Accepting request 299064 from home:stroeder:branches:Base:System

Update to 2.4. Please review carefully. I'm not sure whether the security fix 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch is really needed. But hostapd-2.4/src/ contains the whole wpa_supplicant code and I wanted to be sure. OBS-URL: https://build.opensuse.org/request/show/299064 OBS-URL: https://build.opensuse.org/package/show/Base:System/hostapd?expand=0&rev=31
2015-05-07 21:29:29 +00:00 · 2015-05-07 21:29:29 +00:00 · 1ee765c85c
commit 1ee765c85c
parent 83ca20bae1
6 changed files with 119 additions and 17 deletions
--- a/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+++ b/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
@ -0,0 +1,42 @@
+From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Tue, 7 Apr 2015 11:32:11 +0300
+Subject: [PATCH] P2P: Validate SSID element length before copying it
+ (CVE-2015-1863)
+
+This fixes a possible memcpy overflow for P2P dev->oper_ssid in
+p2p_add_device(). The length provided by the peer device (0..255 bytes)
+was used without proper bounds checking and that could have resulted in
+arbitrary data of up to 223 bytes being written beyond the end of the
+dev->oper_ssid[] array (of which about 150 bytes would be beyond the
+heap allocation) when processing a corrupted management frame for P2P
+peer discovery purposes.
+
+This could result in corrupted state in heap, unexpected program
+behavior due to corrupted P2P peer device information, denial of service
+due to process crash, exposure of memory contents during GO Negotiation,
+and potentially arbitrary code execution.
+
+Thanks to Google security team for reporting this issue and smart
+hardware research group of Alibaba security team for discovering it.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+---
+ src/p2p/p2p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index f584fae..a45fe73 100644
+--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
+@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
+ 	if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
+ 		os_memcpy(dev->interface_addr, addr, ETH_ALEN);
+ 	if (msg.ssid &&
+	    msg.ssid[1] <= sizeof(dev->oper_ssid) &&
+ 	    (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
+ 	     os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
+ 	     != 0)) {
+-- 
+1.9.1
+
--- a/hostapd-2.3.tar.gz
+++ b/hostapd-2.3.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c94c2b76876fad4c80a1063a06f958a2189ba5003475016fa7658a1ca49bb4df
-size 1592480
--- a/hostapd-2.4-defconfig.patch
+++ b/hostapd-2.4-defconfig.patch
@ -1,6 +1,6 @@
--- hostapd/defconfig.orig	2015-01-05 20:43:43.726052529 +0100
-+++ hostapd/defconfig	2015-01-05 20:48:46.758264105 +0100
-@@ -32,7 +32,7 @@
+--- hostapd/defconfig.orig	2015-04-23 22:09:41.502518110 +0200
+++ hostapd/defconfig	2015-04-23 22:15:09.225421010 +0200
+@@ -28,7 +28,7 @@
 #CONFIG_LIBNL20=y
 
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
@ -9,7 +9,7 @@
 
 
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
-@@ -43,7 +43,7 @@
+@@ -39,7 +39,7 @@
 #LIBS_c += -L/usr/local/lib
 
 # Driver interface for no driver (e.g., RADIUS server only)
@ -18,7 +18,7 @@
 
 # IEEE 802.11F/IAPP
 CONFIG_IAPP=y
-@@ -79,50 +79,50 @@
+@@ -78,50 +78,50 @@
 CONFIG_EAP_TTLS=y
 
 # EAP-SIM for the integrated EAP server
@ -84,7 +84,7 @@
 
 # EAP-EKE for the integrated EAP server
 #CONFIG_EAP_EKE=y
-@@ -133,27 +133,27 @@
+@@ -132,27 +132,27 @@
 
 # RADIUS authentication server. This provides access to the integrated EAP
 # server from external hosts using RADIUS.
@ -99,7 +99,7 @@
 +CONFIG_IEEE80211R=y
 
 # Use the hostapd's IEEE 802.11 authentication (ACL), but without
- # the IEEE 802.11 Management capability (e.g., madwifi or FreeBSD/net80211)
+ # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
 -#CONFIG_DRIVER_RADIUS_ACL=y
 +CONFIG_DRIVER_RADIUS_ACL=y
 
@ -118,7 +118,7 @@
 
 # Remove debugging code that is printing out debug messages to stdout.
 # This can be used to reduce the size of the hostapd considerably if debugging
-@@ -181,7 +181,7 @@
+@@ -180,7 +180,7 @@
 
 # Enable support for fully dynamic VLANs. This enables hostapd to
 # automatically create bridge and VLAN interfaces if necessary.
@ -127,7 +127,7 @@
 
