
Bug#690078: unblock: wpa/1.0-3



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
X-Debbugs-CC: Debian wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>

Please unblock package wpa

Hi

This unblock request for wpa 1.0-3 follows on the heels of DSA 2557-1
https://lists.debian.org/debian-security-announce/2012/msg00201.html
for hostapd, which is now part of the wpa source package in >=wheezy.

Besides the security bugfix for CVE-2012-4445 it contains two small
changes:

- adding an additional README(-P2P) to the wpasupplicant package.
  - debian/wpasupplicant.docs
- reverting back from wpa_cli's own crude readline implementation to
  using readline, as it was used before up to wpasupplicant 0.7.3.
  This fixes two relatively minor, but quite annoying and end-user 
  visible usability regressions[1, 2]. This change has been tested for 
  quite a while and relying on readline is still the default in all 
  other distributions. This change only affects /sbin/wpa_cli, which 
  is not part of the udeb and therefore doesn't affect it or its 
  footprint.
  - debian/config/wpasupplicant/kfreebsd
  - debian/config/wpasupplicant/linux
  - debian/control

The urgency follows the example set by the security team for hostapd
1:0.6.10-2+squeeze1, as this security issue may be exploited remotely.

wpa 1.0-3 has been built successfully on all architectures by now and
uploaded to all but powerpc at this moment; the udeb is not affected
by any of these changes. So please consider unblocking wpa/1.0-3.

Regards
	Stefan Lippers-Hollmann

diff -Nru wpa-1.0/debian/changelog wpa-1.0/debian/changelog
--- wpa-1.0/debian/changelog	2012-05-13 22:39:47.000000000 +0200
+++ wpa-1.0/debian/changelog	2012-10-08 23:18:18.000000000 +0200
@@ -1,3 +1,15 @@
+wpa (1.0-3) unstable; urgency=high
+
+  * ship forgotten README-P2P.
+  * revert to GNU readline for wpa_cli, instead of using the internal readline
+    implementation added in wpa 1~. Prefer libreadline-gplv2-dev, because libnl
+    is GPL-2 (only) - switching back to the internal readline implementation is
+    targeted for wheezy+1 (Closes: #677993, #678077).
+  * Fix DoS via specially crafted EAP-TLS messages with longer message
+    length than TLS data length (CVE-2012-4445, DSA 2557-1, Closes: #689990).
+
+ -- Stefan Lippers-Hollmann <s.l-h@gmx.de>  Mon, 08 Oct 2012 17:48:04 +0200
+
 wpa (1.0-2) unstable; urgency=low
 
   * Really enable hardened build flags, thanks Simon Ruderich
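Review bot: the CVE-2012-4445 bullet in the new 1.0-3 entry does not say which component is affected or which patch carries the fix. The patch description places the flaw in the EAP-TLS/PEAP/TTLS/FAST server code used by hostapd, so naming hostapd and debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch in that bullet would make an urgency=high upload that also bundles the readline revert easier to audit.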
diff -Nru wpa-1.0/debian/config/wpasupplicant/kfreebsd wpa-1.0/debian/config/wpasupplicant/kfreebsd
--- wpa-1.0/debian/config/wpasupplicant/kfreebsd	2012-04-14 01:13:49.000000000 +0200
+++ wpa-1.0/debian/config/wpasupplicant/kfreebsd	2012-10-08 18:32:27.000000000 +0200
@@ -238,11 +238,11 @@
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
-#CONFIG_READLINE=y
+CONFIG_READLINE=y
 
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
-CONFIG_WPA_CLI_EDIT=y
+#CONFIG_WPA_CLI_EDIT=y
 
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
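Review bot: nothing next to the newly enabled CONFIG_READLINE=y records why GNU readline is switched on for kfreebsd. The changelog justifies the GPL-2 readline variant by libnl being GPL-2 only, but debian/control restricts libnl-genl-3-dev to [linux-any], so that rationale does not carry over to this config; a one-line comment citing the usability regressions (#677993, #678077) would record the actual reason.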
diff -Nru wpa-1.0/debian/config/wpasupplicant/linux wpa-1.0/debian/config/wpasupplicant/linux
--- wpa-1.0/debian/config/wpasupplicant/linux	2012-04-14 01:13:49.000000000 +0200
+++ wpa-1.0/debian/config/wpasupplicant/linux	2012-10-08 18:32:27.000000000 +0200
@@ -237,11 +237,11 @@
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
-#CONFIG_READLINE=y
+CONFIG_READLINE=y
 
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
-CONFIG_WPA_CLI_EDIT=y
+#CONFIG_WPA_CLI_EDIT=y
 
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
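Review bot: CONFIG_WPA_CLI_EDIT is commented out with no indication that this is a temporary revert. The changelog says switching back to the internal implementation is targeted for wheezy+1, so a short comment above "#CONFIG_WPA_CLI_EDIT=y" pointing at #677993 and #678077 would keep that context in the file and discourage enabling both line-editing options at once later.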
diff -Nru wpa-1.0/debian/control wpa-1.0/debian/control
--- wpa-1.0/debian/control	2012-04-14 02:57:03.000000000 +0200
+++ wpa-1.0/debian/control	2012-06-22 00:42:59.000000000 +0200
@@ -16,6 +16,7 @@
  libnl-genl-3-dev (>= 3.2.3-2~) [linux-any],
  libpcap-dev [kfreebsd-any],
  libbsd-dev [kfreebsd-any],
+ libreadline-gplv2-dev,
  pkg-config,
  qt4-qmake,
  docbook-to-man,
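Review bot: libreadline-gplv2-dev is added as the only readline build dependency, with no alternative listed, while the changelog wording is "Prefer libreadline-gplv2-dev". Either reword the changelog to say the GPL-2 variant is required, or explain there why no alternative is given. The missing architecture qualifier is consistent with CONFIG_READLINE=y being enabled in both the linux and kfreebsd configs.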
diff -Nru wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch
--- wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch	1970-01-01 01:00:00.000000000 +0100
+++ wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch	2012-10-08 17:34:24.000000000 +0200
@@ -0,0 +1,43 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 7 Oct 2012 17:06:29 +0000 (+0300)
+Subject: EAP-TLS server: Fix TLS Message Length validation
+X-Git-Url: http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=586c446e0ff42ae00315b014924ec669023bd8de
+
+EAP-TLS server: Fix TLS Message Length validation
+
+EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
+Message Length value properly and could end up trying to store more
+information into the message buffer than the allocated size if the first
+fragment is longer than the indicated size. This could result in hostapd
+process terminating in wpabuf length validation. Fix this by rejecting
+messages that have invalid TLS Message Length value.
+
+This would affect cases that use the internal EAP authentication server
+in hostapd either directly with IEEE 802.1X or when using hostapd as a
+RADIUS authentication server and when receiving an incorrectly
+constructed EAP-TLS message. Cases where hostapd uses an external
+authentication are not affected.
+
+Thanks to Timo Warns for finding and reporting this issue.
+
+Signed-hostap: Jouni Malinen <j@w1.fi>
+intended-for: hostap-1
+---
+
+--- a/src/eap_server/eap_server_tls_common.c
++++ b/src/eap_server/eap_server_tls_common.c
+@@ -224,6 +224,14 @@ static int eap_server_tls_process_fragme
+ 			return -1;
+ 		}
+ 
++		if (len > message_length) {
++			wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
++				   "first fragment of frame (TLS Message "
++				   "Length %d bytes)",
++				   (int) len, (int) message_length);
++			return -1;
++		}
++
+ 		data->tls_in = wpabuf_alloc(message_length);
+ 		if (data->tls_in == NULL) {
+ 			wpa_printf(MSG_DEBUG, "SSL: No memory for message");
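Review bot: the added "len > message_length" check in eap_server_tls_process_fragment() covers only the first fragment, and the visible context ends at wpabuf_alloc(message_length), so it is worth confirming that continuation fragments are also checked against the remaining buffer space before they are appended. Separately, the patch header carries the upstream commit URL but no reference to CVE-2012-4445 or #689990; adding those to the header would let the patch be traced to the advisory without reading debian/changelog.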
diff -Nru wpa-1.0/debian/patches/series wpa-1.0/debian/patches/series
--- wpa-1.0/debian/patches/series	2012-04-17 13:03:56.000000000 +0200
+++ wpa-1.0/debian/patches/series	2012-10-08 17:34:24.000000000 +0200
@@ -6,3 +6,4 @@
 12_wpa_gui_knotify_support.patch
 13_human_readable_signal.patch
 libnl3-includes.patch
+EAP-TLS-server_fix-TLS-Message-length-validation.patch
diff -Nru wpa-1.0/debian/wpasupplicant.docs wpa-1.0/debian/wpasupplicant.docs
--- wpa-1.0/debian/wpasupplicant.docs	2012-04-08 00:57:32.000000000 +0200
+++ wpa-1.0/debian/wpasupplicant.docs	2012-06-19 18:05:41.000000000 +0200
@@ -1,2 +1,3 @@
 wpa_supplicant/README
 wpa_supplicant/README-WPS
+wpa_supplicant/README-P2P



unblock wpa/1.0-3

[1]	http://bugs.debian.org/677993
[2]	http://bugs.debian.org/678077
