aboutsummaryrefslogtreecommitdiffstats
path: root/main/wpa_supplicant/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2016-05-30 19:17:31 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2016-05-30 17:21:32 +0000
commit2806116f403724817d994e53a2ab9cc9dd330867 (patch)
tree1848c6f66a4f2b8ab9649110855b46fa04d9e5f9 /main/wpa_supplicant/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch
parentd089f392f1b48a8facd3f415e911f14d3c696d6a (diff)
downloadaports-2806116f403724817d994e53a2ab9cc9dd330867.tar.bz2
aports-2806116f403724817d994e53a2ab9cc9dd330867.tar.xz
main/wpa_supplicant: security fix for CVE-2016-4476, CVE-2016-4477
fixes #5638
Diffstat (limited to 'main/wpa_supplicant/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch')
-rw-r--r--main/wpa_supplicant/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch62
1 files changed, 62 insertions, 0 deletions
diff --git a/main/wpa_supplicant/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch b/main/wpa_supplicant/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch
new file mode 100644
index 0000000000..2dd38fee31
--- /dev/null
+++ b/main/wpa_supplicant/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch
@@ -0,0 +1,62 @@
+From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Tue, 5 Apr 2016 23:33:10 +0300
+Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the
+ string values
+
+Most of the cred block parameters are written as strings without
+filtering and if there is an embedded newline character in the value,
+unexpected configuration file data might be written.
+
+This fixes an issue where wpa_supplicant could have updated the
+configuration file cred parameter with arbitrary data from the control
+interface or D-Bus interface. While those interfaces are supposed to be
+accessible only for trusted users/applications, it may be possible that
+an untrusted user has access to a management software component that
+does not validate the credential value before passing it to
+wpa_supplicant.
+
+This could allow such an untrusted user to inject almost arbitrary data
+into the configuration file. Such configuration file could result in
+wpa_supplicant trying to load a library (e.g., opensc_engine_path,
+pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
+controlled location when starting again. This would allow code from that
+library to be executed under the wpa_supplicant process privileges.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+---
+ wpa_supplicant/config.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
+index eb97cd5..69152ef 100644
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
+
+ if (os_strcmp(var, "password") == 0 &&
+ os_strncmp(value, "ext:", 4) == 0) {
++ if (has_newline(value))
++ return -1;
+ str_clear_free(cred->password);
+ cred->password = os_strdup(value);
+ cred->ext_password = 1;
+@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
+ }
+
+ val = wpa_config_parse_string(value, &len);
+- if (val == NULL) {
++ if (val == NULL ||
++ (os_strcmp(var, "excluded_ssid") != 0 &&
++ os_strcmp(var, "roaming_consortium") != 0 &&
++ os_strcmp(var, "required_roaming_consortium") != 0 &&
++ has_newline(val))) {
+ wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
+ "value '%s'.", line, var, value);
++ os_free(val);
+ return -1;
+ }
+
+--
+1.9.1
+