diff --git a/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
deleted file mode 100644
index ccb2d2e..0000000
--- a/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
-From: Jouni Malinen
-Date: Tue, 7 Apr 2015 11:32:11 +0300
-Subject: [PATCH] P2P: Validate SSID element length before copying it
- (CVE-2015-1863)
-
-This fixes a possible memcpy overflow for P2P dev->oper_ssid in
-p2p_add_device(). The length provided by the peer device (0..255 bytes)
-was used without proper bounds checking and that could have resulted in
-arbitrary data of up to 223 bytes being written beyond the end of the
-dev->oper_ssid[] array (of which about 150 bytes would be beyond the
-heap allocation) when processing a corrupted management frame for P2P
-peer discovery purposes.
-
-This could result in corrupted state in heap, unexpected program
-behavior due to corrupted P2P peer device information, denial of service
-due to process crash, exposure of memory contents during GO Negotiation,
-and potentially arbitrary code execution.
-
-Thanks to Google security team for reporting this issue and smart
-hardware research group of Alibaba security team for discovering it.
-
-Signed-off-by: Jouni Malinen
----
- src/p2p/p2p.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
-index f584fae..a45fe73 100644
---- a/src/p2p/p2p.c
-+++ b/src/p2p/p2p.c
-@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
- if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
- os_memcpy(dev->interface_addr, addr, ETH_ALEN);
- if (msg.ssid &&
-+ msg.ssid[1] <= sizeof(dev->oper_ssid) &&
- (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
- os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
- != 0)) {
--- 
-1.9.1
-
diff --git a/hostapd-2.4.tar.gz b/hostapd-2.4.tar.gz deleted file mode 100644 index 5eadfea..0000000 --- a/hostapd-2.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6fe0eb6bd1c9cbd24952ece8586b6f7bd14ab358edfda99794e79b9b9dbd657f -size 1658872 diff --git a/hostapd-2.4-defconfig.patch b/hostapd-2.5-defconfig.patch similarity index 88% rename from hostapd-2.4-defconfig.patch rename to hostapd-2.5-defconfig.patch index 90a84f4..7c15a43 100644 --- a/hostapd-2.4-defconfig.patch +++ b/hostapd-2.5-defconfig.patch @@ -1,5 +1,5 @@ ---- hostapd/defconfig.orig 2015-04-23 22:09:41.502518110 +0200 -+++ hostapd/defconfig 2015-04-23 22:15:09.225421010 +0200 +--- ./hostapd/defconfig.orig 2015-10-18 15:11:32.152380752 +0200 ++++ ./hostapd/defconfig 2015-10-18 15:18:07.240441471 +0200 @@ -28,7 +28,7 @@ #CONFIG_LIBNL20=y @@ -18,7 +18,7 @@ # IEEE 802.11F/IAPP CONFIG_IAPP=y -@@ -78,50 +78,50 @@ +@@ -78,53 +78,53 @@ CONFIG_EAP_TTLS=y # EAP-SIM for the integrated EAP server @@ -83,7 +83,11 @@ +CONFIG_EAP_TNC=y # EAP-EKE for the integrated EAP server - #CONFIG_EAP_EKE=y +-#CONFIG_EAP_EKE=y ++CONFIG_EAP_EKE=y + + # PKCS#12 (PFX) support (used to read private key and certificate file from + # a file that usually has extension .p12 or .pfx) @@ -132,27 +132,27 @@ # RADIUS authentication server. This provides access to the integrated EAP @@ -127,7 +131,13 @@ # Use netlink-based kernel API for VLAN operations instead of ioctl() # Note: This requires libnl 3.1 or newer. -@@ -250,11 +250,11 @@ +@@ -251,16 +251,16 @@ + # gnutls = GnuTLS + # internal = Internal TLSv1 implementation (experimental) + # none = Empty template +-#CONFIG_TLS=openssl ++CONFIG_TLS=openssl + # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) # can be enabled to get a stronger construction of messages when block ciphers # are used. 
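Review bot: The switch from `#CONFIG_EAP_EKE=y` to `CONFIG_EAP_EKE=y` in the `@@ -83,7 +83,11 @@` hunk is a build-feature change, not a rebase, and the hostapd.changes entry in this commit records only "rebased hostapd-2.4-defconfig.patch -> hostapd-2.5-defconfig.patch". The `@@ -127,7 +131,13 @@` hunk does the same for `CONFIG_TLS=openssl`. Turning on another EAP server method puts more code that handles peer-supplied messages into the shipped binary, so it should be a visible, deliberate decision. I would add a changelog line such as `- enabled CONFIG_EAP_EKE and set CONFIG_TLS=openssl explicitly in defconfig`, or revert the EKE line if it was not intended.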
@@ -141,7 +151,7 @@ # If CONFIG_TLS=internal is used, additional library and include paths are # needed for LibTomMath. Alternatively, an integrated, minimal version of -@@ -275,13 +275,13 @@ +@@ -281,13 +281,13 @@ # Interworking (IEEE 802.11u) # This can be used to enable functionality to improve interworking with # external networks. @@ -156,5 +166,5 @@ -#CONFIG_SQLITE=y +CONFIG_SQLITE=y - # Testing options - # This can be used to enable some testing options (see also the example + # Enable Fast Session Transfer (FST) + #CONFIG_FST=y diff --git a/hostapd-2.5.tar.gz b/hostapd-2.5.tar.gz new file mode 100644 index 0000000..93f6acd --- /dev/null +++ b/hostapd-2.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8e272d954dc0d7026c264b79b15389ec2b2c555b32970de39f506b9f463ec74a +size 1720783 diff --git a/hostapd.changes b/hostapd.changes index 6af69cc..df06dbe 100644 --- a/hostapd.changes +++ b/hostapd.changes 
@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Sun Oct 18 12:59:02 UTC 2015 - michael@stroeder.com
+
+- update to upstream release 2.5
+- removed 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+ (CVE-2015-1863) because it's fixed in upstream release 2.5
+- rebased hostapd-2.4-defconfig.patch -> hostapd-2.5-defconfig.patch
+
+ChangeLog for hostapd since 2.4:
+
+2015-09-27 - v2.5
+ * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
+ [http://w1.fi/security/2015-2/] (CVE-2015-4141 bsc#930077)
+ * fixed WMM Action frame parser
+ [http://w1.fi/security/2015-3/] (CVE-2015-4142 bsc#930078)
+ * fixed EAP-pwd server missing payload length validation
+ [http://w1.fi/security/2015-4/]
+ (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, bsc#930079)
+ * fixed validation of WPS and P2P NFC NDEF record payload length
+ [http://w1.fi/security/2015-5/]
+ * nl80211:
+ - fixed vendor command handling to check OUI properly
+ * fixed hlr_auc_gw build with OpenSSL
+ * hlr_auc_gw: allow Milenage RES length to be reduced
+ * disable HT for a station that does not support WMM/QoS
+ * added support for hashed password (NtHash) in EAP-pwd server
+ * fixed and extended dynamic VLAN cases
+ * added EAP-EKE server support for deriving Session-Id
+ * set Acct-Session-Id to a random value to make it more likely to be
+ unique even if the device does not have a proper clock
+ * added more 2.4 GHz channels for 20/40 MHz HT co-ex scan
+ * modified SAE routines to be more robust and PWE generation to be
+ stronger against timing attacks
+ * added support for Brainpool Elliptic Curves with SAE
+ * increases maximum value accepted for cwmin/cwmax
+ * added support for CCMP-256 and GCMP-256 as group ciphers with FT
+ * added Fast Session Transfer (FST) module
+ * removed optional fields from RSNE when using FT with PMF
+ (workaround for interoperability issues with iOS 8.4)
+ * added EAP server support for TLS session resumption
+ * 
fixed key derivation for Suite B 192-bit AKM (this breaks + compatibility with the earlier version) + * added mechanism to track unconnected stations and do minimal band + steering + * number of small fixes + ------------------------------------------------------------------- Thu Apr 23 19:45:41 UTC 2015 - michael@stroeder.com diff --git a/hostapd.spec b/hostapd.spec index aa57f9e..0c71584 100644 --- a/hostapd.spec +++ b/hostapd.spec @@ -26,15 +26,13 @@ BuildRequires: pkgconfig(systemd) Summary: Turns Your WLAN Card into a WPA capable Access Point License: GPL-2.0 or BSD-3-Clause Group: Hardware/Wifi -Version: 2.4 +Version: 2.5 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build Url: http://w1.fi/ Source: http://w1.fi/releases/hostapd-%{version}.tar.gz Source1: hostapd.service -Patch0: hostapd-2.4-defconfig.patch -# CVE-2015-1863 -Patch1: 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch +Patch0: hostapd-2.5-defconfig.patch %{?systemd_requires} %description @@ -49,7 +47,6 @@ authentication via any ethernet driver. %prep %setup -q -n hostapd-%{version} %patch0 -p0 -%patch1 -p1 cd hostapd cp defconfig .config