Bug#949367: stretch-pu: package wpa/2:2.4-1+deb9u5

Andrej Shadura Mon, 20 Jan 2020 01:57:00 -0800

Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu


Hi,

Please let wpa 2:2.4-1+deb9u5 into stretch.

This upload backports the following security patch:

 wpa (2:2.4-1+deb9u5) stretch; urgency=medium
 .
   * SECURITY UPDATE:
     - AP mode PMF disconnection protection bypass.
       More details:
        + https://w1.fi/security/2019-7/
       Closes: #940080 (CVE-2019-16275)

Please see the debdiff attached.

Thanks!

-- 
Andrej

diff --git a/debian/changelog b/debian/changelog
index 689d552..216a678 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+wpa (2:2.4-1+deb9u5) stretch; urgency=medium
+
+  * SECURITY UPDATE:
+    - AP mode PMF disconnection protection bypass.
+      More details:
+       + https://w1.fi/security/2019-7/
+      Closes: #940080 (CVE-2019-16275)
+
+ -- Andrej Shadura <[email protected]>  Mon, 13 Jan 2020 11:06:28 +0100
+
 wpa (2:2.4-1+deb9u4) stretch-security; urgency=high
 
   * SECURITY UPDATE (2019-5):
diff --git 
a/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
 
b/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
new file mode 100644
index 0000000..12ff79b
--- /dev/null
+++ 
b/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <[email protected]>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <[email protected]>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c    | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -62,6 +62,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 
*addr,
+                          "no address");
+               return -1;
+       }
++
++      if (is_multicast_ether_addr(addr) ||
++          is_zero_ether_addr(addr) ||
++          os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++              /* Do not process any frames with unexpected/invalid SA so that
++               * we do not add any state for unexpected STA addresses or end
++               * up sending out frames to unexpected destination. */
++              wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++                         " in received indication - ignore this indication 
silently",
++                         __func__, MAC2STR(addr));
++              return 0;
++      }
++
+       random_add_randomness(addr, ETH_ALEN);
+ 
+       hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -2210,6 +2210,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 
*buf, size_t len,
+       fc = le_to_host16(mgmt->frame_control);
+       stype = WLAN_FC_GET_STYPE(fc);
+ 
++      if (is_multicast_ether_addr(mgmt->sa) ||
++          is_zero_ether_addr(mgmt->sa) ||
++          os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++              /* Do not process any frames with unexpected/invalid SA so that
++               * we do not add any state for unexpected STA addresses or end
++               * up sending out frames to unexpected destination. */
++              wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++                         " in received frame - ignore this frame silently",
++                         MAC2STR(mgmt->sa));
++              return 0;
++      }
++
+       if (stype == WLAN_FC_STYPE_BEACON) {
+               handle_beacon(hapd, mgmt, len, fi);
+               return 1;
+-- 
+2.20.1
+
diff --git a/debian/patches/series b/debian/patches/series
index e2b1ee9..e381596 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -56,3 +56,5 @@ 
CVE-2018-14526/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-
 2019-4/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
 2019-5/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
 2019-5/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
+
+2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch

Bug#949367: stretch-pu: package wpa/2:2.4-1+deb9u5

Reply via email to