summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/wpa-supplicant
diff options
context:
space:
mode:
authorZheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>2016-12-13 15:49:44 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-12-17 09:57:03 +0000
commitb5189f4d7f98670fd5f47b51153916030a7d6625 (patch)
treea7d041575f6304baeb0300494e730d2537f18c88 /meta/recipes-connectivity/wpa-supplicant
parent9d1403e23cae56ae81e6b802586e16680679e519 (diff)
downloadpoky-b5189f4d7f98670fd5f47b51153916030a7d6625.tar.gz
wpa-supplicant: 2.5 -> 2.6
1)Upgrade wpa-supplicant from 2.5 to 2.6. 2)Delete 5 patches below, since they are integrated upstream. 0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch 0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch 0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch 0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch 0003-Reject-SET-commands-with-newline-characters-in-the-s.patch 3)License checksum changes are not related to license changes. (From OE-Core rev: 878d411eb53e96bf78e902cc2345eccda8807bfc) (From OE-Core rev: 8751dbde2736a4dbea83f6f581fe90f0c60def76) Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant')
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch55
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch86
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch66
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch86
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch54
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb (renamed from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb)15
6 files changed, 5 insertions, 357 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
deleted file mode 100644
index dd7d5f7267..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
+++ /dev/null
@@ -1,55 +0,0 @@
1From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@qca.qualcomm.com>
3Date: Fri, 4 Mar 2016 18:46:41 +0200
4Subject: [PATCH 1/3] Reject psk parameter set with invalid passphrase
5 character
6
7WPA/WPA2-Personal passphrase is not allowed to include control
8characters. Reject a passphrase configuration attempt if that passphrase
9includes an invalid passphrase.
10
11This fixes an issue where wpa_supplicant could have updated the
12configuration file psk parameter with arbitrary data from the control
13interface or D-Bus interface. While those interfaces are supposed to be
14accessible only for trusted users/applications, it may be possible that
15an untrusted user has access to a management software component that
16does not validate the passphrase value before passing it to
17wpa_supplicant.
18
19This could allow such an untrusted user to inject up to 63 characters of
20almost arbitrary data into the configuration file. Such configuration
21file could result in wpa_supplicant trying to load a library (e.g.,
22opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
23load_dynamic_eap) from user controlled location when starting again.
24This would allow code from that library to be executed under the
25wpa_supplicant process privileges.
26
27Upstream-Status: Backport
28
29CVE: CVE-2016-4477
30
31Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
32Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
33---
34 wpa_supplicant/config.c | 6 ++++++
35 1 file changed, 6 insertions(+)
36
37diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
38index b1c7870..fdd9643 100644
39--- a/wpa_supplicant/config.c
40+++ b/wpa_supplicant/config.c
41@@ -478,6 +478,12 @@ static int wpa_config_parse_psk(const struct parse_data *data,
42 }
43 wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
44 (u8 *) value, len);
45+ if (has_ctrl_char((u8 *) value, len)) {
46+ wpa_printf(MSG_ERROR,
47+ "Line %d: Invalid passphrase character",
48+ line);
49+ return -1;
50+ }
51 if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
52 os_memcmp(ssid->passphrase, value, len) == 0) {
53 /* No change to the previously configured value */
54--
551.9.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
deleted file mode 100644
index db222e41d4..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
+++ /dev/null
@@ -1,86 +0,0 @@
1From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@qca.qualcomm.com>
3Date: Fri, 4 Mar 2016 17:20:18 +0200
4Subject: [PATCH 1/2] WPS: Reject a Credential with invalid passphrase
5
6WPA/WPA2-Personal passphrase is not allowed to include control
7characters. Reject a Credential received from a WPS Registrar both as
8STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
9WPA2PSK authentication type and includes an invalid passphrase.
10
11This fixes an issue where hostapd or wpa_supplicant could have updated
12the configuration file PSK/passphrase parameter with arbitrary data from
13an external device (Registrar) that may not be fully trusted. Should
14such data include a newline character, the resulting configuration file
15could become invalid and fail to be parsed.
