diff options
author | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-06-05 08:51:25 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-06-05 08:55:48 +0000 |
commit | 4c63d15964419d85bba90df9bfeb8f6af833b40b (patch) | |
tree | 565487c60435222b6cf043f8639c34ba179d7eed | |
parent | 71e80d98081071b4d10324039fe65145316ec81c (diff) |
main/hostapd: security fix (CVE-2019-9496)
Fixes #10335
-rw-r--r-- | main/hostapd/APKBUILD | 6 | ||||
-rw-r--r-- | main/hostapd/CVE-2019-9496.patch | 57 |
2 files changed, 62 insertions, 1 deletions
diff --git a/main/hostapd/APKBUILD b/main/hostapd/APKBUILD index bd03dcc392b..1a510d26fb1 100644 --- a/main/hostapd/APKBUILD +++ b/main/hostapd/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=hostapd pkgver=2.6 -pkgrel=4 +pkgrel=5 pkgdesc="daemon for wireless software access points" url="http://hostap.epitest.fi/hostapd/" arch="all" @@ -17,6 +17,7 @@ patches="CVE-2012-4445.patch 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch 0006-TDLS-Reject-TPK-TK-reconfiguration.patch 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch + CVE-2019-9496.patch 0009-EAP-pwd-server-Fix-reassembly-buffer-handling.patch 0010-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch " @@ -28,6 +29,8 @@ options="!check" #no testsuite builddir="$srcdir"/$pkgname-$pkgver/hostapd # secfixes: +# 2.6-r5: +# - CVE-2019-9496 # 2.6-r4: # - CVE-2019-11555 # 2.6-r2: @@ -109,6 +112,7 @@ a6382d8e84b4829be33c46bf2f4c6f3232c9d924a4547a21dfe023bf5be8ee1c635920295f52be28 8707a123cd78149dfee9f5bd791761ee1eca605ef96580167044c2339c896920cf0e030b184a5afa9e310f5755afb30bef8ebd4522fc52753f3fbd6acead2cdf 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch 37d050b2e4a3598484912667d8b2705fbe84c5c562267f900d42b0c7b606fb1fed09ddca8b80e2131768baa8f3690aab6ba7a232dee6ff1e66150fdb8816c927 0006-TDLS-Reject-TPK-TK-reconfiguration.patch fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed792bef1887dcc8c4626586465d78dd0258edb83dcd50a65a 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch +90981a52d6cb2e91f67a9bc830d3db02da6fde4bea0cf512b22111da6c8ab151f5dd171a2f2e409d9ff75e388e72c2314dd023a98fdabf16248b11a950bde881 CVE-2019-9496.patch 7038044885871271ac724790663d5c0a428db83b41a691747be7a618ae893670a98f3ba52a297937249084296b0e9bcfd791edaa3928548efddb259e1a15f46c 0009-EAP-pwd-server-Fix-reassembly-buffer-handling.patch 99c734fe395b4231aa6a097a08a00e5dab65ea9c37a7c83b1904a37c39307d9e7e95485734b0d483687126f4100c75f8a7b1420f0a2edcbfe07b454a14548822 0010-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd diff --git a/main/hostapd/CVE-2019-9496.patch b/main/hostapd/CVE-2019-9496.patch new file mode 100644 index 00000000000..6d4fa8699ee --- /dev/null +++ b/main/hostapd/CVE-2019-9496.patch @@ -0,0 +1,57 @@ +From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Tue, 5 Mar 2019 23:43:25 +0200 +Subject: SAE: Fix confirm message validation in error cases + +Explicitly verify that own and peer commit scalar/element are available +when trying to check SAE confirm message. It could have been possible to +hit a NULL pointer dereference if the peer element could not have been +parsed. (CVE-2019-9496) + +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +--- + src/common/sae.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/common/sae.c b/src/common/sae.c +index eaf825d..5a50294 100644 +--- a/src/common/sae.c ++++ b/src/common/sae.c +@@ -1487,23 +1487,31 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len) + + wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data)); + +- if (sae->tmp == NULL) { ++ if (!sae->tmp || !sae->peer_commit_scalar || ++ !sae->tmp->own_commit_scalar) { + wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available"); + return -1; + } + +- if (sae->tmp->ec) ++ if (sae->tmp->ec) { ++ if (!sae->tmp->peer_commit_element_ecc || ++ !sae->tmp->own_commit_element_ecc) ++ return -1; + sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar, + sae->tmp->peer_commit_element_ecc, + sae->tmp->own_commit_scalar, + sae->tmp->own_commit_element_ecc, + verifier); +- else ++ } else { ++ if (!sae->tmp->peer_commit_element_ffc || ++ !sae->tmp->own_commit_element_ffc) ++ return -1; + sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar, + sae->tmp->peer_commit_element_ffc, + sae->tmp->own_commit_scalar, + sae->tmp->own_commit_element_ffc, + verifier); ++ } + + if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) { + wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch"); +-- +cgit v0.12 + |