1 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch
new file mode 100644
index 0000000000..5375db74b3
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch
@@ -0,0 +1,54 @@
+From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Tue, 5 Apr 2016 23:55:48 +0300
+Subject: [PATCH 3/3] Reject SET commands with newline characters in the
+ string values
+Many of the global configuration parameters are written as strings
+without filtering and if there is an embedded newline character in the
+value, unexpected configuration file data might be written.
+This fixes an issue where wpa_supplicant could have updated the
+configuration file global parameter with arbitrary data from the control
+interface or D-Bus interface. While those interfaces are supposed to be
+accessible only for trusted users/applications, it may be possible that
+an untrusted user has access to a management software component that
+does not validate the value of a parameter before passing it to
+wpa_supplicant.
+This could allow such an untrusted user to inject almost arbitrary data
+into the configuration file. Such configuration file could result in
+wpa_supplicant trying to load a library (e.g., opensc_engine_path,
+pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
+controlled location when starting again. This would allow code from that
+library to be executed under the wpa_supplicant process privileges.
+Upstream-Status: Backport
+CVE: CVE-2016-4477
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
+---
+ wpa_supplicant/config.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
+index 69152ef..d9a1603 100644
+--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
+@@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data,
+                return -1;
+        }
+ 
+       if (has_newline(pos)) {
+               wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
+                          line, data->name);
+               return -1;
+       }
+
+        tmp = os_strdup(pos);
+        if (tmp == NULL)
+                return -1;
+-- 
+1.9.1

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch new file mode 100644 index 0000000000..5375db74b3 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-Reject-SET-commands-with-newline-characters-in-the-s.patch
@@ -0,0 +1,54 @@
	1	From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
	2	From: Jouni Malinen <jouni@qca.qualcomm.com>
	3	Date: Tue, 5 Apr 2016 23:55:48 +0300
	4	Subject: [PATCH 3/3] Reject SET commands with newline characters in the
	5	string values
	6
	7	Many of the global configuration parameters are written as strings
	8	without filtering and if there is an embedded newline character in the
	9	value, unexpected configuration file data might be written.
	10
	11	This fixes an issue where wpa_supplicant could have updated the
	12	configuration file global parameter with arbitrary data from the control
	13	interface or D-Bus interface. While those interfaces are supposed to be
	14	accessible only for trusted users/applications, it may be possible that
	15	an untrusted user has access to a management software component that
	16	does not validate the value of a parameter before passing it to
	17	wpa_supplicant.
	18
	19	This could allow such an untrusted user to inject almost arbitrary data
	20	into the configuration file. Such configuration file could result in
	21	wpa_supplicant trying to load a library (e.g., opensc_engine_path,
	22	pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
	23	controlled location when starting again. This would allow code from that
	24	library to be executed under the wpa_supplicant process privileges.
	25
	26	Upstream-Status: Backport
	27
	28	CVE: CVE-2016-4477
	29
	30	Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
	31	Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
	32	---
	33	wpa_supplicant/config.c \| 6 ++++++
	34	1 file changed, 6 insertions(+)
	35
	36	diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
	37	index 69152ef..d9a1603 100644
	38	--- a/wpa_supplicant/config.c
	39	+++ b/wpa_supplicant/config.c
	40	@@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data,
	41	return -1;
	42	}
	43
	44	+ if (has_newline(pos)) {
	45	+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
	46	+ line, data->name);
	47	+ return -1;
	48	+ }
	49	+
	50	tmp = os_strdup(pos);
	51	if (tmp == NULL)
	52	return -1;
	53	--
	54	1.9.1