16
17Upstream-Status: Backport
18
19CVE: CVE-2016-4476
20
21Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
22Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
23---
24 src/utils/common.c | 12 ++++++++++++
25 src/utils/common.h | 1 +
26 src/wps/wps_attr_process.c | 10 ++++++++++
27 3 files changed, 23 insertions(+)
28
29diff --git a/src/utils/common.c b/src/utils/common.c
30index 450e2c6..27b7c02 100644
31--- a/src/utils/common.c
32+++ b/src/utils/common.c
33@@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len)
34 }
35
36
37+int has_ctrl_char(const u8 *data, size_t len)
38+{
39+ size_t i;
40+
41+ for (i = 0; i < len; i++) {
42+ if (data[i] < 32 || data[i] == 127)
43+ return 1;
44+ }
45+ return 0;
46+}
47+
48+
49 size_t merge_byte_arrays(u8 *res, size_t res_len,
50 const u8 *src1, size_t src1_len,
51 const u8 *src2, size_t src2_len)
52diff --git a/src/utils/common.h b/src/utils/common.h
53index 701dbb2..a972240 100644
54--- a/src/utils/common.h
55+++ b/src/utils/common.h
56@@ -488,6 +488,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
57
58 char * wpa_config_parse_string(const char *value, size_t *len);
59 int is_hex(const u8 *data, size_t len);
60+int has_ctrl_char(const u8 *data, size_t len);
61 size_t merge_byte_arrays(u8 *res, size_t res_len,
62 const u8 *src1, size_t src1_len,
63 const u8 *src2, size_t src2_len);
64diff --git a/src/wps/wps_attr_process.c b/src/wps/wps_attr_process.c
65index eadb22f..e8c4579 100644
66--- a/src/wps/wps_attr_process.c
67+++ b/src/wps/wps_attr_process.c
68@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential *cred)
69 cred->key_len--;
70 #endif /* CONFIG_WPS_STRICT */
71 }
72+
73+
74+ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
75+ (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
76+ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
77+ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
78+ cred->key, cred->key_len);
79+ return -1;
80+ }
81+
82 return 0;
83 }
84
85--
861.9.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch
deleted file mode 100644
index cad7425c36..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch
+++ /dev/null
@@ -1,66 +0,0 @@
1From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@qca.qualcomm.com>
3Date: Tue, 5 Apr 2016 23:33:10 +0300
4Subject: [PATCH 2/3] Reject SET_CRED commands with newline characters in the
5 string values
6
7Most of the cred block parameters are written as strings without
8filtering and if there is an embedded newline character in the value,
9unexpected configuration file data might be written.
10
11This fixes an issue where wpa_supplicant could have updated the
12configuration file cred parameter with arbitrary data from the control
13interface or D-Bus interface. While those interfaces are supposed to be
14accessible only for trusted users/applications, it may be possible that
15an untrusted user has access to a management software component that
16does not validate the credential value before passing it to
17wpa_supplicant.
18
19This could allow such an untrusted user to inject almost arbitrary data
20into the configuration file. Such configuration file could result in
21wpa_supplicant trying to load a library (e.g., opensc_engine_path,
22pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
23controlled location when starting again. This would allow code from that
24library to be executed under the wpa_supplicant process privileges.
