* [Buildroot] [PATCH] package/wpa_supplicant: add upstream 2020-2 security fix
@ 2021-02-05 12:13 Peter Korsgaard
  2021-02-05 12:45 ` Yann E. MORIN
  2021-02-10 18:54 ` Peter Korsgaard
  0 siblings, 2 replies; 4+ messages in thread
From: Peter Korsgaard @ 2021-02-05 12:13 UTC (permalink / raw)
  To: buildroot

Fixes the following security issue:

 - wpa_supplicant P2P group information processing vulnerability (no CVE yet)

   A vulnerability was discovered in how wpa_supplicant processes P2P
   (Wi-Fi Direct) group information from active group owners.  The actual
   parsing of that information validates field lengths appropriately, but
   processing of the parsed information misses a length check when storing a
   copy of the secondary device types.  This can result in writing attacker
   controlled data into the peer entry after the area assigned for the
   secondary device type.  The overflow can result in corrupting pointers
   for heap allocations.  This can result in an attacker within radio range
   of the device running P2P discovery being able to cause unexpected
   behavior, including termination of the wpa_supplicant process and
   potentially arbitrary code execution.

For more details, see the advisory:
https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/wpa_supplicant/wpa_supplicant.hash | 1 +
 package/wpa_supplicant/wpa_supplicant.mk   | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/package/wpa_supplicant/wpa_supplicant.hash b/package/wpa_supplicant/wpa_supplicant.hash
index ff5a2edb34..cce465d849 100644
--- a/package/wpa_supplicant/wpa_supplicant.hash
+++ b/package/wpa_supplicant/wpa_supplicant.hash
@@ -1,3 +1,4 @@
 # Locally calculated
 sha256  fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17  wpa_supplicant-2.9.tar.gz
 sha256  9da5dd0776da266b180b915e460ff75c6ff729aca1196ab396529510f24f3761  README
+sha256  c4d65cc13863e0237d0644198558e2c47b4ed91e2b2be4516ff590724187c4a5  0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch
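Review bot: the added sha256 line for 0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch sits under the existing "# Locally calculated" comment with nothing recording where the hashed file came from. The tarball and README entries above it belong to the 2.9 release, while this file is a separate download, so a short comment above the new line naming the w1.fi 2020-2 advisory would tell a later reader what was fetched and hashed, and which entry to drop at the next version bump. The file name does match the basename of the URL added in wpa_supplicant.mk.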
diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
index 9e8282b8ef..43baff6bbe 100644
--- a/package/wpa_supplicant/wpa_supplicant.mk
+++ b/package/wpa_supplicant/wpa_supplicant.mk
@@ -11,6 +11,8 @@ WPA_SUPPLICANT_LICENSE_FILES = README
 WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi
 WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config
 WPA_SUPPLICANT_SUBDIR = wpa_supplicant
+WPA_SUPPLICANT_PATCH = \
+	https://w1.fi/security/2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch
 WPA_SUPPLICANT_DBUS_OLD_SERVICE = fi.epitest.hostap.WPASupplicant
 WPA_SUPPLICANT_DBUS_NEW_SERVICE = fi.w1.wpa_supplicant1
 WPA_SUPPLICANT_CFLAGS = $(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include/libnl3/
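Review bot: the new WPA_SUPPLICANT_PATCH assignment has no comment tying the URL to the 2020-2 advisory, and the commit message says there is no CVE yet. With WPA_SUPPLICANT_CPE_ID_VENDOR set in the context lines and the 2.9 tarball unchanged, CVE matching may still flag this package once an identifier is assigned, even though the fix is applied. Consider a one-line comment above the assignment naming the advisory, so that a WPA_SUPPLICANT_IGNORE_CVES entry can be added against it when the identifier exists.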
-- 
2.20.1
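
The class of bug described in the commit message above (lengths validated while parsing, but not re-checked against the fixed-size destination when the copy is stored), as an added C illustration that is not part of the original post and is not wpa_supplicant's code. The struct names, the sizes and the `canary` field are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed sizes for illustration; not taken from the wpa_supplicant sources. */
#define DEV_TYPE_LEN      8  /* bytes per device type entry */
#define MAX_SEC_DEV_TYPES 5  /* slots reserved in the peer entry */

/* Hypothetical peer entry: a fixed-size list followed by other fields. */
struct peer_entry {
    uint8_t  sec_dev_type_list[MAX_SEC_DEV_TYPES * DEV_TYPE_LEN];
    size_t   sec_dev_type_list_len;
    uint32_t canary;  /* stands in for the data stored after the list */
};

/* Hypothetical parser output: the parser already verified that
 * sec_dev_types points at num_sec_dev_types * DEV_TYPE_LEN received bytes. */
struct client_info {
    const uint8_t *sec_dev_types;
    size_t         num_sec_dev_types;
};

/* A count that is valid for the received frame can still exceed the
 * destination, so clamp it to the capacity of the peer entry before copying.
 * Returns the number of bytes stored. */
size_t copy_sec_dev_types(struct peer_entry *peer, const struct client_info *cli)
{
    size_t n = cli->num_sec_dev_types;

    if (n > MAX_SEC_DEV_TYPES)  /* the length check on the stored copy */
        n = MAX_SEC_DEV_TYPES;
    memcpy(peer->sec_dev_type_list, cli->sec_dev_types, n * DEV_TYPE_LEN);
    peer->sec_dev_type_list_len = n * DEV_TYPE_LEN;
    return peer->sec_dev_type_list_len;
}

/* Constructed input: 12 device types offered for 5 slots. Returns the bytes
 * stored and reports the field that follows the list. */
size_t demo_oversized(uint32_t *canary_after)
{
    uint8_t frame[12 * DEV_TYPE_LEN];
    struct peer_entry peer = { .canary = 0xC0FFEEu };
    struct client_info cli = { frame, 12 };

    memset(frame, 0x41, sizeof(frame));
    size_t stored = copy_sec_dev_types(&peer, &cli);
    *canary_after = peer.canary;
    return stored;
}
```

Without the clamp, the same `memcpy` would write 96 bytes into a 40-byte array and run over the fields that follow it in the entry.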


* [Buildroot] [PATCH] package/wpa_supplicant: add upstream 2020-2 security fix
  2021-02-05 12:13 [Buildroot] [PATCH] package/wpa_supplicant: add upstream 2020-2 security fix Peter Korsgaard
@ 2021-02-05 12:45 ` Yann E. MORIN
  2021-02-05 13:09   ` Peter Korsgaard
  2021-02-10 18:54 ` Peter Korsgaard
  1 sibling, 1 reply; 4+ messages in thread
From: Yann E. MORIN @ 2021-02-05 12:45 UTC (permalink / raw)
  To: buildroot

Peter, All,

On 2021-02-05 13:13 +0100, Peter Korsgaard spake thusly:
> Fixes the following security issue:
> 
>  - wpa_supplicant P2P group information processing vulnerability (no CVE yet)
> 
>    A vulnerability was discovered in how wpa_supplicant processes P2P
>    (Wi-Fi Direct) group information from active group owners.  The actual
>    parsing of that information validates field lengths appropriately, but
>    processing of the parsed information misses a length check when storing a
>    copy of the secondary device types.  This can result in writing attacker
>    controlled data into the peer entry after the area assigned for the
>    secondary device type.  The overflow can result in corrupting pointers
>    for heap allocations.  This can result in an attacker within radio range
>    of the device running P2P discovery being able to cause unexpected
>    behavior, including termination of the wpa_supplicant process and
>    potentially arbitrary code execution.
> 
> For more details, see the advisory:
> https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.

(I just moved the _PATCH near _VERSION and _SITE to keep similar things
together)

Regards,
Yann E. MORIN.

> ---
>  package/wpa_supplicant/wpa_supplicant.hash | 1 +
>  package/wpa_supplicant/wpa_supplicant.mk   | 2 ++
>  2 files changed, 3 insertions(+)
> 
> diff --git a/package/wpa_supplicant/wpa_supplicant.hash b/package/wpa_supplicant/wpa_supplicant.hash
> index ff5a2edb34..cce465d849 100644
> --- a/package/wpa_supplicant/wpa_supplicant.hash
> +++ b/package/wpa_supplicant/wpa_supplicant.hash
> @@ -1,3 +1,4 @@
>  # Locally calculated
>  sha256  fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17  wpa_supplicant-2.9.tar.gz
>  sha256  9da5dd0776da266b180b915e460ff75c6ff729aca1196ab396529510f24f3761  README
> +sha256  c4d65cc13863e0237d0644198558e2c47b4ed91e2b2be4516ff590724187c4a5  0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch
> diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
> index 9e8282b8ef..43baff6bbe 100644
> --- a/package/wpa_supplicant/wpa_supplicant.mk
> +++ b/package/wpa_supplicant/wpa_supplicant.mk
> @@ -11,6 +11,8 @@ WPA_SUPPLICANT_LICENSE_FILES = README
>  WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi
>  WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config
>  WPA_SUPPLICANT_SUBDIR = wpa_supplicant
> +WPA_SUPPLICANT_PATCH = \
> +	https://w1.fi/security/2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch
>  WPA_SUPPLICANT_DBUS_OLD_SERVICE = fi.epitest.hostap.WPASupplicant
>  WPA_SUPPLICANT_DBUS_NEW_SERVICE = fi.w1.wpa_supplicant1
>  WPA_SUPPLICANT_CFLAGS = $(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include/libnl3/
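Review bot: in this hunk WPA_SUPPLICANT_PATCH lands between WPA_SUPPLICANT_SUBDIR and the WPA_SUPPLICANT_DBUS_* service names, away from the other download-related variables. Placing it next to _VERSION and _SITE, as the reply above says was done when applying, keeps everything that determines what gets fetched in one place and makes the extra download easier to spot when the package is audited or bumped.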
> -- 
> 2.20.1

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH] package/wpa_supplicant: add upstream 2020-2 security fix
  2021-02-05 12:45 ` Yann E. MORIN
@ 2021-02-05 13:09   ` Peter Korsgaard
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2021-02-05 13:09 UTC (permalink / raw)
  To: buildroot

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

 > Peter, All,
 > On 2021-02-05 13:13 +0100, Peter Korsgaard spake thusly:
 >> Fixes the following security issue:
 >> 
 >> - wpa_supplicant P2P group information processing vulnerability (no CVE yet)
 >> 
 >> A vulnerability was discovered in how wpa_supplicant processes P2P
 >> (Wi-Fi Direct) group information from active group owners.  The actual
 >> parsing of that information validates field lengths appropriately, but
 >> processing of the parsed information misses a length check when storing a
 >> copy of the secondary device types.  This can result in writing attacker
 >> controlled data into the peer entry after the area assigned for the
 >> secondary device type.  The overflow can result in corrupting pointers
 >> for heap allocations.  This can result in an attacker within radio range
 >> of the device running P2P discovery being able to cause unexpected
 >> behavior, including termination of the wpa_supplicant process and
 >> potentially arbitrary code execution.
 >> 
 >> For more details, see the advisory:
 >> https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt
 >> 
 >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

 > Applied to master, thanks.

Thanks.

 > (I just moved the _PATCH near _VERSION and _SITE to keep similar things
 > together)

Fine. I did it like this for consistency with hostapd.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH] package/wpa_supplicant: add upstream 2020-2 security fix
  2021-02-05 12:13 [Buildroot] [PATCH] package/wpa_supplicant: add upstream 2020-2 security fix Peter Korsgaard
  2021-02-05 12:45 ` Yann E. MORIN
@ 2021-02-10 18:54 ` Peter Korsgaard
  1 sibling, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2021-02-10 18:54 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 >  - wpa_supplicant P2P group information processing vulnerability (no CVE yet)

 >    A vulnerability was discovered in how wpa_supplicant processes P2P
 >    (Wi-Fi Direct) group information from active group owners.  The actual
 >    parsing of that information validates field lengths appropriately, but
 >    processing of the parsed information misses a length check when storing a
 >    copy of the secondary device types.  This can result in writing attacker
 >    controlled data into the peer entry after the area assigned for the
 >    secondary device type.  The overflow can result in corrupting pointers
 >    for heap allocations.  This can result in an attacker within radio range
 >    of the device running P2P discovery being able to cause unexpected
 >    behavior, including termination of the wpa_supplicant process and
 >    potentially arbitrary code execution.

 > For more details, see the advisory:
 > https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2020.02.x and 2020.11.x, thanks.

-- 
Bye, Peter Korsgaard
