems() and while doing so, resulting in segmentation fault. This can result in an invalid frame being used for a denial of service attack (hostapd process killed) against an AP with a driver that uses hostapd for management frame processing (e.g., all mac80211-based drivers). Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue. Signed-off-by: Jouni Malinen <j@w1.fi> |
2015 4/0001 EAP pwd peer Fix payload length validation for Commi.patch | src/eap_peer/eap_pwd.c 30 30 + 0 - 0 ! | [patch 1/5] eap-pwd peer: fix payload length validation for commit and Confirm The length of the received Commit and Confirm message payloads was not checked before reading them. This could result in a buffer read overflow when processing an invalid message. Fix this by verifying that the payload is of expected length before processing it. In addition, enforce correct state transition sequence to make sure there is no unexpected behavior if receiving a Commit/Confirm message before the previous exchanges have been completed. Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue. Signed-off-by: Jouni Malinen <j@w1.fi> |
2015 4/0002 EAP pwd server Fix payload length validation for Com.patch | src/eap_server/eap_server_pwd.c 20 20 + 0 - 0 ! | [patch 2/5] eap-pwd server: fix payload length validation for commit and Confirm The length of the received Commit and Confirm message payloads was not checked before reading them. This could result in a buffer read overflow when processing an invalid message. Fix this by verifying that the payload is of expected length before processing it. In addition, enforce correct state transition sequence to make sure there is no unexpected behavior if receiving a Commit/Confirm message before the previous exchanges have been completed. Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue. Signed-off-by: Jouni Malinen <j@w1.fi> |
2015 5/0001 NFC Fix payload length validation in NDEF record par.patch | src/wps/ndef.c 5 4 + 1 - 0 ! | [patch] nfc: fix payload length validation in ndef record parser It was possible for the 32-bit record->total_length value to end up wrapping around due to integer overflow if the longer form of payload length field is used and record->payload_length gets a value close to 2^32. This could result in ndef_parse_record() accepting a too large payload length value and the record type filter reading up to about 20 bytes beyond the end of the buffer and potentially killing the process. This could also result in an attempt to allocate close to 2^32 bytes of heap memory and if that were to succeed, a buffer read overflow of the same length which would most likely result in the process termination. In case of record->total_length ending up getting the value 0, there would be no buffer read overflow, but record parsing would result in an infinite loop in ndef_parse_records(). Any of these error cases could potentially be used for denial of service attacks over NFC by using a malformed NDEF record on an NFC Tag or sending them during NFC connection handover if the application providing the NDEF message to hostapd/wpa_supplicant did no validation of the received records. While such validation is likely done in the NFC stack that needs to parse the NFC messages before further processing, hostapd/wpa_supplicant better be prepared for any data being included here. Fix this by validating record->payload_length value in a way that detects integer overflow. (CID 122668) Signed-off-by: Jouni Malinen <j@w1.fi> |