
Bug#690078: marked as done (unblock: wpa/1.0-3)



Your message dated Mon, 12 Nov 2012 17:35:09 +0000
with message-id <1352741709.27968.61.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#690074: wpa will not migrate, upload to tpu?
has caused the Debian Bug report #690074,
regarding unblock: wpa/1.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
690074: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690074
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
X-Debbugs-CC: Debian wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>

Please unblock package wpa

Hi

This unblock request for wpa 1.0-3 follows on the heels of DSA 2557-1
https://lists.debian.org/debian-security-announce/2012/msg00201.html
for hostapd, which is now part of the wpa source package in >=wheezy.

Besides the security bugfix for CVE-2012-4445 it contains two small
changes:

- adding an additional README(-P2P) to the wpasupplicant package.
  - debian/wpasupplicant.docs
- reverting back from wpa_cli's own crude readline implementation to
  using readline, as it was used before up to wpasupplicant 0.7.3.
  This fixes two relatively minor, but quite annoying and end-user 
  visible usability regressions[1, 2]. This change has been tested for 
  quite a while and relying on readline is still the default in all 
  other distributions. This change only affects /sbin/wpa_cli, which 
  is not part of the udeb and therefore doesn't affect it or its 
  footprint.
  - debian/config/wpasupplicant/kfreebsd
  - debian/config/wpasupplicant/linux
  - debian/control

The urgency follows the example set by the security team for hostapd
1:0.6.10-2+squeeze1, as this security issue may be exploited remotely.

wpa 1.0-3 has been built successfully on all architectures by now and
uploaded to all but powerpc at this moment; the udeb is not affected
by any of these changes. So please consider unblocking wpa/1.0-3.

Regards
	Stefan Lippers-Hollmann

diff -Nru wpa-1.0/debian/changelog wpa-1.0/debian/changelog
--- wpa-1.0/debian/changelog	2012-05-13 22:39:47.000000000 +0200
+++ wpa-1.0/debian/changelog	2012-10-08 23:18:18.000000000 +0200
@@ -1,3 +1,15 @@
+wpa (1.0-3) unstable; urgency=high
+
+  * ship forgotten README-P2P.
+  * revert to GNU readline for wpa_cli, instead of using the internal readline
+    implementation added in wpa 1~. Prefer libreadline-gplv2-dev, because libnl
+    is GPL-2 (only) - switching back to the internal readline implementation is
+    targeted for wheezy+1 (Closes: #677993, #678077).
+  * Fix DoS via specially crafted EAP-TLS messages with longer message
+    length than TLS data length (CVE-2012-4445, DSA 2557-1, Closes: #689990).
+
+ -- Stefan Lippers-Hollmann <s.l-h@gmx.de>  Mon, 08 Oct 2012 17:48:04 +0200
+
 wpa (1.0-2) unstable; urgency=low
 
   * Really enable hardened build flags, thanks Simon Ruderich
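
Review bot: the 1.0-3 entry sets urgency=high while also carrying two items unrelated to CVE-2012-4445 (shipping README-P2P and the readline revert), so those changes migrate at the security fix's urgency. Consider saying in the entry that the urgency is justified by the CVE-2012-4445 fix alone, so a reader of the changelog can tell which item drives it.
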
diff -Nru wpa-1.0/debian/config/wpasupplicant/kfreebsd wpa-1.0/debian/config/wpasupplicant/kfreebsd
--- wpa-1.0/debian/config/wpasupplicant/kfreebsd	2012-04-14 01:13:49.000000000 +0200
+++ wpa-1.0/debian/config/wpasupplicant/kfreebsd	2012-10-08 18:32:27.000000000 +0200
@@ -238,11 +238,11 @@
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
-#CONFIG_READLINE=y
+CONFIG_READLINE=y
 
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
-CONFIG_WPA_CLI_EDIT=y
+#CONFIG_WPA_CLI_EDIT=y
 
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
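
Review bot: the switch to "CONFIG_READLINE=y" sits directly under the upstream comment warning that these libraries are GPL and that the BSD license may not apply to the resulting wpa_cli binary, yet the config file itself records no reason for turning it on. A short comment next to the toggle pointing at #677993 and #678077, and at the planned return to CONFIG_WPA_CLI_EDIT for wheezy+1, would keep the rationale with the setting; the same applies to the identical hunk in debian/config/wpasupplicant/linux.
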
diff -Nru wpa-1.0/debian/config/wpasupplicant/linux wpa-1.0/debian/config/wpasupplicant/linux
--- wpa-1.0/debian/config/wpasupplicant/linux	2012-04-14 01:13:49.000000000 +0200
+++ wpa-1.0/debian/config/wpasupplicant/linux	2012-10-08 18:32:27.000000000 +0200
@@ -237,11 +237,11 @@
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
-#CONFIG_READLINE=y
+CONFIG_READLINE=y
 
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
-CONFIG_WPA_CLI_EDIT=y
+#CONFIG_WPA_CLI_EDIT=y
 
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
diff -Nru wpa-1.0/debian/control wpa-1.0/debian/control
--- wpa-1.0/debian/control	2012-04-14 02:57:03.000000000 +0200
+++ wpa-1.0/debian/control	2012-06-22 00:42:59.000000000 +0200
@@ -16,6 +16,7 @@
  libnl-genl-3-dev (>= 3.2.3-2~) [linux-any],
  libpcap-dev [kfreebsd-any],
  libbsd-dev [kfreebsd-any],
+ libreadline-gplv2-dev,
  pkg-config,
  qt4-qmake,
  docbook-to-man,
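
Review bot: "libreadline-gplv2-dev," is added with no architecture qualifier, while the changelog justifies choosing it by libnl being GPL-2 only and libnl-genl-3-dev is listed as [linux-any] two lines above. The build dependency therefore also applies on kfreebsd-any, where that rationale does not hold; either note in the changelog that the same readline flavour is used everywhere for consistency, or state the reason separately for the kfreebsd build.
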
diff -Nru wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch
--- wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch	1970-01-01 01:00:00.000000000 +0100
+++ wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch	2012-10-08 17:34:24.000000000 +0200
@@ -0,0 +1,43 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 7 Oct 2012 17:06:29 +0000 (+0300)
+Subject: EAP-TLS server: Fix TLS Message Length validation
+X-Git-Url: http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=586c446e0ff42ae00315b014924ec669023bd8de
+
+EAP-TLS server: Fix TLS Message Length validation
+
+EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
+Message Length value properly and could end up trying to store more
+information into the message buffer than the allocated size if the first
+fragment is longer than the indicated size. This could result in hostapd
+process terminating in wpabuf length validation. Fix this by rejecting
+messages that have invalid TLS Message Length value.
+
+This would affect cases that use the internal EAP authentication server
+in hostapd either directly with IEEE 802.1X or when using hostapd as a
+RADIUS authentication server and when receiving an incorrectly
+constructed EAP-TLS message. Cases where hostapd uses an external
+authentication are not affected.
+
+Thanks to Timo Warns for finding and reporting this issue.
+
+Signed-hostap: Jouni Malinen <j@w1.fi>
+intended-for: hostap-1
+---
+
+--- a/src/eap_server/eap_server_tls_common.c
++++ b/src/eap_server/eap_server_tls_common.c
+@@ -224,6 +224,14 @@ static int eap_server_tls_process_fragme
+ 			return -1;
+ 		}
+ 
++		if (len > message_length) {
++			wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
++				   "first fragment of frame (TLS Message "
++				   "Length %d bytes)",
++				   (int) len, (int) message_length);
++			return -1;
++		}
++
+ 		data->tls_in = wpabuf_alloc(message_length);
+ 		if (data->tls_in == NULL) {
+ 			wpa_printf(MSG_DEBUG, "SSL: No memory for message");
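
Review bot: in the new wpa_printf call, both lengths are cast with "(int) len, (int) message_length" and printed with %d, and message_length is the TLS Message Length value taken from the received message. A value above INT_MAX would be logged as a negative number, which makes the rejection line misleading when triaging a malformed-frame report; printing both as unsigned (for example an unsigned long cast with %lu) would keep the log faithful to what was received. The placement of the check itself, before wpabuf_alloc(message_length), is where it needs to be. Separately, the patch header carries From, Date, Subject and X-Git-Url but no reference to #689990 or CVE-2012-4445; adding those would tie the file in debian/patches to the bug it closes.
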
diff -Nru wpa-1.0/debian/patches/series wpa-1.0/debian/patches/series
--- wpa-1.0/debian/patches/series	2012-04-17 13:03:56.000000000 +0200
+++ wpa-1.0/debian/patches/series	2012-10-08 17:34:24.000000000 +0200
@@ -6,3 +6,4 @@
 12_wpa_gui_knotify_support.patch
 13_human_readable_signal.patch
 libnl3-includes.patch
+EAP-TLS-server_fix-TLS-Message-length-validation.patch
diff -Nru wpa-1.0/debian/wpasupplicant.docs wpa-1.0/debian/wpasupplicant.docs
--- wpa-1.0/debian/wpasupplicant.docs	2012-04-08 00:57:32.000000000 +0200
+++ wpa-1.0/debian/wpasupplicant.docs	2012-06-19 18:05:41.000000000 +0200
@@ -1,2 +1,3 @@
 wpa_supplicant/README
 wpa_supplicant/README-WPS
+wpa_supplicant/README-P2P



unblock wpa/1.0-3

[1]	http://bugs.debian.org/677993
[2]	http://bugs.debian.org/678077


--- End Message ---
--- Begin Message ---
On Mon, 2012-11-12 at 18:28 +0100, Cyril Brulebois wrote:
> Adam D. Barratt <adam@adam-barratt.org.uk> (12/11/2012):
> > However, it's still lacking a d-i ack afaics.
> 
> d-i ack, thanks.

unblock-udeb added; thanks.

Regards,

Adam

--- End Message ---
