From 1ee765c85c5b9b465689dc6cedaf5579eccab8502495f76273d580e65538ddaf Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Thu, 7 May 2015 21:29:29 +0000
Subject: [PATCH 1/2] Accepting request 299064 from home:stroeder:branches:Base:System
Update to 2.4. Please review carefully. I'm not sure whether the security fix 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch is really needed. But hostapd-2.4/src/ contains the whole wpa_supplicant code and I wanted to be sure.
OBS-URL: https://build.opensuse.org/request/show/299064
OBS-URL: https://build.opensuse.org/package/show/Base:System/hostapd?expand=0&rev=31
---
 ...D-element-length-before-copying-it-C.patch | 42 ++++++++++++++
 hostapd-2.3.tar.gz | 3 -
 ...onfig.patch => hostapd-2.4-defconfig.patch | 20 +++----
 hostapd-2.4.tar.gz | 3 +
 hostapd.changes | 55 +++++++++++++++++++
 hostapd.spec | 13 +++--
 6 files changed, 119 insertions(+), 17 deletions(-)
 create mode 100644 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
 delete mode 100644 hostapd-2.3.tar.gz
 rename hostapd-2.3-defconfig.patch => hostapd-2.4-defconfig.patch (92%)
 create mode 100644 hostapd-2.4.tar.gz
diff --git a/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
new file mode 100644
index 0000000..ccb2d2e
--- /dev/null
+++ b/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
@@ -0,0 +1,42 @@
+From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Tue, 7 Apr 2015 11:32:11 +0300
+Subject: [PATCH] P2P: Validate SSID element length before copying it
+ (CVE-2015-1863)
+
+This fixes a possible memcpy overflow for P2P dev->oper_ssid in
+p2p_add_device(). The length provided by the peer device (0..255 bytes)
+was used without proper bounds checking and that could have resulted in
+arbitrary data of up to 223 bytes being written beyond the end of the
+dev->oper_ssid[] array (of which about 150 bytes would be beyond the
+heap allocation) when processing a corrupted management frame for P2P
+peer discovery purposes.
+
+This could result in corrupted state in heap, unexpected program
+behavior due to corrupted P2P peer device information, denial of service
+due to process crash, exposure of memory contents during GO Negotiation,
+and potentially arbitrary code execution.
+
+Thanks to Google security team for reporting this issue and smart
+hardware research group of Alibaba security team for discovering it.
+
+Signed-off-by: Jouni Malinen
+---
+ src/p2p/p2p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index f584fae..a45fe73 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
+ if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
+ os_memcpy(dev->interface_addr, addr, ETH_ALEN);
+ if (msg.ssid &&
++ msg.ssid[1] <= sizeof(dev->oper_ssid) &&
+ (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
+ os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
+ != 0)) {
+--
+1.9.1
+
diff --git a/hostapd-2.3.tar.gz b/hostapd-2.3.tar.gz
deleted file mode 100644
index d5dbd33..0000000
--- a/hostapd-2.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c94c2b76876fad4c80a1063a06f958a2189ba5003475016fa7658a1ca49bb4df
-size 1592480
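Review bot: The request description's doubt about whether this patch is still needed can be settled from the dates in this hunk: the upstream fix is dated Tue, 7 Apr 2015, while the 2.4 release the package moves to is dated 2015-03-15 in hostapd.changes, so the tarball cannot already contain it. What the page does not show is whether this build compiles src/p2p/p2p.c at all; P2P is a wpa_supplicant-side feature, so for hostapd the patch is presumably inert but harmless, and applying it avoids leaving a known-bad p2p_add_device() in the shipped source tree. The added guard `msg.ssid[1] <= sizeof(dev->oper_ssid)` is the upstream one-liner and only bounds correctly because oper_ssid is a fixed-size array (as the description says), not a pointer. p2p_add_device()'s body starts and ends outside the hunk.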
diff --git a/hostapd-2.3-defconfig.patch b/hostapd-2.4-defconfig.patch similarity index 92% rename from hostapd-2.3-defconfig.patch rename to hostapd-2.4-defconfig.patch index 044b25b..90a84f4 100644 --- a/hostapd-2.3-defconfig.patch +++ b/hostapd-2.4-defconfig.patch @@ -1,6 +1,6 @@ ---- hostapd/defconfig.orig 2015-01-05 20:43:43.726052529 +0100 -+++ hostapd/defconfig 2015-01-05 20:48:46.758264105 +0100 -@@ -32,7 +32,7 @@ +--- hostapd/defconfig.orig 2015-04-23 22:09:41.502518110 +0200 ++++ hostapd/defconfig 2015-04-23 22:15:09.225421010 +0200 +@@ -28,7 +28,7 @@ #CONFIG_LIBNL20=y # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) @@ -9,7 +9,7 @@ # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) -@@ -43,7 +43,7 @@ +@@ -39,7 +39,7 @@ #LIBS_c += -L/usr/local/lib # Driver interface for no driver (e.g., RADIUS server only) @@ -18,7 +18,7 @@ # IEEE 802.11F/IAPP CONFIG_IAPP=y -@@ -79,50 +79,50 @@ +@@ -78,50 +78,50 @@ CONFIG_EAP_TTLS=y # EAP-SIM for the integrated EAP server @@ -84,7 +84,7 @@ # EAP-EKE for the integrated EAP server #CONFIG_EAP_EKE=y -@@ -133,27 +133,27 @@ +@@ -132,27 +132,27 @@ # RADIUS authentication server. This provides access to the integrated EAP # server from external hosts using RADIUS. @@ -99,7 +99,7 @@ +CONFIG_IEEE80211R=y # Use the hostapd's IEEE 802.11 authentication (ACL), but without - # the IEEE 802.11 Management capability (e.g., madwifi or FreeBSD/net80211) + # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) -#CONFIG_DRIVER_RADIUS_ACL=y +CONFIG_DRIVER_RADIUS_ACL=y @@ -118,7 +118,7 @@ # Remove debugging code that is printing out debug messages to stdout. # This can be used to reduce the size of the hostapd considerably if debugging -@@ -181,7 +181,7 @@ +@@ -180,7 +180,7 @@ # Enable support for fully dynamic VLANs. This enables hostapd to # automatically create bridge and VLAN interfaces if necessary. 
@@ -127,7 +127,7 @@ # Use netlink-based kernel API for VLAN operations instead of ioctl() # Note: This requires libnl 3.1 or newer. -@@ -251,11 +251,11 @@ +@@ -250,11 +250,11 @@ # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) # can be enabled to get a stronger construction of messages when block ciphers # are used. @@ -141,7 +141,7 @@ # If CONFIG_TLS=internal is used, additional library and include paths are # needed for LibTomMath. Alternatively, an integrated, minimal version of -@@ -276,13 +276,13 @@ +@@ -275,13 +275,13 @@ # Interworking (IEEE 802.11u) # This can be used to enable functionality to improve interworking with # external networks. diff --git a/hostapd-2.4.tar.gz b/hostapd-2.4.tar.gz new file mode 100644 index 0000000..5eadfea --- /dev/null +++ b/hostapd-2.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6fe0eb6bd1c9cbd24952ece8586b6f7bd14ab358edfda99794e79b9b9dbd657f +size 1658872 diff --git a/hostapd.changes b/hostapd.changes index c3ee1fe..e6f991e 100644 --- a/hostapd.changes +++ b/hostapd.changes 
@@ -1,3 +1,58 @@
+-------------------------------------------------------------------
+Thu Apr 23 19:45:41 UTC 2015 - michael@stroeder.com
+
+- update version 2.4
+- added 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+ for CVE-2015-1863
+- updated URLs
+- require pkg-config and libnl3-devel during build
+
+ChangeLog for hostapd since 2.3:
+
+2015-03-15 - v2.4
+ * allow OpenSSL cipher configuration to be set for internal EAP server
+ (openssl_ciphers parameter)
+ * fixed number of small issues based on hwsim test case failures and
+ static analyzer reports
+ * fixed Accounting-Request to not include duplicated Acct-Session-Id
+ * add support for Acct-Multi-Session-Id in RADIUS Accounting messages
+ * add support for PMKSA caching with SAE
+ * add support for generating BSS Load element (bss_load_update_period)
+ * fixed channel switch from VHT to HT
+ * add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events
+ * add support for learning STA IPv4/IPv6 addresses and configuring
+ ProxyARP support
+ * dropped support for the madwifi driver interface
+ * add support for Suite B (128-bit and 192-bit level) key management and
+ cipher suites
+ * fixed a regression with driver=wired
+ * extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
+ * add BSS_TM_REQ ctrl_iface command to send BSS Transition Management
+ Request frames and BSS-TM-RESP event to indicate response to such
+ frame
+ * add support for EAP Re-Authentication Protocol (ERP)
+ * fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled
+ * fixed a regression in HT 20/40 coex Action frame parsing
+ * set stdout to be line-buffered
+ * add support for vendor specific VHT extension to enable 256 QAM rates
+ (VHT-MCS 8 and 9) on 2.4 GHz band
+ * RADIUS DAS:
+ - extend Disconnect-Request processing to allow matching of multiple
+ sessions
+ - support Acct-Multi-Session-Id as an identifier
+ - allow PMKSA cache entry to be removed without association
+ * expire hostapd STA entry if kernel does not have a matching entry
+ * allow chanlist to be used to specify a subset of channels for ACS
+ * improve ACS behavior on 2.4 GHz band and allow channel bias to be
+ configured with acs_chan_bias parameter
+ * do not reply to a Probe Request frame that includes DSS Parameter Set
+ element in which the channel does not match the current operating
+ channel
+ * add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon
+ frame contents to be updated and to start beaconing on an interface
+ that used start_disabled=1
+ * fixed some RADIUS server failover cases
+
 -------------------------------------------------------------------
 Mon Jan 5 19:23:24 UTC 2015 - michael@stroeder.com
diff --git a/hostapd.spec b/hostapd.spec
index 3ce9417..1712f27 100644
--- a/hostapd.spec
+++ b/hostapd.spec
@@ -19,18 +19,22 @@
 Name: hostapd
 BuildRequires: openssl-devel
 BuildRequires: sqlite3-devel
+BuildRequires: libnl3-devel
+BuildRequires: pkg-config
 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
 BuildRequires: pkgconfig(systemd)
 Summary: Turns Your WLAN Card into a WPA capable Access Point
 License: GPL-2.0 or BSD-3-Clause
 Group: Hardware/Wifi
-Version: 2.3
+Version: 2.4
 Release: 0
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
-Url: http://hostap.epitest.fi/
-Source: http://hostap.epitest.fi/releases/hostapd-%{version}.tar.gz
+Url: http://w1.fi/
+Source: http://w1.fi/releases/hostapd-%{version}.tar.gz
 Source1: hostapd.service
-Patch0: hostapd-2.3-defconfig.patch
+Patch0: hostapd-2.4-defconfig.patch
+# CVE-2015-1863
+Patch1: 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
 %{?systemd_requires}
 %description
@@ -45,6 +49,7 @@ authentication via any ethernet driver.
 %prep
 %setup -q -n hostapd-%{version}
 %patch0 -p0
+%patch1 -p1
 cd hostapd
 cp defconfig .config
From 1686b1cbe440c8a4b0ff43f965d7ac0151161fd3e320f906ed1debea028fe32f Mon Sep 17 00:00:00 2001
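Review bot: `BuildRequires: libnl3-devel`, added at the top of the first hostapd.spec hunk, duplicates the existing `BuildRequires: pkgconfig(libnl-3.0) >= 3.0` two lines below; both resolve to the same development package, so keep only the `pkgconfig()` form, which also carries the version floor. The `# CVE-2015-1863` comment above `Patch1` would tell the next maintainer more in the openSUSE tag form, e.g. `# PATCH-FIX-UPSTREAM 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch CVE-2015-1863 -- P2P: validate SSID element length before copying it`. `Source:` is fetched over plain http:// and nothing in the spec checks the tarball against upstream; if upstream's detached signature for the release is available, adding it as `Source2: http://w1.fi/releases/hostapd-%{version}.tar.gz.asc` together with a `%{name}.keyring` lets the build service verify the source before any patch is applied. The `%patch1 -p1` in the second hunk is consistent with the `a/src/p2p/p2p.c` paths inside the patch file after `%setup -n hostapd-%{version}`.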
From: Marcus Meissner
Date: Thu, 7 May 2015 22:42:21 +0000
Subject: [PATCH 2/2] - replaced hostapd-2.3-defconfig.patch by hostapd-2.4-defconfig.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/hostapd?expand=0&rev=32
---
 hostapd.changes | 1 +
 hostapd.spec | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/hostapd.changes b/hostapd.changes
index e6f991e..6af69cc 100644
--- a/hostapd.changes
+++ b/hostapd.changes
@@ -6,6 +6,7 @@ Thu Apr 23 19:45:41 UTC 2015 - michael@stroeder.com
 for CVE-2015-1863
 - updated URLs
 - require pkg-config and libnl3-devel during build
+- replaced hostapd-2.3-defconfig.patch by hostapd-2.4-defconfig.patch
 ChangeLog for hostapd since 2.3:
diff --git a/hostapd.spec b/hostapd.spec
index 1712f27..aa57f9e 100644
--- a/hostapd.spec
+++ b/hostapd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package hostapd
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,10 +17,10 @@
 Name: hostapd
-BuildRequires: openssl-devel
-BuildRequires: sqlite3-devel
 BuildRequires: libnl3-devel
+BuildRequires: openssl-devel
 BuildRequires: pkg-config
+BuildRequires: sqlite3-devel
 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
 BuildRequires: pkgconfig(systemd)
 Summary: Turns Your WLAN Card into a WPA capable Access Point