summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZhixiong Chi <zhixiong.chi@windriver.com>2016-09-22 15:54:27 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 14:56:39 +0100
commit8381125e53cc1b15c584f59d7c72affa28b1fd0e (patch)
tree5d2a7b6857f9333e67a5c77fa3753c7f79c347c5
parent9b78237363b4812c3b9509959fc931e9f0c17674 (diff)
downloadpoky-8381125e53cc1b15c584f59d7c72affa28b1fd0e.tar.gz
wpa_supplicant: Security Advisory-CVE-2016-4477
Add CVE-2016-4477 patch for avoiding \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation. Patches came from http://w1.fi/security/2016-1/ (From OE-Core rev: d4d4ed5f31c687b2b2b716ff0fb8ca6c7aa29853) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch55
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch66
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch54
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb3
4 files changed, 178 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
new file mode 100644
index 0000000000..dd7d5f7267
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
@@ -0,0 +1,55 @@
1From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@qca.qualcomm.com>
3Date: Fri, 4 Mar 2016 18:46:41 +0200
4Subject: [PATCH 1/3] Reject psk parameter set with invalid passphrase
5 character
6
7WPA/WPA2-Personal passphrase is not allowed to include control
8characters. Reject a passphrase configuration attempt if that passphrase
9includes an invalid passphrase.
10
11This fixes an issue where wpa_supplicant could have updated the
12configuration file psk parameter with arbitrary data from the control
13interface or D-Bus interface. While those interfaces are supposed to be
14accessible only for trusted users/applications, it may be possible that
15an untrusted user has access to a management software component that
16does not validate the passphrase value before passing it to
17wpa_supplicant.
18
19This could allow such an untrusted user to inject up to 63 characters of
20almost arbitrary data into the configuration file. Such configuration
21file could result in wpa_supplicant trying to load a library (e.g.,
22opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
23load_dynamic_eap) from user controlled location when starting again.
24This would allow code from that library to be executed under the
25wpa_supplicant process privileges.
26
27Upstream-Status: Backport
28
29CVE: CVE-2016-4477
30
31Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
32Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
33---
34 wpa_supplicant/config.c | 6 ++++++
35 1 file changed, 6 insertions(+)
36
37diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
38index b1c7870..fdd9643 100644
39--- a/wpa_supplicant/config.c
40+++ b/wpa_supplicant/config.c
41@@ -478,6 +478,12 @@ static int wpa_config_parse_psk(const struct parse_data *data,
42 }
43 wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
44 (u8 *) value, len);
45+ if (has_ctrl_char((u8 *) value, len)) {
46+ wpa_printf(MSG_ERROR,
47+ "Line %d: Invalid passphrase character",
48+ line);
49+ return -1;
50+ }
51 if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
52 os_memcmp(ssid->passphrase, value, len) == 0) {
53 /* No change to the previously configured value */
54--
551.9.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch
new file mode 100644
index 0000000000..cad7425c36
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch
@@ -0,0 +1,66 @@
1From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@qca.qualcomm.com>
3Date: Tue, 5 Apr 2016 23:33:10 +0300
4Subject: [PATCH 2/3] Reject SET_CRED commands with newline characters in the
5 string values
6
7Most of the cred block parameters are written as strings without
8filtering and if there is an embedded newline character in the value,
9unexpected configuration file data might be written.
10
11This fixes an issue where wpa_supplicant could have updated the
12configuration file cred parameter with arbitrary data from the control
13interface or D-Bus interface. While those interfaces are supposed to be
14accessible only for trusted users/applications, it may be possible that
15an untrusted user has access to a management software component that
16does not validate the credential value before passing it to
17wpa_supplicant.
18
19This could allow such an untrusted user to inject almost arbitrary data
20into the configuration file. Such configuration file could result in
21wpa_supplicant trying to load a library (e.g., opensc_engine_path,
22pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
23controlled location when starting again. This would allow code from that
24library to be executed under the wpa_supplicant process privileges.
25
26Upstream-Status: Backport
27
28CVE: CVE-2016-4477
29
30Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
31Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
32---
33 wpa_supplicant/config.c | 9 ++++++++-
34 1 file changed, 8 insertions(+), 1 deletion(-)
35
36diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
37index eb97cd5..69152ef 100644
38--- a/wpa_supplicant/config.c
39+++ b/wpa_supplicant/config.c
40@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
41
42 if (os_strcmp(var, "password") == 0 &&
43 os_strncmp(value, "ext:", 4) == 0) {
44+ if (has_newline(value))
45+ return -1;
46 str_clear_free(cred->password);
47 cred->password = os_strdup(value);
48 cred->ext_password = 1;
49@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
50 }
51
52 val = wpa_config_parse_string(value, &len);
53- if (val == NULL) {
54+ if (val == NULL ||
55+ (os_strcmp(var, "excluded_ssid") != 0 &&
56+ os_strcmp(var, "roaming_consortium") != 0 &&
57+ os_strcmp(var, "required_roaming_consortium") != 0 &&
58+ has_newline(val))) {
59 wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
60 "value '%s'.", line, var, value);
61+ os_free(val);
62 return -1;
63 }
64
65--
661.9.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch
new file mode 100644
index 0000000000..5375db74b3
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch
@@ -0,0 +1,54 @@
1From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@qca.qualcomm.com>
3Date: Tue, 5 Apr 2016 23:55:48 +0300
4Subject: [PATCH 3/3] Reject SET commands with newline characters in the
5 string values
6
7Many of the global configuration parameters are written as strings
8without filtering and if there is an embedded newline character in the
9value, unexpected configuration file data might be written.
10
11This fixes an issue where wpa_supplicant could have updated the
12configuration file global parameter with arbitrary data from the control
13interface or D-Bus interface. While those interfaces are supposed to be
14accessible only for trusted users/applications, it may be possible that
15an untrusted user has access to a management software component that
16does not validate the value of a parameter before passing it to
17wpa_supplicant.
18
19This could allow such an untrusted user to inject almost arbitrary data
20into the configuration file. Such configuration file could result in
21wpa_supplicant trying to load a library (e.g., opensc_engine_path,
22pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
23controlled location when starting again. This would allow code from that
24library to be executed under the wpa_supplicant process privileges.
25
26Upstream-Status: Backport
27
28CVE: CVE-2016-4477
29
30Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
31Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
32---
33 wpa_supplicant/config.c | 6 ++++++
34 1 file changed, 6 insertions(+)
35
36diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
37index 69152ef..d9a1603 100644
38--- a/wpa_supplicant/config.c
39+++ b/wpa_supplicant/config.c
40@@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data,
41 return -1;
42 }
43
44+ if (has_newline(pos)) {
45+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
46+ line, data->name);
47+ return -1;
48+ }
49+
50 tmp = os_strdup(pos);
51 if (tmp == NULL)
52 return -1;
53--
541.9.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb
index bfcc6cca63..a4160e1c5c 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb
@@ -26,6 +26,9 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
26 file://99_wpa_supplicant \ 26 file://99_wpa_supplicant \
27 file://0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch \ 27 file://0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch \
28 file://0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch \ 28 file://0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch \
29 file://0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch \
30 file://0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch \
31 file://0003-Reject-SET-commands-with-newline-characters-in-the-s.patch \
29 " 32 "
30SRC_URI[md5sum] = "96ff75c3a514f1f324560a2376f13110" 33SRC_URI[md5sum] = "96ff75c3a514f1f324560a2376f13110"
31SRC_URI[sha256sum] = "cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316" 34SRC_URI[sha256sum] = "cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316"