On 2017-10-24 08:14:47, Guido Günther wrote:
> Hi Antoine,
> (trimming the cc: list a bit)
>
> On Mon, Oct 23, 2017 at 07:43:49PM -0400, Antoine Beaupré wrote:
>> Hi,
>>
>> I have looked at backporting the "KRACK" patches down into wheezy. I'm a
>> little concerned about the results: I don't have a good grasp of WPA2
>> and particularly of the wpa_supplicant codebase. I don't even know if
>> wheezy is actually vulnerable, I went under the assumption that it was
>> vulnerable and carried on.
>>
>> Obviously, I don't have a full WPA stack to test this with here either:
>> my laptop is not running wheezy and I couldn't find a quick way to test
>> this directly, let alone mount a full attack to try and reproduce the
>> issue or confirm it is fixed.
>>
>> So I uploaded a test package to my usual repository:
>>
>> https://people.debian.org/~anarcat/debian/wheezy-lts/
>>
>> WARNING: I didn't test this in any way. I tried to make the patch
>> meaningful and the code compiled, but that's about it.
>>
>> A patch is attached for your perusal, but I am concerned about some bits
>> of the patchset, and I wonder if the version in wheezy might not be
>> vulnerable to even *more* issues. It's kind of scary to think that
>> wpa_supplicant is running, as root, on so many machines out there...
>
> Did you try reaching out to upstream to confirm if Wheezy is vulnerable?
> I'm pretty sure they have a good idea now about the affected versions
> given all the fuzz around KRACK.
> Cheers,
Good idea, I just did that.
A.
--
That's the kind of society I want to build. I want a guarantee - with
physics and mathematics, not with laws - that we can give ourselves
real privacy of personal communications.
- John Gilmore
