Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
X-Debbugs-CC: Debian wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>

Please unblock package wpa

Hi

This unblock request for wpa 1.0-3 follows on the heels of DSA 2557-1
https://lists.debian.org/debian-security-announce/2012/msg00201.html
for hostapd, which is now part of the wpa source package in >=wheezy.

Besides the security bugfix for CVE-2012-4445 it contains two small changes:

- adding an additional README(-P2P) to the wpasupplicant package.
  - debian/wpasupplicant.docs

- reverting back from wpa_cli's own crude readline implementation to using
  readline, as it was used before up to wpasupplicant 0.7.3. This fixes two
  relatively minor, but quite annoying and end-user visible usability
  regressions [1, 2]. This change has been tested for quite a while and
  relying on readline is still the default in all other distributions. This
  change only affects /sbin/wpa_cli, which is not part of the udeb and
  therefore doesn't affect it or its footprint.
  - debian/config/wpasupplicant/kfreebsd
  - debian/config/wpasupplicant/linux
  - debian/control

The urgency follows the example set by the security team for hostapd
1:0.6.10-2+squeeze1, as this security issue may be exploited remotely.

wpa 1.0-3 has been built successfully on all architectures by now and
uploaded to all but powerpc at this moment; the udeb is not affected by any
of these changes.

So please consider unblocking wpa/1.0-3.

Regards
Stefan Lippers-Hollmann

diff -Nru wpa-1.0/debian/changelog wpa-1.0/debian/changelog
--- wpa-1.0/debian/changelog 2012-05-13 22:39:47.000000000 +0200
+++ wpa-1.0/debian/changelog 2012-10-08 23:18:18.000000000 +0200
@@ -1,3 +1,15 @@ +wpa (1.0-3) unstable; urgency=high + + * ship forgotten README-P2P. + * revert to GNU readline for wpa_cli, instead of using the internal readline + implementation added in wpa 1~. Prefer libreadline-gplv2-dev, because libnl + is GPL-2 (only) - switching back to the internal readline implementation is + targeted for wheezy+1 (Closes: #677993, #678077). + * Fix DoS via specially crafted EAP-TLS messages with longer message + length than TLS data length (CVE-2012-4445, DSA 2557-1, Closes: #689990). + + -- Stefan Lippers-Hollmann <s.l-h@gmx.de> Mon, 08 Oct 2012 17:48:04 +0200 + wpa (1.0-2) unstable; urgency=low * Really enable hardened build flags, thanks Simon Ruderich diff -Nru wpa-1.0/debian/config/wpasupplicant/kfreebsd wpa-1.0/debian/config/wpasupplicant/kfreebsd --- wpa-1.0/debian/config/wpasupplicant/kfreebsd 2012-04-14 01:13:49.000000000 +0200 +++ wpa-1.0/debian/config/wpasupplicant/kfreebsd 2012-10-08 18:32:27.000000000 +0200 @@ -238,11 +238,11 @@ # When building a wpa_cli binary for distribution, please note that these # libraries are licensed under GPL and as such, BSD license may not apply for # the resulting binary. -#CONFIG_READLINE=y +CONFIG_READLINE=y # Include internal line edit mode in wpa_cli. This can be used as a replacement # for GNU Readline to provide limited command line editing and history support. -CONFIG_WPA_CLI_EDIT=y +#CONFIG_WPA_CLI_EDIT=y # Remove debugging code that is printing out debug message to stdout. # This can be used to reduce the size of the wpa_supplicant considerably diff -Nru wpa-1.0/debian/config/wpasupplicant/linux wpa-1.0/debian/config/wpasupplicant/linux --- wpa-1.0/debian/config/wpasupplicant/linux 2012-04-14 01:13:49.000000000 +0200 +++ wpa-1.0/debian/config/wpasupplicant/linux 2012-10-08 18:32:27.000000000 +0200 
@@ -237,11 +237,11 @@ # When building a wpa_cli binary for distribution, please note that these # libraries are licensed under GPL and as such, BSD license may not apply for # the resulting binary. -#CONFIG_READLINE=y +CONFIG_READLINE=y # Include internal line edit mode in wpa_cli. This can be used as a replacement # for GNU Readline to provide limited command line editing and history support. -CONFIG_WPA_CLI_EDIT=y +#CONFIG_WPA_CLI_EDIT=y # Remove debugging code that is printing out debug message to stdout. # This can be used to reduce the size of the wpa_supplicant considerably diff -Nru wpa-1.0/debian/control wpa-1.0/debian/control --- wpa-1.0/debian/control 2012-04-14 02:57:03.000000000 +0200 +++ wpa-1.0/debian/control 2012-06-22 00:42:59.000000000 +0200 @@ -16,6 +16,7 @@ libnl-genl-3-dev (>= 3.2.3-2~) [linux-any], libpcap-dev [kfreebsd-any], libbsd-dev [kfreebsd-any], + libreadline-gplv2-dev, pkg-config, qt4-qmake, docbook-to-man, diff -Nru wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch --- wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch 1970-01-01 01:00:00.000000000 +0100 +++ wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch 2012-10-08 17:34:24.000000000 +0200 
@@ -0,0 +1,43 @@ +From: Jouni Malinen <j@w1.fi> +Date: Sun, 7 Oct 2012 17:06:29 +0000 (+0300) +Subject: EAP-TLS server: Fix TLS Message Length validation +X-Git-Url: http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=586c446e0ff42ae00315b014924ec669023bd8de + +EAP-TLS server: Fix TLS Message Length validation + +EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS +Message Length value properly and could end up trying to store more +information into the message buffer than the allocated size if the first +fragment is longer than the indicated size. This could result in hostapd +process terminating in wpabuf length validation. Fix this by rejecting +messages that have invalid TLS Message Length value. + +This would affect cases that use the internal EAP authentication server +in hostapd either directly with IEEE 802.1X or when using hostapd as a +RADIUS authentication server and when receiving an incorrectly +constructed EAP-TLS message. Cases where hostapd uses an external +authentication are not affected. + +Thanks to Timo Warns for finding and reporting this issue. + +Signed-hostap: Jouni Malinen <j@w1.fi> +intended-for: hostap-1 +--- + +--- a/src/eap_server/eap_server_tls_common.c ++++ b/src/eap_server/eap_server_tls_common.c +@@ -224,6 +224,14 @@ static int eap_server_tls_process_fragme + return -1; + } + ++ if (len > message_length) { ++ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " ++ "first fragment of frame (TLS Message " ++ "Length %d bytes)", ++ (int) len, (int) message_length); ++ return -1; ++ } ++ + data->tls_in = wpabuf_alloc(message_length); + if (data->tls_in == NULL) { + wpa_printf(MSG_DEBUG, "SSL: No memory for message"); diff -Nru wpa-1.0/debian/patches/series wpa-1.0/debian/patches/series --- wpa-1.0/debian/patches/series 2012-04-17 13:03:56.000000000 +0200 +++ wpa-1.0/debian/patches/series 2012-10-08 17:34:24.000000000 +0200 
@@ -6,3 +6,4 @@ 12_wpa_gui_knotify_support.patch 13_human_readable_signal.patch libnl3-includes.patch +EAP-TLS-server_fix-TLS-Message-length-validation.patch diff -Nru wpa-1.0/debian/wpasupplicant.docs wpa-1.0/debian/wpasupplicant.docs --- wpa-1.0/debian/wpasupplicant.docs 2012-04-08 00:57:32.000000000 +0200 +++ wpa-1.0/debian/wpasupplicant.docs 2012-06-19 18:05:41.000000000 +0200 @@ -1,2 +1,3 @@ wpa_supplicant/README wpa_supplicant/README-WPS +wpa_supplicant/README-P2P unblock wpa/1.0-3 [1] http://bugs.debian.org/677993 [2] http://bugs.debian.org/678077
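Review bot: in the debian/changelog hunk, the CVE-2012-4445 line ("longer message length than TLS data length") leaves it unclear which of the two lengths is the larger one; the upstream patch shipped in this same upload rejects a first fragment whose data length (len) exceeds the TLS Message Length field (message_length), so wording it as "first fragment longer than the indicated TLS Message Length" would match the patch description and the DSA text it references.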
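Review bot: in the debian/config/wpasupplicant/kfreebsd hunk (and identically in the linux hunk), the comment kept directly above CONFIG_READLINE=y still warns that linking readline means "BSD license may not apply for the resulting binary"; the changelog answers that with the choice of libreadline-gplv2-dev, but a one-line comment next to CONFIG_READLINE=y pointing at that decision would keep the build config and the changelog reasoning in sync for the next person who touches the file.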
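Review bot: the new libreadline-gplv2-dev entry in the debian/control hunk is neither architecture-qualified nor versioned, while the neighbouring libnl-genl-3-dev (>= 3.2.3-2~) [linux-any], libpcap-dev [kfreebsd-any] and libbsd-dev [kfreebsd-any] entries are; the unqualified form is correct because both the linux and kfreebsd configs now set CONFIG_READLINE=y, but confirm that no minimum readline version is needed for the wpa_cli build, and that this Build-Depends addition really is the only control change, since the request's claim that the udeb is untouched rests on that.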
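Review bot: the check added in eap_server_tls_process_fragment guards only the first fragment: it rejects len > message_length right before data->tls_in = wpabuf_alloc(message_length), but the path that appends subsequent fragments into the already-allocated data->tls_in lies outside this hunk, so confirm that it bounds each later fragment's len against the remaining room in the buffer as well, otherwise the same wpabuf length abort remains reachable via a later fragment. Also, the patch header carries From:, Date:, Subject: and X-Git-Url: but no Bug-Debian: line for #689990, which the changelog closes with this patch; adding it would give the DEP-3 headers the link back to the Debian bug.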
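Review bot: the entry added to debian/patches/series, EAP-TLS-server_fix-TLS-Message-length-validation.patch, carries no numeric prefix, unlike 12_wpa_gui_knotify_support.patch and 13_human_readable_signal.patch in the same hunk; libnl3-includes.patch already departs from that convention, but a prefix, or the CVE identifier in the file name, would make both the application order and the security relevance visible from the series file alone.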