aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@alpinelinux.org>2019-09-17 12:27:49 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-09-17 12:27:49 +0000
commitf1fd2a573425793de610a615092f210f1c50f0ad (patch)
treea5f37a989029125af762081b576740d993f2ea5e
parent5c5dd180a38049de2a1c41d29bfd0e2f8ddc029e (diff)
downloadaports-f1fd2a573425793de610a615092f210f1c50f0ad.tar.bz2
aports-f1fd2a573425793de610a615092f210f1c50f0ad.tar.xz
main/hostapd: security fix (CVE-2019-16275)
ref #10799
-rw-r--r--main/hostapd/APKBUILD12
-rw-r--r--main/hostapd/CVE-2012-4445.patch45
-rw-r--r--main/hostapd/CVE-2019-16275.patch73
3 files changed, 81 insertions, 49 deletions
diff --git a/main/hostapd/APKBUILD b/main/hostapd/APKBUILD
index 89a38abaec..098241c17e 100644
--- a/main/hostapd/APKBUILD
+++ b/main/hostapd/APKBUILD
@@ -1,22 +1,25 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=hostapd
pkgver=2.9
-pkgrel=0
+pkgrel=1
pkgdesc="daemon for wireless software access points"
url="https://w1.fi/hostapd/"
arch="all"
license="custom"
makedepends="openssl-dev libnl3-dev linux-headers"
subpackages="$pkgname-doc $pkgname-openrc"
-patches=""
-source="http://hostap.epitest.fi/releases/$pkgname-$pkgver.tar.gz
+patches="CVE-2019-16275.patch"
+source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
$patches
$pkgname.initd
- $pkgname.confd"
+ $pkgname.confd
+ "
options="!check" #no testsuite
builddir="$srcdir"/$pkgname-$pkgver/hostapd
# secfixes:
+# 2.9-r1:
+# - CVE-2019-16275
# 2.8-r0:
# - CVE-2019-11555
# - CVE-2019-9496
@@ -92,5 +95,6 @@ package() {
"$pkgdir"/usr/share/man/man1/hostapd_cli
}
sha512sums="66c729380152db18b64520bda55dfa00af3b0264f97b5de100b81a46e2593571626c4bdcf900f0988ea2131e30bc8788f75d8489dd1f57e37fd56e8098e48a9c hostapd-2.9.tar.gz
+63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch
b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd"
diff --git a/main/hostapd/CVE-2012-4445.patch b/main/hostapd/CVE-2012-4445.patch
deleted file mode 100644
index 552307d279..0000000000
--- a/main/hostapd/CVE-2012-4445.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 7 Oct 2012 17:06:29 +0000 (+0300)
-Subject: EAP-TLS server: Fix TLS Message Length validation
-X-Git-Url: http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=586c446e0ff42ae00315b014924ec669023bd8de
-
-EAP-TLS server: Fix TLS Message Length validation
-
-EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
-Message Length value properly and could end up trying to store more
-information into the message buffer than the allocated size if the first
-fragment is longer than the indicated size. This could result in hostapd
-process terminating in wpabuf length validation. Fix this by rejecting
-messages that have invalid TLS Message Length value.
-
-This would affect cases that use the internal EAP authentication server
-in hostapd either directly with IEEE 802.1X or when using hostapd as a
-RADIUS authentication server and when receiving an incorrectly
-constructed EAP-TLS message. Cases where hostapd uses an external
-authentication are not affected.
-
-Thanks to Timo Warns for finding and reporting this issue.
-
-Signed-hostap: Jouni Malinen <j@w1.fi>
-intended-for: hostap-1
----
-
-diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
-index 31be2ec..46f282b 100644
---- a/src/eap_server/eap_server_tls_common.c
-+++ b/src/eap_server/eap_server_tls_common.c
-@@ -228,6 +228,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
- return -1;
- }
-
-+ if (len > message_length) {
-+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
-+ "first fragment of frame (TLS Message "
-+ "Length %d bytes)",
-+ (int) len, (int) message_length);
-+ return -1;
-+ }
-+
- data->tls_in = wpabuf_alloc(message_length);
- if (data->tls_in == NULL) {
- wpa_printf(MSG_DEBUG, "SSL: No memory for message");
diff --git a/main/hostapd/CVE-2019-16275.patch b/main/hostapd/CVE-2019-16275.patch
new file mode 100644
index 0000000000..d764a9db01
--- /dev/null
+++ b/main/hostapd/CVE-2019-16275.patch
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+