25
26Upstream-Status: Backport
27
28CVE: CVE-2016-4477
29
30Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
31Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
32---
33 wpa_supplicant/config.c | 9 ++++++++-
34 1 file changed, 8 insertions(+), 1 deletion(-)
35
36diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
37index eb97cd5..69152ef 100644
38--- a/wpa_supplicant/config.c
39+++ b/wpa_supplicant/config.c
40@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
41
42 if (os_strcmp(var, "password") == 0 &&
43 os_strncmp(value, "ext:", 4) == 0) {
44+ if (has_newline(value))
45+ return -1;
46 str_clear_free(cred->password);
47 cred->password = os_strdup(value);
48 cred->ext_password = 1;
49@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
50 }
51
52 val = wpa_config_parse_string(value, &len);
53- if (val == NULL) {
54+ if (val == NULL ||
55+ (os_strcmp(var, "excluded_ssid") != 0 &&
56+ os_strcmp(var, "roaming_consortium") != 0 &&
57+ os_strcmp(var, "required_roaming_consortium") != 0 &&
58+ has_newline(val))) {
59 wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
60 "value '%s'.", line, var, value);
61+ os_free(val);
62 return -1;
63 }
64
65--
661.9.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch
deleted file mode 100644
index cc7b01ad57..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch
+++ /dev/null
@@ -1,86 +0,0 @@
1From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
2From: Paul Stewart <pstew@google.com>
3Date: Thu, 3 Mar 2016 15:40:19 -0800
4Subject: [PATCH 2/2] Remove newlines from wpa_supplicant config network
5 output
6
7Spurious newlines output while writing the config file can corrupt the
8wpa_supplicant configuration. Avoid writing these for the network block
9parameters. This is a generic filter that cover cases that may not have
10been explicitly addressed with a more specific commit to avoid control
11characters in the psk parameter.
12
13Upstream-Status: Backport
14
15CVE: CVE-2016-4476
16
17Signed-off-by: Paul Stewart <pstew@google.com>
18Signed-off-by: Zhixiong Chi <Zhixiong.Chi.wrs.com>
19---
20 src/utils/common.c | 11 +++++++++++
21 src/utils/common.h | 1 +
22 wpa_supplicant/config.c | 15 +++++++++++++--
23 3 files changed, 25 insertions(+), 2 deletions(-)
24
25diff --git a/src/utils/common.c b/src/utils/common.c
26index 27b7c02..9856463 100644
27--- a/src/utils/common.c
28+++ b/src/utils/common.c
29@@ -709,6 +709,17 @@ int has_ctrl_char(const u8 *data, size_t len)
30 }
31
32
33+int has_newline(const char *str)
34+{
35+ while (*str) {
36+ if (*str == '\n' || *str == '\r')
37+ return 1;
38+ str++;
39+ }
40+ return 0;
41+}
42+
43+
44 size_t merge_byte_arrays(u8 *res, size_t res_len,
45 const u8 *src1, size_t src1_len,
46 const u8 *src2, size_t src2_len)
47diff --git a/src/utils/common.h b/src/utils/common.h
48index a972240..d19927b 100644
49--- a/src/utils/common.h
50+++ b/src/utils/common.h
51@@ -489,6 +489,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
52 char * wpa_config_parse_string(const char *value, size_t *len);
53 int is_hex(const u8 *data, size_t len);
54 int has_ctrl_char(const u8 *data, size_t len);
55+int has_newline(const char *str);
56 size_t merge_byte_arrays(u8 *res, size_t res_len,
57 const u8 *src1, size_t src1_len,
58 const u8 *src2, size_t src2_len);
59diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
60index fdd9643..eb97cd5 100644
61--- a/wpa_supplicant/config.c
62+++ b/wpa_supplicant/config.c
63@@ -2699,8 +2699,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const char *var)
64
65 for (i = 0; i < NUM_SSID_FIELDS; i++) {
66 const struct parse_data *field = &ssid_fields[i];
67- if (os_strcmp(var, field->name) == 0)
68- return field->writer(field, ssid);
69+ if (os_strcmp(var, field->name) == 0) {
70+ char *ret = field->writer(field, ssid);
71+
72+ if (ret && has_newline(ret)) {
73+ wpa_printf(MSG_ERROR,
74+ "Found newline in value for %s; not returning it",
75+ var);
76+ os_free(ret);
77+ ret = NULL;
78+ }
79+
80+ return ret;
81+ }
82 }
83
84 return NULL;
85--
861.9.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch
deleted file mode 100644
index 5375db74b3..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch
+++ /dev/null
@@ -1,54 +0,0 @@
1From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@qca.qualcomm.com>
3Date: Tue, 5 Apr 2016 23:55:48 +0300
4Subject: [PATCH 3/3] Reject SET commands with newline characters in the
5 string values
6
7Many of the global configuration parameters are written as strings
8without filtering and if there is an embedded newline character in the
9value, unexpected configuration file data might be written.
