diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-09-17 13:14:27 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-09-17 13:19:25 +0000 |
| commit | bd6d17a7934c019dabff6ce2c6b2d18c31e58fb0 (patch) | |
| tree | 9798514308a6657aa9a019fba0c06f065746c8d2 | |
| parent | 739c0b7c400092582bb275a05bcecb7fe68c341a (diff) | |
| download | aports-bd6d17a7934c019dabff6ce2c6b2d18c31e58fb0.tar.bz2 aports-bd6d17a7934c019dabff6ce2c6b2d18c31e58fb0.tar.xz | |
main/wpa_supplicant: security fix (CVE-2019-16275)
closes #10800
| -rw-r--r-- | main/wpa_supplicant/APKBUILD | 6 | ||||
| -rw-r--r-- | main/wpa_supplicant/CVE-2019-16275.patch | 73 |
2 files changed, 78 insertions, 1 deletions
diff --git a/main/wpa_supplicant/APKBUILD b/main/wpa_supplicant/APKBUILD index 3378a74fe1..55524416e8 100644 --- a/main/wpa_supplicant/APKBUILD +++ b/main/wpa_supplicant/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=wpa_supplicant pkgver=2.6 -pkgrel=10 +pkgrel=11 pkgdesc="A utility providing key negotiation for WPA wireless networks" url="https://w1.fi/wpa_supplicant/" arch="all" @@ -21,6 +21,7 @@ source="http://w1.fi/releases/$pkgname-$pkgver.tar.gz rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch 0014-EAP-pwd-server-Fix-reassembly-buffer-handling.patch 0015-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch + CVE-2019-16275.patch wpa_supplicant.initd wpa_supplicant.confd @@ -31,6 +32,8 @@ source="http://w1.fi/releases/$pkgname-$pkgver.tar.gz wpa_cli.sh" # secfixes: +# 2.6-r16: +# - CVE-2019-16275 # 2.6-r10: # - CVE-2019-11555 # 2.6-r9: @@ -103,6 +106,7 @@ fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed c275cb1a41901d3e5389ca301809baa16a73b40afdcd3a24b63b294e1b9e5eaead148b30742273deecbdd03c6b387a6b3da74de2ae6c49a499b5dd326ff4da9f rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch 7038044885871271ac724790663d5c0a428db83b41a691747be7a618ae893670a98f3ba52a297937249084296b0e9bcfd791edaa3928548efddb259e1a15f46c 0014-EAP-pwd-server-Fix-reassembly-buffer-handling.patch 99c734fe395b4231aa6a097a08a00e5dab65ea9c37a7c83b1904a37c39307d9e7e95485734b0d483687126f4100c75f8a7b1420f0a2edcbfe07b454a14548822 0015-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch +63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch 11eed22f6e793f40c788d586c715deecae03c421d11761b7b4a376660bce812c54cc6f353c7d4d5da9c455aeffd778baefb9e76d380027a729574a756e54ddcc wpa_supplicant.initd 29103161ec2b9631fca9e8d9a97fafd60ffac3fe78cf613b834395ddcaf8be1e253c22e060d7d9f9b974b2d7ce794caa932a2125e29f6494b75bce475f7b30e1 wpa_supplicant.confd e98edc1ecec91335d515c50cac8816e3f6eef139aba574bcf0c6c20c131ef0de40aa657a33d07af09ab28245471a09cb6b3e29b306e48f46d335a0c47a0a56c4 libressl.patch diff --git a/main/wpa_supplicant/CVE-2019-16275.patch b/main/wpa_supplicant/CVE-2019-16275.patch new file mode 100644 index 0000000000..d764a9db01 --- /dev/null +++ b/main/wpa_supplicant/CVE-2019-16275.patch @@ -0,0 +1,73 @@ +From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Thu, 29 Aug 2019 11:52:04 +0300 +Subject: [PATCH] AP: Silently ignore management frame from unexpected source + address + +Do not process any received Management frames with unexpected/invalid SA +so that we do not add any state for unexpected STA addresses or end up +sending out frames to unexpected destination. This prevents unexpected +sequences where an unprotected frame might end up causing the AP to send +out a response to another device and that other device processing the +unexpected response. + +In particular, this prevents some potential denial of service cases +where the unexpected response frame from the AP might result in a +connected station dropping its association. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/ap/drv_callbacks.c | 13 +++++++++++++ + src/ap/ieee802_11.c | 12 ++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c +index 31587685fe3b..34ca379edc3d 100644 +--- a/src/ap/drv_callbacks.c ++++ b/src/ap/drv_callbacks.c +@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, + "hostapd_notif_assoc: Skip event with no address"); + return -1; + } ++ ++ if (is_multicast_ether_addr(addr) || ++ is_zero_ether_addr(addr) || ++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR ++ " in received indication - ignore this indication silently", ++ __func__, MAC2STR(addr)); ++ return 0; ++ } ++ + random_add_randomness(addr, ETH_ALEN); + + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index c85a28db44b7..e7065372e158 100644 +--- a/src/ap/ieee802_11.c ++++ b/src/ap/ieee802_11.c +@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, + fc = le_to_host16(mgmt->frame_control); + stype = WLAN_FC_GET_STYPE(fc); + ++ if (is_multicast_ether_addr(mgmt->sa) || ++ is_zero_ether_addr(mgmt->sa) || ++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR ++ " in received frame - ignore this frame silently", ++ MAC2STR(mgmt->sa)); ++ return 0; ++ } ++ + if (stype == WLAN_FC_STYPE_BEACON) { + handle_beacon(hapd, mgmt, len, fi); + return 1; +-- +2.20.1 + |