aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@alpinelinux.org>2019-09-17 13:03:15 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-09-17 13:11:33 +0000
commitde40d9a237281b0e3a2ec4a0e2b8d9a825732828 (patch)
tree45fb0ca8afca43c28a4f6cfa3a7d13dacfa4dde0
parenta631766c739d92b83c30732831268f2e5cf0e919 (diff)
downloadaports-3.9-stable.tar.bz2
aports-3.9-stable.tar.xz
main/wpa_supplicant: security fix (CVE-2019-16275)3.9-stable
ref #10800
-rw-r--r--main/wpa_supplicant/APKBUILD6
-rw-r--r--main/wpa_supplicant/CVE-2019-16275.patch73
2 files changed, 78 insertions, 1 deletions
diff --git a/main/wpa_supplicant/APKBUILD b/main/wpa_supplicant/APKBUILD
index 6a13b28fdd..c177a73001 100644
--- a/main/wpa_supplicant/APKBUILD
+++ b/main/wpa_supplicant/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=wpa_supplicant
pkgver=2.7
-pkgrel=4
+pkgrel=5
pkgdesc="A utility providing key negotiation for WPA wireless networks"
url="https://w1.fi/wpa_supplicant/"
arch="all"
@@ -42,11 +42,14 @@ source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
0023-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch
0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
+ CVE-2019-16275.patch
config
wpa_cli.sh"
# secfixes:
+# 2.7-r5:
+# - CVE-2019-16275
# 2.7-r4:
# - CVE-2019-13377
# 2.7-r3:
@@ -166,5 +169,6 @@ bcae73930c35d441c5615970c305abb3dff293fdec16df50823e57419b22d1aac0e780970619e0c7
89ac9ee8b0a3521b135ea5075fcc01ee37b111ba129e75f58e4bb863aad0e782c0e1928c91cab2ab1859a7a52d66987e14018b0552c167c05dbaeed76f1b12dd 0023-EAP-pwd-Disallow-ECC-groups-with-a-prime-under-256-b.patch
da5f4248a0173cd7d07972b760631a8dc26f258e7b5be059c0d7de26e17f668945a62d2afce01ed1a1e9df6c55f9fd6ee344d4f006f5564b90a25e90e1e7c704 0024-SAE-Reject-unsuitable-groups-based-on-REVmd-changes.patch
4734a8ab8ba1e91fc9e3d729f34527c14c291df238b02adea5acc04b0361b41d4bffca2fb13a4f464e9f007fa624117af4f50d755cb41a3129b4868da91bdf9a 0025-dragonfly-Disable-use-of-groups-using-Brainpool-curv.patch
+63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch
6707991f9a071f2fcb09d164d31d12b1f52b91fbb5574b70b8d6f9727f72bbe42b03dd66d10fcc2126f5b7e49ac785657dec90e88b4bf54a9aa5638582f6e505 config
212c4265afce2e72b95a32cd785612d6c3e821b47101ead154136d184ac4add01434ada6c87edbb9a98496552e76e1a4d79c6b5840e3a5cfe5e6d602fceae576 wpa_cli.sh"
diff --git a/main/wpa_supplicant/CVE-2019-16275.patch b/main/wpa_supplicant/CVE-2019-16275.patch
new file mode 100644
index 0000000000..d764a9db01
--- /dev/null
+++ b/main/wpa_supplicant/CVE-2019-16275.patch
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+