Your message dated Wed, 7 Nov 2012 12:25:32 +0100
with message-id <20121107112532.GD17465@radis.cristau.org>
and subject line Re: Bug#690074: wpa will not migrate, upload to tpu?
has caused the Debian Bug report #690074,
regarding unblock: wpa/1.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
690074: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690074
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock: wpa/1.0-3
- From: "Stefan Lippers-Hollmann" <s.L-H@gmx.de>
- Date: Tue, 9 Oct 2012 20:26:48 +0200
- Message-id: <201210092026.49573.s.L-H@gmx.de>
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
X-Debbugs-CC: Debian wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>

Please unblock package wpa

Hi

This unblock request for wpa 1.0-3 follows on the heels of DSA 2557-1
https://lists.debian.org/debian-security-announce/2012/msg00201.html
for hostapd, which is now part of the wpa source package in >=wheezy.
Besides the security bugfix for CVE-2012-4445 it contains two small changes:

- adding an additional README(-P2P) to the wpasupplicant package.
  - debian/wpasupplicant.docs
- reverting back from wpa_cli's own crude readline implementation to using
  readline, as it was used before up to wpasupplicant 0.7.3. This fixes two
  relatively minor, but quite annoying and end-user visible usability
  regressions[1, 2]. This change has been tested for quite a while and
  relying on readline is still the default in all other distributions. This
  change only affects /sbin/wpa_cli, which is not part of the udeb and
  therefore doesn't affect it or its footprint.
  - debian/config/wpasupplicant/kfreebsd
  - debian/config/wpasupplicant/linux
  - debian/control

The urgency follows the example set by the security team for hostapd
1:0.6.10-2+squeeze1, as this security issue may be exploited remotely.

wpa 1.0-3 has been built successfully on all architectures by now and
uploaded to all but powerpc at this moment; the udeb is not affected by any
of these changes.

So please consider unblocking wpa/1.0-3.

Regards
	Stefan Lippers-Hollmann

diff -Nru wpa-1.0/debian/changelog wpa-1.0/debian/changelog --- wpa-1.0/debian/changelog 2012-05-13 22:39:47.000000000 +0200 +++ wpa-1.0/debian/changelog 2012-10-08 23:18:18.000000000 +0200 
@@ -1,3 +1,15 @@ +wpa (1.0-3) unstable; urgency=high + + * ship forgotten README-P2P. + * revert to GNU readline for wpa_cli, instead of using the internal readline + implementation added in wpa 1~. Prefer libreadline-gplv2-dev, because libnl + is GPL-2 (only) - switching back to the internal readline implementation is + targeted for wheezy+1 (Closes: #677993, #678077). + * Fix DoS via specially crafted EAP-TLS messages with longer message + length than TLS data length (CVE-2012-4445, DSA 2557-1, Closes: #689990). + + -- Stefan Lippers-Hollmann <s.l-h@gmx.de> Mon, 08 Oct 2012 17:48:04 +0200 + wpa (1.0-2) unstable; urgency=low * Really enable hardened build flags, thanks Simon Ruderich diff -Nru wpa-1.0/debian/config/wpasupplicant/kfreebsd wpa-1.0/debian/config/wpasupplicant/kfreebsd --- wpa-1.0/debian/config/wpasupplicant/kfreebsd 2012-04-14 01:13:49.000000000 +0200 +++ wpa-1.0/debian/config/wpasupplicant/kfreebsd 2012-10-08 18:32:27.000000000 +0200 @@ -238,11 +238,11 @@ # When building a wpa_cli binary for distribution, please note that these # libraries are licensed under GPL and as such, BSD license may not apply for # the resulting binary. -#CONFIG_READLINE=y +CONFIG_READLINE=y # Include internal line edit mode in wpa_cli. This can be used as a replacement # for GNU Readline to provide limited command line editing and history support. -CONFIG_WPA_CLI_EDIT=y +#CONFIG_WPA_CLI_EDIT=y # Remove debugging code that is printing out debug message to stdout. # This can be used to reduce the size of the wpa_supplicant considerably diff -Nru wpa-1.0/debian/config/wpasupplicant/linux wpa-1.0/debian/config/wpasupplicant/linux --- wpa-1.0/debian/config/wpasupplicant/linux 2012-04-14 01:13:49.000000000 +0200 +++ wpa-1.0/debian/config/wpasupplicant/linux 2012-10-08 18:32:27.000000000 +0200 
@@ -237,11 +237,11 @@ # When building a wpa_cli binary for distribution, please note that these # libraries are licensed under GPL and as such, BSD license may not apply for # the resulting binary. -#CONFIG_READLINE=y +CONFIG_READLINE=y # Include internal line edit mode in wpa_cli. This can be used as a replacement # for GNU Readline to provide limited command line editing and history support. -CONFIG_WPA_CLI_EDIT=y +#CONFIG_WPA_CLI_EDIT=y # Remove debugging code that is printing out debug message to stdout. # This can be used to reduce the size of the wpa_supplicant considerably diff -Nru wpa-1.0/debian/control wpa-1.0/debian/control --- wpa-1.0/debian/control 2012-04-14 02:57:03.000000000 +0200 +++ wpa-1.0/debian/control 2012-06-22 00:42:59.000000000 +0200 @@ -16,6 +16,7 @@ libnl-genl-3-dev (>= 3.2.3-2~) [linux-any], libpcap-dev [kfreebsd-any], libbsd-dev [kfreebsd-any], + libreadline-gplv2-dev, pkg-config, qt4-qmake, docbook-to-man, diff -Nru wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch --- wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch 1970-01-01 01:00:00.000000000 +0100 +++ wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch 2012-10-08 17:34:24.000000000 +0200 
@@ -0,0 +1,43 @@ +From: Jouni Malinen <j@w1.fi> +Date: Sun, 7 Oct 2012 17:06:29 +0000 (+0300) +Subject: EAP-TLS server: Fix TLS Message Length validation +X-Git-Url: http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=586c446e0ff42ae00315b014924ec669023bd8de + +EAP-TLS server: Fix TLS Message Length validation + +EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS +Message Length value properly and could end up trying to store more +information into the message buffer than the allocated size if the first +fragment is longer than the indicated size. This could result in hostapd +process terminating in wpabuf length validation. Fix this by rejecting +messages that have invalid TLS Message Length value. + +This would affect cases that use the internal EAP authentication server +in hostapd either directly with IEEE 802.1X or when using hostapd as a +RADIUS authentication server and when receiving an incorrectly +constructed EAP-TLS message. Cases where hostapd uses an external +authentication are not affected. + +Thanks to Timo Warns for finding and reporting this issue. + +Signed-hostap: Jouni Malinen <j@w1.fi> +intended-for: hostap-1 +--- + +--- a/src/eap_server/eap_server_tls_common.c ++++ b/src/eap_server/eap_server_tls_common.c +@@ -224,6 +224,14 @@ static int eap_server_tls_process_fragme + return -1; + } + ++ if (len > message_length) { ++ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " ++ "first fragment of frame (TLS Message " ++ "Length %d bytes)", ++ (int) len, (int) message_length); ++ return -1; ++ } ++ + data->tls_in = wpabuf_alloc(message_length); + if (data->tls_in == NULL) { + wpa_printf(MSG_DEBUG, "SSL: No memory for message"); diff -Nru wpa-1.0/debian/patches/series wpa-1.0/debian/patches/series --- wpa-1.0/debian/patches/series 2012-04-17 13:03:56.000000000 +0200 +++ wpa-1.0/debian/patches/series 2012-10-08 17:34:24.000000000 +0200 
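Review bot: the new `if (len > message_length)` guard is placed correctly, ahead of `data->tls_in = wpabuf_alloc(message_length)`, so a first fragment that carries more data than the TLS Message Length it announces is rejected before a buffer too small for it exists; per the commit message the old code only noticed the mismatch when wpabuf's own length validation fired, which took the whole hostapd process down. Two things to confirm in the parts of eap_server_tls_process_fragment that the hunk's context does not show: that fragments after the first are checked against the remaining room in data->tls_in, and that message_length has an upper bound of its own, since otherwise a single EAP peer still dictates the size of that allocation. Keep the MSG_INFO level: the "SSL: Too much data ... in first fragment of frame" line is the only observable trace of a rejected fragment and is what an operator would search logs for. On the packaging side, the patch file carries only From/Date/Subject/X-Git-Url headers; adding DEP-3 `Origin: upstream, http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=586c446e0ff42ae00315b014924ec669023bd8de` and `Bug-Debian: http://bugs.debian.org/689990` lines would record the provenance in the form patch tooling reads.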
@@ -6,3 +6,4 @@ 12_wpa_gui_knotify_support.patch 13_human_readable_signal.patch libnl3-includes.patch +EAP-TLS-server_fix-TLS-Message-length-validation.patch diff -Nru wpa-1.0/debian/wpasupplicant.docs wpa-1.0/debian/wpasupplicant.docs --- wpa-1.0/debian/wpasupplicant.docs 2012-04-08 00:57:32.000000000 +0200 +++ wpa-1.0/debian/wpasupplicant.docs 2012-06-19 18:05:41.000000000 +0200 @@ -1,2 +1,3 @@ wpa_supplicant/README wpa_supplicant/README-WPS +wpa_supplicant/README-P2P unblock wpa/1.0-3 [1] http://bugs.debian.org/677993 [2] http://bugs.debian.org/678077Attachment: signature.asc
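Review bot: the CVE entry in the changelog hunk, "longer message length than TLS data length", can be read as the announced length exceeding the payload, which is the opposite of what the included patch rejects (`if (len > message_length)`: a first fragment whose data is longer than the TLS Message Length it announces). Suggest "first EAP-TLS fragment longer than its announced TLS Message Length" so the changelog matches the fix; the DSA and bug references are fine as they are.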
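Review bot: in the debian/control hunk, libreadline-gplv2-dev is added without an architecture qualifier, while the libnl build-dependency that the changelog gives as the reason for choosing the GPLv2 flavour is restricted to [linux-any]. Since the kfreebsd and linux config hunks enable CONFIG_READLINE identically, one readline flavour for both architectures is reasonable, but a short comment next to the dependency stating that libreadline-gplv2-dev is chosen for licence compatibility with libnl on linux would keep a later cleanup from swapping in libreadline-dev.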
Description: This is a digitally signed message part.
--- End Message ---
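The TLS Message Length check described in the upstream commit message above, as an added example written for this page in C. It is not hostapd's code: `TLS_MSG_MAX`, the function names and the constructed sample fragments are this example's own assumptions. It models server-side EAP-TLS reassembly (RFC 5216 Flags byte plus optional 4-byte TLS Message Length), rejects a first fragment carrying more data than the length it announces, bounds later fragments by the room left in the buffer, and accepts a well-formed two-fragment message.

```c
/* Added example, not hostapd code: a minimal model of server-side EAP-TLS
 * fragment reassembly with the bound added for CVE-2012-4445. TLS_MSG_MAX,
 * all names and the sample fragments are this example's own assumptions;
 * EAP-TLS ACKs (a Flags byte and nothing else) are out of scope. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80  /* L bit */
#define EAP_TLS_FLAGS_MORE_FRAGMENTS  0x40  /* M bit */
#define TLS_MSG_MAX 65536u                  /* assumed cap on one reassembly buffer */

enum frag_result { FRAG_ERROR = -1, FRAG_DONE = 0, FRAG_MORE = 1 };

/* Per-session reassembly buffer; plays the role of data->tls_in. */
struct tls_reasm {
    uint8_t *buf;        /* NULL until the first fragment has been accepted */
    size_t alloc, used;  /* capacity (the announced TLS Message Length), bytes stored */
};

/* data/len is the EAP-TLS Data field, starting at the Flags byte. */
static enum frag_result eap_tls_process_fragment(struct tls_reasm *r,
                                                 const uint8_t *data, size_t len)
{
    if (len < 1) return FRAG_ERROR;
    int more = data[0] & EAP_TLS_FLAGS_MORE_FRAGMENTS;
    int have_length = data[0] & EAP_TLS_FLAGS_LENGTH_INCLUDED;
    data++; len--;
    uint32_t message_length = 0;
    if (have_length) {
        if (len < 4) return FRAG_ERROR;
        message_length = ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16) |
                         ((uint32_t)data[2] << 8) | data[3];
        data += 4; len -= 4;
    }
    if (r->buf == NULL) {
        /* First fragment, or an unfragmented message: size the buffer. */
        if (more && !have_length) return FRAG_ERROR;  /* RFC 5216: first fragment must carry L */
        if (!have_length) message_length = (uint32_t)len;
        if (message_length == 0 || message_length > TLS_MSG_MAX) return FRAG_ERROR;
        /* The CVE-2012-4445 bound: the data must fit the buffer sized from the
         * announced length, or the memcpy below would run past its end. */
        if (len > message_length) {
            fprintf(stderr, "SSL: Too much data (%zu bytes) in first fragment "
                    "(TLS Message Length %u bytes)\n", len, message_length);
            return FRAG_ERROR;
        }
        r->buf = malloc(message_length);
        if (r->buf == NULL) return FRAG_ERROR;
        r->alloc = message_length;
    } else if (len > r->alloc - r->used) {
        return FRAG_ERROR;  /* later fragment larger than the room that is left */
    }
    memcpy(r->buf + r->used, data, len);
    r->used += len;
    if (more) return FRAG_MORE;
    return r->used == r->alloc ? FRAG_DONE : FRAG_ERROR;  /* final fragment came up short */
}

/* Constructed sample fragments: Flags, [TLS Message Length], TLS data. */
static const uint8_t good1[] = {0xC0, 0, 0, 0, 10, 'A', 'B', 'C', 'D', 'E'};       /* L|M, announces 10 */
static const uint8_t good2[] = {0x00, 'F', 'G', 'H', 'I', 'J'};                     /* final 5 bytes */
static const uint8_t bad_first[] = {0xC0, 0, 0, 0, 4, 'A', 'B', 'C', 'D', 'E'};     /* announces 4, carries 5 */
static const uint8_t bad_second[] = {0x00, 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M'}; /* 8 bytes into 5 of room */

int demo_well_formed(void)  /* 1 when 5 + 5 bytes reassemble to "ABCDEFGHIJ" */
{
    struct tls_reasm r = {0};
    int ok = eap_tls_process_fragment(&r, good1, sizeof good1) == FRAG_MORE &&
             eap_tls_process_fragment(&r, good2, sizeof good2) == FRAG_DONE &&
             r.used == 10 && memcmp(r.buf, "ABCDEFGHIJ", 10) == 0;
    free(r.buf);
    return ok;
}

int demo_oversized_first(void)  /* 1 when the CVE-2012-4445 shape is rejected before any allocation */
{
    struct tls_reasm r = {0};
    return eap_tls_process_fragment(&r, bad_first, sizeof bad_first) == FRAG_ERROR &&
           r.buf == NULL;
}

int demo_oversized_later(void)  /* 1 when a later fragment that would overrun the buffer is rejected */
{
    struct tls_reasm r = {0};
    int ok = eap_tls_process_fragment(&r, good1, sizeof good1) == FRAG_MORE &&
             eap_tls_process_fragment(&r, bad_second, sizeof bad_second) == FRAG_ERROR &&
             r.used == 5;
    free(r.buf);
    return ok;
}
```

Any C99 compiler builds this stand-alone; each `demo_*` function returns 1 on the outcome it describes. The `bad_first` sample is the shape of the CVE: the M flag set with a TLS Message Length smaller than the data in the same fragment, which without the bound would size the buffer from the small announced value and then copy more than that into it.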
--- Begin Message ---
- To: Thijs Kinkhorst <thijs@debian.org>, 690074-done@bugs.debian.org
- Cc: pkg-wpa-devel@lists.alioth.debian.org
- Subject: Re: Bug#690074: wpa will not migrate, upload to tpu?
- From: Julien Cristau <jcristau@debian.org>
- Date: Wed, 7 Nov 2012 12:25:32 +0100
- Message-id: <20121107112532.GD17465@radis.cristau.org>
- In-reply-to: <20121013183909.GY17465@radis.cristau.org>
- References: <77255fbd77d5f139c6b4606ccbb753e4.squirrel@aphrodite.kinkhorst.nl> <20121013183909.GY17465@radis.cristau.org>
On Sat, Oct 13, 2012 at 20:39:09 +0200, Julien Cristau wrote:
> On Sat, Oct 13, 2012 at 17:08:33 +0200, Thijs Kinkhorst wrote:
> > Hi,
> >
> > wpa has been updated in unstable for CVE-2012-4445, and subsequently
> > unblocked. However it picked up an enhanced dependency on pcsc-lite in
> > unstable and hence cannot migrate.
> >
> > One solution could be to unblock pcsc-lite, but the feasibility of this I
> > leave up to the release team.
> >
> > The other solution is an upload to tpu; I've just taken all changes from
> > unstable since they were already unblocked and hence deemed acceptable for
> > wheezy. See attached debdiff. If this is the preferred solution, let me
> > know so I can actually upload.
> >
> The third solution is to fix libpcsclite1.symbols to not lie about the
> needed version, and then rebuild wpa.
>
binNMUs scheduled against libpcsclite1 (>= 1.8.6-3).

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature
--- End Message ---