Bug#832004: jessie-pu: package wpa/2.3-1+deb8u4

To: Andrew Shadura <andrewsh@debian.org>, 832004@bugs.debian.org
Subject: Bug#832004: jessie-pu: package wpa/2.3-1+deb8u4
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Thu, 21 Jul 2016 10:32:20 +0100
Message-id: <[🔎] b489746df78e08f5128b61cea6474797@mail.adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 832004@bugs.debian.org
In-reply-to: <[🔎] 146909109648.30717.2945556256478801935.reportbug@nuevo>
References: <[🔎] 146909109648.30717.2945556256478801935.reportbug@nuevo>

Control: tags -1 + moreinfo

On 2016-07-21 9:51, Andrew Shadura wrote:

I have prepared an upload fixing CVE-2016-4476 and CVE-2016-4477.
Please find the attached debdiff.

I may be missing something, but what do these changes have to do withfixing either of the CVEs you mentioned?

patches/2015-01/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch| 37 +patches/2015-01/wpa_supplicant-p2p-ssid-overflow.txt| 68 +patches/2015-02/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch| 44 +patches/2015-02/wps-upnp-http-chunked-transfer-encoding.txt| 73 +patches/2015-03/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch| 36patches/2015-04/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch| 68 +patches/2015-04/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch| 61 +patches/2015-04/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch| 47 +patches/2015-04/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch| 45 +patches/2015-04/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch| 27patches/2015-04/eap-pwd-missing-payload-length-validation.txt| 64 +patches/2015-05/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch| 56 +patches/2015-05/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt| 87 ++

These look like they're fixes for security issues, but not either of theones mentioned in the changelog. Hmmm, in fact they look like copies ofalready existing patches. For instance, this file:

patches/2015-04/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch| 68 +


appears to be a duplicate of:

patches/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch| 4

These don't appear to be security-related at all, nor mentioned in thechangelog:

patches/ap_config_c_fix-typo-for-capabilities.patch| 28patches/fix-minor-issue-in-HT40-max-rate-determination.patch| 25patches/fix-spelling-s-algorith-algorithm.patch| 25patches/improve-BSS-selection-with-default-noise-floor-value.patch| 158 ++++patches/select-AP-based-on-estimated-maximum-throughput.patch| 366 ++++++++++patches/wpa_supplicant-Fix-a-typo-in-wpa_scan_result_compar.patch| 26

I realise that none of the above are actually enabled indebian/patches/series, but that makes it even more confusing thatthey're in the diff. Please prepare and test a package that containsonly the changes relating to fixing CVE-2016-4476 and CVE-2016-4477 andprovide a debdiff of that.


[
The current diff is

 36 files changed, 1827 insertions(+), 14 deletions(-)

As far as I can tell, the actual functional changes are:

 8 files changed, 414 insertions(+)
]

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#832004: jessie-pu: package wpa/2.3-1+deb8u4
  - From: Andrew Shadura <andrew@shadura.me>

References:
- Bug#832004: jessie-pu: package wpa/2.3-1+deb8u4
  - From: Andrew Shadura <andrewsh@debian.org>

Prev by Date: Bug#832004: jessie-pu: package wpa/2.3-1+deb8u4
Next by Date: Processed: Re: Bug#832004: jessie-pu: package wpa/2.3-1+deb8u4
Previous by thread: Bug#832004: jessie-pu: package wpa/2.3-1+deb8u4
Next by thread: Bug#832004: jessie-pu: package wpa/2.3-1+deb8u4
Index(es):
- Date
- Thread