10
11This fixes an issue where wpa_supplicant could have updated the
12configuration file global parameter with arbitrary data from the control
13interface or D-Bus interface. While those interfaces are supposed to be
14accessible only for trusted users/applications, it may be possible that
15an untrusted user has access to a management software component that
16does not validate the value of a parameter before passing it to
17wpa_supplicant.
18
19This could allow such an untrusted user to inject almost arbitrary data
20into the configuration file. Such configuration file could result in
21wpa_supplicant trying to load a library (e.g., opensc_engine_path,
22pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
23controlled location when starting again. This would allow code from that
24library to be executed under the wpa_supplicant process privileges.
25
26Upstream-Status: Backport
27
28CVE: CVE-2016-4477
29
30Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
31Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
32---
33 wpa_supplicant/config.c | 6 ++++++
34 1 file changed, 6 insertions(+)
35
36diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
37index 69152ef..d9a1603 100644
38--- a/wpa_supplicant/config.c
39+++ b/wpa_supplicant/config.c
40@@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data,
41 return -1;
42 }
43
44+ if (has_newline(pos)) {
45+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
46+ line, data->name);
47+ return -1;
48+ }
49+
50 tmp = os_strdup(pos);
51 if (tmp == NULL)
52 return -1;
53--
541.9.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
index a4160e1c5c..b96f9d2a48 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.5.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
@@ -3,9 +3,9 @@ HOMEPAGE = "http://w1.fi/wpa_supplicant/"
3BUGTRACKER = "http://w1.fi/security/" 3BUGTRACKER = "http://w1.fi/security/"
4SECTION = "network" 4SECTION = "network"
5LICENSE = "BSD" 5LICENSE = "BSD"
6LIC_FILES_CHKSUM = "file://COPYING;md5=36b27801447e0662ee0138d17fe93880 \ 6LIC_FILES_CHKSUM = "file://COPYING;md5=292eece3f2ebbaa25608eed8464018a3 \
7 file://README;beginline=1;endline=56;md5=7f393579f8b109fe91f3b9765d26c7d3 \ 7 file://README;beginline=1;endline=56;md5=3f01d778be8f953962388307ee38ed2b \
8 file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=3430fda79f2ba1dd545f0b3c4d6e4d24" 8 file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=4061612fc5715696134e3baf933e8aba"
9DEPENDS = "dbus libnl" 9DEPENDS = "dbus libnl"
10RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli" 10RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
11 11
@@ -24,14 +24,9 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
24 file://wpa_supplicant.conf \ 24 file://wpa_supplicant.conf \
25 file://wpa_supplicant.conf-sane \ 25 file://wpa_supplicant.conf-sane \
26 file://99_wpa_supplicant \ 26 file://99_wpa_supplicant \
27 file://0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch \
28 file://0002-Remove-newlines-from-wpa_supplicant-config-network-o.patch \
29 file://0001-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch \
30 file://0002-Reject-SET_CRED-commands-with-newline-characters-in-.patch \
31 file://0003-Reject-SET-commands-with-newline-characters-in-the-s.patch \
32 " 27 "
33SRC_URI[md5sum] = "96ff75c3a514f1f324560a2376f13110" 28SRC_URI[md5sum] = "091569eb4440b7d7f2b4276dbfc03c3c"
34SRC_URI[sha256sum] = "cce55bae483b364eae55c35ba567c279be442ed8bab5b80a3c7fb0d057b9b316" 29SRC_URI[sha256sum] = "b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450"
35 30
36S = "${WORKDIR}/wpa_supplicant-${PV}" 31S = "${WORKDIR}/wpa_supplicant-${PV}"
37 32