author | Bjarke Istrup Pedersen <gurligebis@gentoo.org> | 2015-05-11 14:53:41 +0000 |
---|---|---|
committer | Bjarke Istrup Pedersen <gurligebis@gentoo.org> | 2015-05-11 14:53:41 +0000 |
commit | 9eaaf26e9d55d8299015240e7f71afb4f50cc07d (patch) | |
tree | 91faac59ce3750c0acafea80c9c836e3b0c2ad63 /net-wireless/wpa_supplicant | |
parent | Adding more security patches from bug #548744 (diff) | |
Adding more security patches from bug #548742 and fixing patch from bug #544036
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 15AE484C)
Diffstat (limited to 'net-wireless/wpa_supplicant')
-rw-r--r-- | net-wireless/wpa_supplicant/ChangeLog | 15 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch (renamed from net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch) | 13 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch | 49 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch | 41 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch | 35 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/wpa_supplicant-2.4-r1.ebuild | 4 | ||||
-rw-r--r-- | net-wireless/wpa_supplicant/wpa_supplicant-2.4-r3.ebuild (renamed from net-wireless/wpa_supplicant/wpa_supplicant-2.4-r2.ebuild) | 7 |
7 files changed, 142 insertions, 22 deletions
diff --git a/net-wireless/wpa_supplicant/ChangeLog b/net-wireless/wpa_supplicant/ChangeLog
index c17cc1e2c129..e78efed15a0b 100644
--- a/net-wireless/wpa_supplicant/ChangeLog
+++ b/net-wireless/wpa_supplicant/ChangeLog
@@ -1,6 +1,19 @@
 # ChangeLog for net-wireless/wpa_supplicant
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-wireless/wpa_supplicant/ChangeLog,v 1.238 2015/05/08 17:58:51 gurligebis Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-wireless/wpa_supplicant/ChangeLog,v 1.239 2015/05/11 14:53:41 gurligebis Exp $
+
+*wpa_supplicant-2.4-r3 (11 May 2015)
+
+ 11 May 2015; <gurligebis@gentoo.org> wpa_supplicant-2.4-r1.ebuild,
+ -wpa_supplicant-2.4-r2.ebuild, +wpa_supplicant-2.4-r3.ebuild, +files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+ , -files/wpa_supplicant-2.4-cve-2015-1863.patch,
+ files/wpa_supplicant-2.4-generate-libeap-peer.patch,
+ +files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch,
+ +files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
+ :
+ Adding more security patches from bug #548742 and fixing patch from bug
+ #544036
 *wpa_supplicant-2.4-r2 (08 May 2015)
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch b/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
index e417bf22b3db..de1964ca7697 100644
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-cve-2015-1863.patch
+++ b/net-wireless/wpa_supplicant/files/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
@@ -1,7 +1,8 @@
 From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Tue, 07 Apr 2015 08:32:11 +0000
-Subject: P2P: Validate SSID element length before copying it (CVE-2015-1863)
+Date: Tue, 7 Apr 2015 11:32:11 +0300
+Subject: [PATCH] P2P: Validate SSID element length before copying it
+ (CVE-2015-1863)
 This fixes a possible memcpy overflow for P2P dev->oper_ssid in
 p2p_add_device(). The length provided by the peer device (0..255 bytes)
@@ -21,6 +22,9 @@ hardware research group of Alibaba security team for discovering it.
 Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
 ---
+ src/p2p/p2p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
 diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
 index f584fae..a45fe73 100644
 --- a/src/p2p/p2p.c
@@ -33,5 +37,6 @@ index f584fae..a45fe73 100644
 (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
 os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) != 0)) {
---
-cgit v0.9.2
+--
+1.9.1
+
diff --git a/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
new file mode 100644
index 000000000000..36b4ca294699
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
@@ -0,0 +1,49 @@
+From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 28 Apr 2015 17:08:33 +0300
+Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser
+
+strtoul() return value may end up overflowing the int h->chunk_size and
+resulting in a negative value to be stored as the chunk_size. This could
+result in the following memcpy operation using a very large length
+argument which would result in a buffer overflow and segmentation fault.
+
+This could have been used to cause a denial service by any device that
+has been authorized for network access (either wireless or wired). This
+would affect both the WPS UPnP functionality in a WPS AP (hostapd with
+upnp_iface parameter set in the configuration) and WPS ER
+(wpa_supplicant with WPS_ER_START control interface command used).
+
+Validate the parsed chunk length value to avoid this. In addition to
+rejecting negative values, we can also reject chunk size that would be
+larger than the maximum configured body length.
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/wps/httpread.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/wps/httpread.c b/src/wps/httpread.c
+index 2f08f37..d2855e3 100644
+--- a/src/wps/httpread.c
++++ b/src/wps/httpread.c
+@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
+ if (!isxdigit(*cbp))
+ goto bad;
+ h->chunk_size = strtoul(cbp, NULL, 16);
++ if (h->chunk_size < 0 ||
++ h->chunk_size > h->max_bytes) {
++ wpa_printf(MSG_DEBUG,
++ "httpread: Invalid chunk size %d",
++ h->chunk_size);
++ goto bad;
++ }
+ /* throw away chunk header
+ * so we have only real data
+ */
+--
+1.9.1
+
diff --git a/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
new file mode 100644
index 000000000000..79c5af8906fa
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
@@ -0,0 +1,41 @@
+From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Wed, 29 Apr 2015 02:21:53 +0300
+Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
+
+The length of the WMM Action frame was not properly validated and the
+length of the information elements (int left) could end up being
+negative. This would result in reading significantly past the stack
+buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
+so, resulting in segmentation fault.
+
+This can result in an invalid frame being used for a denial of service
+attack (hostapd process killed) against an AP with a driver that uses
+hostapd for management frame processing (e.g., all mac80211-based
+drivers).
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/wmm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/ap/wmm.c b/src/ap/wmm.c
+index 6d4177c..314e244 100644
+--- a/src/ap/wmm.c
++++ b/src/ap/wmm.c
+@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
+ return;
+ }
+
++ if (left < 0)
++ return; /* not a valid WMM Action frame */
++
+ /* extract the tspec info element */
+ if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
+ hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
+--
+1.9.1
+
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch
index e66d5d4a2399..6f3605713353 100644
--- a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.4-generate-libeap-peer.patch
@@ -1,6 +1,6 @@
-diff -ur a/wpa_supplicant-2.4/src/eap_peer/Makefile b/wpa_supplicant-2.4/src/eap_peer/Makefile
---- a/wpa_supplicant-2.4/src/eap_peer/Makefile 2015-03-15 19:30:39.000000000 -0200
-+++ b/wpa_supplicant-2.4/src/eap_peer/Makefile 2015-04-26 14:40:49.987453098 -0200
+diff -Naurp a/src/eap_peer/Makefile b/src/eap_peer/Makefile
+--- a/src/eap_peer/Makefile 2012-05-15 08:23:17.152386964 +0000
++++ b/src/eap_peer/Makefile 2012-05-15 08:23:57.403389760 +0000
 @@ -1,11 +1,192 @@
 -all:
 - @echo Nothing to be made.
@@ -202,9 +202,9 @@ diff -ur a/wpa_supplicant-2.4/src/eap_peer/Makefile b/wpa_supplicant-2.4/src/eap
 - install -d $(DESTDIR)$(LIBDIR)/wpa_supplicant && \
 - cp *.so $(DESTDIR)$(LIBDIR)/wpa_supplicant \
 - ; fi
-diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.c b/wpa_supplicant-2.4/src/eap_peer/eap_methods.c
---- a/wpa_supplicant-2.4/src/eap_peer/eap_methods.c 2015-03-15 19:30:39.000000000 -0200
-+++ b/wpa_supplicant-2.4/src/eap_peer/eap_methods.c 2015-04-26 14:39:58.247099942 -0200
+diff -Naurp a/src/eap_peer/eap_methods.c b/src/eap_peer/eap_methods.c
+--- a/src/eap_peer/eap_methods.c 2012-05-15 08:23:17.151386999 +0000
++++ b/src/eap_peer/eap_methods.c 2012-05-15 08:23:57.403389760 +0000
 @@ -336,6 +336,120 @@
@@ -326,10 +326,9 @@ diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.c b/wpa_supplicant-2.4/sr
 * eap_peer_unregister_methods - Unregister EAP peer methods
 *
 * This function is called at program termination to unregister all EAP peer
-Only in b/wpa_supplicant-2.4/src/eap_peer: eap_methods.c.orig
-diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.h b/wpa_supplicant-2.4/src/eap_peer/eap_methods.h
---- a/wpa_supplicant-2.4/src/eap_peer/eap_methods.h 2015-03-15 19:30:39.000000000 -0200
-+++ b/wpa_supplicant-2.4/src/eap_peer/eap_methods.h 2015-04-26 14:39:58.248099929 -0200
+diff -Naurp a/src/eap_peer/eap_methods.h b/src/eap_peer/eap_methods.h
+--- a/src/eap_peer/eap_methods.h 2012-05-15 08:23:17.151386999 +0000
++++ b/src/eap_peer/eap_methods.h 2012-05-15 08:23:57.404389735 +0000
 @@ -26,6 +26,7 @@
 const char * eap_get_name(int vendor, EapType type);
 size_t eap_get_names(char *buf, size_t buflen);
@@ -338,5 +337,17 @@ diff -ur a/wpa_supplicant-2.4/src/eap_peer/eap_methods.h b/wpa_supplicant-2.4/sr
 void eap_peer_unregister_methods(void);
 #else /* IEEE8021X_EAPOL */
-Only in b/wpa_supplicant-2.4/src/eap_peer: eap_methods.h.orig
-Only in b/wpa_supplicant-2.4/src/eap_peer: libeap0.pc
+diff -Naurp a/src/eap_peer/libeap0.pc b/src/eap_peer/libeap0.pc
+--- a/src/eap_peer/libeap0.pc 1970-01-01 00:00:00.000000000 +0000
++++ b/src/eap_peer/libeap0.pc 2012-05-15 08:23:57.404389735 +0000
+@@ -0,0 +1,10 @@
++prefix=/usr
++exec_prefix=/usr
++libdir=${exec_prefix}/lib
++includedir=${prefix}/include/eap_peer
++
++Name: libeap0
++Description: EAP Peer Library API
++Version: 0.7.2
++Libs: -L${libdir} -leap
++Cflags: -I${includedir}
diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r1.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r1.ebuild
index 01f417174fa8..48eb372c972e 100644
--- a/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r1.ebuild
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r1.ebuild,v 1.2 2015/04/27 18:29:34 zerochaos Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r1.ebuild,v 1.3 2015/05/11 14:53:41 gurligebis Exp $
 EAPI=5
@@ -115,7 +115,7 @@ src_prepare() {
 # bug (374089)
 #epatch "${FILESDIR}/${P}-dbus-WPAIE-fix.patch"
- epatch "${FILESDIR}"/wpa_supplicant-2.4-cve-2015-1863.patch
+ epatch "${FILESDIR}/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch"
 }
 src_configure() {
diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r2.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r3.ebuild
index 3f7c873281ed..c451d9e6fd79 100644
--- a/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r2.ebuild
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r3.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r2.ebuild,v 1.1 2015/05/08 17:58:51 gurligebis Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-wireless/wpa_supplicant/wpa_supplicant-2.4-r3.ebuild,v 1.1 2015/05/11 14:53:41 gurligebis Exp $
 EAPI=5
@@ -107,6 +107,9 @@ src_prepare() {
 fi
 # bug (548742)
+ epatch "${FILESDIR}/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch"
+ epatch "${FILESDIR}/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch"
+ epatch "${FILESDIR}/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch"
 epatch "${FILESDIR}/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch"
 epatch "${FILESDIR}/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch"
 epatch "${FILESDIR}/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch"
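Review bot: After the path fix in this hunk, wpa_supplicant-2.4-r1.ebuild still applies only the 2015-1 P2P SSID-length patch (CVE-2015-1863), while the r3 ebuild in the same commit additionally gains the 2015-2 WPS chunked-encoding and 2015-3 WMM underflow fixes. If r1 is intentionally kept in tree (for example as the stable revision), installs built from it remain without those two fixes, which seems worth either stating in a comment next to the epatch line or resolving by carrying the same two epatch lines here. src_prepare() begins outside the hunk, so I cannot tell from this view whether r1 applies anything else from files/.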
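Review bot: The three epatch lines added in the r3 hunk sit under the existing `# bug (548742)` comment, but the first of them is the relocated CVE-2015-1863 fix that the commit message and ChangeLog attribute to bug #544036, so the comment no longer identifies which report each patch belongs to. A one-line comment above the first new epatch would keep the mapping accurate, e.g. `# bug (544036) - CVE-2015-1863, was wpa_supplicant-2.4-cve-2015-1863.patch`, leaving the 2015-2 and 2015-3 lines under the 548742 comment as the message suggests they belong there. The patch file names are the only thing identifying these fixes in the ebuild, so the comment is where a maintainer would look for the CVE id. src_prepare() begins outside the hunk.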
@@ -120,8 +123,6 @@ src_prepare() {
 # SO WOULD BE NICE TO JUST DROP IT, IF IT IS NOT NEEDED.
 # bug (374089)
 #epatch "${FILESDIR}/${P}-dbus-WPAIE-fix.patch"
-
- epatch "${FILESDIR}"/wpa_supplicant-2.4-cve-2015-1863.patch
 }
 src_configure() {