authorLeonardo Arena <rnalrd@alpinelinux.org>2019-06-05 08:51:25 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-06-05 08:58:44 +0000
commit091dec18c2b06659b1b4778559ab25cd06829630 (patch)
treeaf48c48cd6a2ee6729116b6f25d0ea758718c63e
parent4bfdab93d6fae0cd9f7577631790dcab0ac595e7 (diff)
main/hostapd: security fix (CVE-2019-9496)
Fixes #10336
-rw-r--r--main/hostapd/APKBUILD6
-rw-r--r--main/hostapd/CVE-2019-9496.patch57
2 files changed, 62 insertions, 1 deletions
diff --git a/main/hostapd/APKBUILD b/main/hostapd/APKBUILD
index 4ac414f20c3..ce583b3cb3a 100644
--- a/main/hostapd/APKBUILD
+++ b/main/hostapd/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=hostapd
pkgver=2.6
-pkgrel=2
+pkgrel=3
pkgdesc="daemon for wireless software access points"
url="http://hostap.epitest.fi/hostapd/"
arch="all"
@@ -19,6 +19,7 @@ patches="CVE-2012-4445.patch
0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
0006-TDLS-Reject-TPK-TK-reconfiguration.patch
0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+ CVE-2019-9496.patch
"
source="http://hostap.epitest.fi/releases/$pkgname-$pkgver.tar.gz
$patches
@@ -28,6 +29,8 @@ source="http://hostap.epitest.fi/releases/$pkgname-$pkgver.tar.gz
builddir="$srcdir"/$pkgname-$pkgver/hostapd
# secfixes:
+# 2.6-r3:
+# - CVE-2019-9496
# 2.6-r2:
# - CVE-2017-13077
# - CVE-2017-13078
@@ -109,5 +112,6 @@ a6382d8e84b4829be33c46bf2f4c6f3232c9d924a4547a21dfe023bf5be8ee1c635920295f52be28
8707a123cd78149dfee9f5bd791761ee1eca605ef96580167044c2339c896920cf0e030b184a5afa9e310f5755afb30bef8ebd4522fc52753f3fbd6acead2cdf 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
37d050b2e4a3598484912667d8b2705fbe84c5c562267f900d42b0c7b606fb1fed09ddca8b80e2131768baa8f3690aab6ba7a232dee6ff1e66150fdb8816c927 0006-TDLS-Reject-TPK-TK-reconfiguration.patch
fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed792bef1887dcc8c4626586465d78dd0258edb83dcd50a65a 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+90981a52d6cb2e91f67a9bc830d3db02da6fde4bea0cf512b22111da6c8ab151f5dd171a2f2e409d9ff75e388e72c2314dd023a98fdabf16248b11a950bde881 CVE-2019-9496.patch
b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd"
diff --git a/main/hostapd/CVE-2019-9496.patch b/main/hostapd/CVE-2019-9496.patch
new file mode 100644
index 00000000000..6d4fa8699ee
--- /dev/null
+++ b/main/hostapd/CVE-2019-9496.patch
@@ -0,0 +1,57 @@
+From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 5 Mar 2019 23:43:25 +0200
+Subject: SAE: Fix confirm message validation in error cases
+
+Explicitly verify that own and peer commit scalar/element are available
+when trying to check SAE confirm message. It could have been possible to
+hit a NULL pointer dereference if the peer element could not have been
+parsed. (CVE-2019-9496)
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/common/sae.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index eaf825d..5a50294 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -1487,23 +1487,31 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
+
+ wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
+
+- if (sae->tmp == NULL) {
++ if (!sae->tmp || !sae->peer_commit_scalar ||
++ !sae->tmp->own_commit_scalar) {
+ wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
+ return -1;
+ }
+
+- if (sae->tmp->ec)
++ if (sae->tmp->ec) {
++ if (!sae->tmp->peer_commit_element_ecc ||
++ !sae->tmp->own_commit_element_ecc)
++ return -1;
+ sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
+ sae->tmp->peer_commit_element_ecc,
+ sae->tmp->own_commit_scalar,
+ sae->tmp->own_commit_element_ecc,
+ verifier);
+- else
++ } else {
++ if (!sae->tmp->peer_commit_element_ffc ||
++ !sae->tmp->own_commit_element_ffc)
++ return -1;
+ sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
+ sae->tmp->peer_commit_element_ffc,
+ sae->tmp->own_commit_scalar,
+ sae->tmp->own_commit_element_ffc,
+ verifier);
++ }
+
+ if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
+ wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
+--
+cgit v0.12
+
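Review bot: The two new `return -1;` paths inside the `sae->tmp->ec` branch and its `else` branch reject the confirm message silently, unlike the first guard, which logs "SAE: Temporary data not yet available". A missing commit element is the condition the patch description ties to CVE-2019-9496, so a debug line before each return, for example `wpa_printf(MSG_DEBUG, "SAE: Commit element not available for confirm validation");`, would make a rejected confirm visible in the hostapd debug log. The first guard now also fires on a missing `peer_commit_scalar` or `own_commit_scalar`, so its existing message is narrower than the condition it reports. `sae_check_confirm` starts and ends outside the hunk, so whether `len` is checked before `WPA_GET_LE16(data)` and `data + 2` are read cannot be confirmed from here.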