 # Use netlink-based kernel API for VLAN operations instead of ioctl()
 # Note: This requires libnl 3.1 or newer.
-@@ -251,11 +251,11 @@
+@@ -250,11 +250,11 @@
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used.
@ -141,7 +141,7 @@
 
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
-@@ -276,13 +276,13 @@
+@@ -275,13 +275,13 @@
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks.
--- a/hostapd-2.4.tar.gz
+++ b/hostapd-2.4.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6fe0eb6bd1c9cbd24952ece8586b6f7bd14ab358edfda99794e79b9b9dbd657f
+size 1658872
--- a/hostapd.changes
+++ b/hostapd.changes
@ -1,3 +1,58 @@
+-------------------------------------------------------------------
+Thu Apr 23 19:45:41 UTC 2015 - michael@stroeder.com
+
+- update version 2.4
+- added 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+  for CVE-2015-1863
+- updated URLs
+- require pkg-config and libnl3-devel during build
+
+ChangeLog for hostapd since 2.3:
+
+2015-03-15 - v2.4
+        * allow OpenSSL cipher configuration to be set for internal EAP server
+          (openssl_ciphers parameter)
+        * fixed number of small issues based on hwsim test case failures and
+          static analyzer reports
+        * fixed Accounting-Request to not include duplicated Acct-Session-Id
+        * add support for Acct-Multi-Session-Id in RADIUS Accounting messages
+        * add support for PMKSA caching with SAE
+        * add support for generating BSS Load element (bss_load_update_period)
+        * fixed channel switch from VHT to HT
+        * add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events
+        * add support for learning STA IPv4/IPv6 addresses and configuring
+          ProxyARP support
+        * dropped support for the madwifi driver interface
+        * add support for Suite B (128-bit and 192-bit level) key management and
+          cipher suites
+        * fixed a regression with driver=wired
+        * extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
+        * add BSS_TM_REQ ctrl_iface command to send BSS Transition Management
+          Request frames and BSS-TM-RESP event to indicate response to such
+          frame
+        * add support for EAP Re-Authentication Protocol (ERP)
+        * fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled
+        * fixed a regression in HT 20/40 coex Action frame parsing
+        * set stdout to be line-buffered
+        * add support for vendor specific VHT extension to enable 256 QAM rates
+          (VHT-MCS 8 and 9) on 2.4 GHz band
+        * RADIUS DAS:
+          - extend Disconnect-Request processing to allow matching of multiple
+            sessions
+          - support Acct-Multi-Session-Id as an identifier
+          - allow PMKSA cache entry to be removed without association
+        * expire hostapd STA entry if kernel does not have a matching entry
+        * allow chanlist to be used to specify a subset of channels for ACS
+        * improve ACS behavior on 2.4 GHz band and allow channel bias to be
+          configured with acs_chan_bias parameter
+        * do not reply to a Probe Request frame that includes DSS Parameter Set
+          element in which the channel does not match the current operating
+          channel
+        * add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon
+          frame contents to be updated and to start beaconing on an interface
+          that used start_disabled=1
+        * fixed some RADIUS server failover cases
+
 -------------------------------------------------------------------
 Mon Jan  5 19:23:24 UTC 2015 - michael@stroeder.com

--- a/hostapd.spec
+++ b/hostapd.spec
@ -19,18 +19,22 @@
 Name:           hostapd
 BuildRequires:  openssl-devel
 BuildRequires:  sqlite3-devel
+BuildRequires:  libnl3-devel
+BuildRequires:  pkg-config
 BuildRequires:  pkgconfig(libnl-3.0) >= 3.0
 BuildRequires:  pkgconfig(systemd)
 Summary:        Turns Your WLAN Card into a WPA capable Access Point
 License:        GPL-2.0 or BSD-3-Clause
 Group:          Hardware/Wifi
-Version:        2.3
+Version:        2.4
 Release:        0
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-Url:            http://hostap.epitest.fi/
-Source:         http://hostap.epitest.fi/releases/hostapd-%{version}.tar.gz
+Url:            http://w1.fi/
+Source:         http://w1.fi/releases/hostapd-%{version}.tar.gz
 Source1:        hostapd.service
-Patch0:         hostapd-2.3-defconfig.patch
+Patch0:         hostapd-2.4-defconfig.patch
+# CVE-2015-1863
+Patch1:         0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
 %{?systemd_requires}

 %description
@ -45,6 +49,7 @@ authentication via any ethernet driver.
 %prep
 %setup -q -n hostapd-%{version}
 %patch0 -p0
+%patch1 -p1

 cd hostapd
 cp defconfig .config