
Bug#690074: wpa will not migrate, upload to tpu?



Hi,

wpa has been updated in unstable for CVE-2012-4445, and subsequently
unblocked. However it picked up an enhanced dependency on pcsc-lite in
unstable and hence cannot migrate.

One solution could be to unblock pcsc-lite, but the feasibility of this I
leave up to the release team.

The other solution is an upload to tpu; I've just taken all changes from
unstable since they were already unblocked and hence deemed acceptable for
wheezy. See attached debdiff. If this is the preferred solution, let me
know so I can actually upload.


Cheers,
Thijs
diff -Nru wpa-1.0/debian/changelog wpa-1.0/debian/changelog
--- wpa-1.0/debian/changelog	2012-05-13 20:39:47.000000000 +0000
+++ wpa-1.0/debian/changelog	2012-10-13 14:58:25.000000000 +0000
@@ -1,3 +1,19 @@
+wpa (1.0-2+wheezy1) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload.
+  * Rebuild for wheezy.
+
+  [ Stefan Lippers-Hollmann ]
+  * ship forgotten README-P2P.
+  * revert to GNU readline for wpa_cli, instead of using the internal readline
+    implementation added in wpa 1~. Prefer libreadline-gplv2-dev, because libnl
+    is GPL-2 (only) - switching back to the internal readline implementation is
+    targeted for wheezy+1 (Closes: #677993, #678077).
+  * Fix DoS via specially crafted EAP-TLS messages with longer message
+    length than TLS data length (CVE-2012-4445, DSA 2557-1, Closes: #689990).
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Sat, 13 Oct 2012 14:48:08 +0000
+
 wpa (1.0-2) unstable; urgency=low
 
   * Really enable hardened build flags, thanks Simon Ruderich
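Review bot: The CVE-2012-4445 bullet in the new changelog stanza does not name the affected component. The patch description shipped in this same upload says the flaw is in the EAP-TLS/PEAP/TTLS/FAST server code used by hostapd's internal EAP authentication server, and that setups using an external authentication server are not affected. Suggest naming hostapd in that bullet so an administrator reading the changelog can tell whether the fix is relevant to their installation.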
diff -Nru wpa-1.0/debian/config/wpasupplicant/kfreebsd wpa-1.0/debian/config/wpasupplicant/kfreebsd
--- wpa-1.0/debian/config/wpasupplicant/kfreebsd	2012-04-13 23:13:49.000000000 +0000
+++ wpa-1.0/debian/config/wpasupplicant/kfreebsd	2012-10-08 16:32:27.000000000 +0000
@@ -238,11 +238,11 @@
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
-#CONFIG_READLINE=y
+CONFIG_READLINE=y
 
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
-CONFIG_WPA_CLI_EDIT=y
+#CONFIG_WPA_CLI_EDIT=y
 
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
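Review bot: Enabling CONFIG_READLINE=y and commenting out CONFIG_WPA_CLI_EDIT=y leaves no rationale in the config file itself, while the context comment directly above warns that with these libraries the BSD license may not apply to the resulting wpa_cli binary. Suggest a one-line comment next to the two toggles that points at #677993 and #678077 and at the stated plan to return to the internal line editor after wheezy, so the deviation is not silently carried forward. The same applies to the identical change in the linux config.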
diff -Nru wpa-1.0/debian/config/wpasupplicant/linux wpa-1.0/debian/config/wpasupplicant/linux
--- wpa-1.0/debian/config/wpasupplicant/linux	2012-04-13 23:13:49.000000000 +0000
+++ wpa-1.0/debian/config/wpasupplicant/linux	2012-10-08 16:32:27.000000000 +0000
@@ -237,11 +237,11 @@
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
-#CONFIG_READLINE=y
+CONFIG_READLINE=y
 
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
-CONFIG_WPA_CLI_EDIT=y
+#CONFIG_WPA_CLI_EDIT=y
 
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
diff -Nru wpa-1.0/debian/control wpa-1.0/debian/control
--- wpa-1.0/debian/control	2012-04-14 00:57:03.000000000 +0000
+++ wpa-1.0/debian/control	2012-06-21 22:42:59.000000000 +0000
@@ -16,6 +16,7 @@
  libnl-genl-3-dev (>= 3.2.3-2~) [linux-any],
  libpcap-dev [kfreebsd-any],
  libbsd-dev [kfreebsd-any],
+ libreadline-gplv2-dev,
  pkg-config,
  qt4-qmake,
  docbook-to-man,
diff -Nru wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch
--- wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch	1970-01-01 00:00:00.000000000 +0000
+++ wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch	2012-10-08 15:34:24.000000000 +0000
@@ -0,0 +1,43 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 7 Oct 2012 17:06:29 +0000 (+0300)
+Subject: EAP-TLS server: Fix TLS Message Length validation
+X-Git-Url: http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=586c446e0ff42ae00315b014924ec669023bd8de
+
+EAP-TLS server: Fix TLS Message Length validation
+
+EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
+Message Length value properly and could end up trying to store more
+information into the message buffer than the allocated size if the first
+fragment is longer than the indicated size. This could result in hostapd
+process terminating in wpabuf length validation. Fix this by rejecting
+messages that have invalid TLS Message Length value.
+
+This would affect cases that use the internal EAP authentication server
+in hostapd either directly with IEEE 802.1X or when using hostapd as a
+RADIUS authentication server and when receiving an incorrectly
+constructed EAP-TLS message. Cases where hostapd uses an external
+authentication are not affected.
+
+Thanks to Timo Warns for finding and reporting this issue.
+
+Signed-hostap: Jouni Malinen <j@w1.fi>
+intended-for: hostap-1
+---
+
+--- a/src/eap_server/eap_server_tls_common.c
++++ b/src/eap_server/eap_server_tls_common.c
+@@ -224,6 +224,14 @@ static int eap_server_tls_process_fragme
+ 			return -1;
+ 		}
+ 
++		if (len > message_length) {
++			wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
++				   "first fragment of frame (TLS Message "
++				   "Length %d bytes)",
++				   (int) len, (int) message_length);
++			return -1;
++		}
++
+ 		data->tls_in = wpabuf_alloc(message_length);
+ 		if (data->tls_in == NULL) {
+ 			wpa_printf(MSG_DEBUG, "SSL: No memory for message");
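Review bot: The added `if (len > message_length)` check covers only the first fragment, as its own log text says; the hunk does not show whether later fragments that together exceed message_length are rejected with an error or still reach the wpabuf length validation that terminates the process. That path should be confirmed before this is treated as the complete fix for the DoS. Separately, the log call casts len and message_length to int for %d; if either is an unsigned type, an oversized value would print as a negative number, so an unsigned format and cast would make the rejected-message log line more useful for diagnosis.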
diff -Nru wpa-1.0/debian/patches/series wpa-1.0/debian/patches/series
--- wpa-1.0/debian/patches/series	2012-04-17 11:03:56.000000000 +0000
+++ wpa-1.0/debian/patches/series	2012-10-08 15:34:24.000000000 +0000
@@ -6,3 +6,4 @@
 12_wpa_gui_knotify_support.patch
 13_human_readable_signal.patch
 libnl3-includes.patch
+EAP-TLS-server_fix-TLS-Message-length-validation.patch
diff -Nru wpa-1.0/debian/wpasupplicant.docs wpa-1.0/debian/wpasupplicant.docs
--- wpa-1.0/debian/wpasupplicant.docs	2012-04-07 22:57:32.000000000 +0000
+++ wpa-1.0/debian/wpasupplicant.docs	2012-06-19 16:05:41.000000000 +0000
@@ -1,2 +1,3 @@
 wpa_supplicant/README
 wpa_supplicant/README-WPS
+wpa_supplicant/README-P2P
