[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#949367: marked as done (stretch-pu: package wpa/2:2.4-1+deb9u6)

Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.camel@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #949367,
regarding stretch-pu: package wpa/2:2.4-1+deb9u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
949367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949367
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Please let wpa 2:2.4-1+deb9u5 into stretch.

This upload backports the following security patch:

 wpa (2:2.4-1+deb9u5) stretch; urgency=medium
 .
   * SECURITY UPDATE:
     - AP mode PMF disconnection protection bypass.
       More details:
        + https://w1.fi/security/2019-7/
       Closes: #940080 (CVE-2019-16275)

Please see the debdiff attached.

Thanks!

-- 
Andrej

diff --git a/debian/changelog b/debian/changelog
index 689d552..216a678 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+wpa (2:2.4-1+deb9u5) stretch; urgency=medium
+
+  * SECURITY UPDATE:
+    - AP mode PMF disconnection protection bypass.
+      More details:
+       + https://w1.fi/security/2019-7/
+      Closes: #940080 (CVE-2019-16275)
+
+ -- Andrej Shadura <andrewsh@debian.org>  Mon, 13 Jan 2020 11:06:28 +0100
+
 wpa (2:2.4-1+deb9u4) stretch-security; urgency=high
 
   * SECURITY UPDATE (2019-5):
diff --git a/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
new file mode 100644
index 0000000..12ff79b
--- /dev/null
+++ b/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c    | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -62,6 +62,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ 			   "no address");
+ 		return -1;
+ 	}
++
++	if (is_multicast_ether_addr(addr) ||
++	    is_zero_ether_addr(addr) ||
++	    os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++		/* Do not process any frames with unexpected/invalid SA so that
++		 * we do not add any state for unexpected STA addresses or end
++		 * up sending out frames to unexpected destination. */
++		wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++			   " in received indication - ignore this indication silently",
++			   __func__, MAC2STR(addr));
++		return 0;
++	}
++
+ 	random_add_randomness(addr, ETH_ALEN);
+ 
+ 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -2210,6 +2210,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ 	fc = le_to_host16(mgmt->frame_control);
+ 	stype = WLAN_FC_GET_STYPE(fc);
+ 
++	if (is_multicast_ether_addr(mgmt->sa) ||
++	    is_zero_ether_addr(mgmt->sa) ||
++	    os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++		/* Do not process any frames with unexpected/invalid SA so that
++		 * we do not add any state for unexpected STA addresses or end
++		 * up sending out frames to unexpected destination. */
++		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++			   " in received frame - ignore this frame silently",
++			   MAC2STR(mgmt->sa));
++		return 0;
++	}
++
+ 	if (stype == WLAN_FC_STYPE_BEACON) {
+ 		handle_beacon(hapd, mgmt, len, fi);
+ 		return 1;
+-- 
+2.20.1
+
diff --git a/debian/patches/series b/debian/patches/series
index e2b1ee9..e381596 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -56,3 +56,5 @@ CVE-2018-14526/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-
 2019-4/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
 2019-5/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
 2019-5/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
+
+2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
Reply to: