Your message dated Wed, 7 Nov 2012 12:25:32 +0100
with message-id <[email protected]>
and subject line Re: Bug#690074: wpa will not migrate, upload to tpu?
has caused the Debian Bug report #690074,
regarding unblock: wpa/1.0-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
690074: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690074
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
User: [email protected]
Usertags: unblock
Severity: normal
X-Debbugs-CC: Debian wpasupplicant Maintainers
<[email protected]>
Please unblock package wpa

Hi

This unblock request for wpa 1.0-3 follows on the heels of DSA 2557-1
https://lists.debian.org/debian-security-announce/2012/msg00201.html
for hostapd, which is now part of the wpa source package in >=wheezy.
Besides the security bugfix for CVE-2012-4445 it contains two small
changes:

- adding an additional README(-P2P) to the wpasupplicant package.
  - debian/wpasupplicant.docs
- reverting back from wpa_cli's own crude readline implementation to
  using readline, as it was used before up to wpasupplicant 0.7.3.
  This fixes two relatively minor, but quite annoying and end-user
  visible usability regressions[1, 2]. This change has been tested for
  quite a while and relying on readline is still the default in all
  other distributions. This change only affects /sbin/wpa_cli, which
  is not part of the udeb and therefore doesn't affect it or its
  footprint.
  - debian/config/wpasupplicant/kfreebsd
  - debian/config/wpasupplicant/linux
  - debian/control

The urgency follows the example set by the security team for hostapd
1:0.6.10-2+squeeze1, as this security issue may be exploited remotely.

wpa 1.0-3 has been built successfully on all architectures by now and
uploaded to all but powerpc at this moment; the udeb is not affected
by any of these changes. So please consider unblocking wpa/1.0-3.

Regards
Stefan Lippers-Hollmann

diff -Nru wpa-1.0/debian/changelog wpa-1.0/debian/changelog
--- wpa-1.0/debian/changelog 2012-05-13 22:39:47.000000000 +0200
+++ wpa-1.0/debian/changelog 2012-10-08 23:18:18.000000000 +0200
@@ -1,3 +1,15 @@
+wpa (1.0-3) unstable; urgency=high
+
+ * ship forgotten README-P2P.
+ * revert to GNU readline for wpa_cli, instead of using the internal readline
+ implementation added in wpa 1~. Prefer libreadline-gplv2-dev, because libnl
+ is GPL-2 (only) - switching back to the internal readline implementation is
+ targeted for wheezy+1 (Closes: #677993, #678077).
+ * Fix DoS via specially crafted EAP-TLS messages with longer message
+ length than TLS data length (CVE-2012-4445, DSA 2557-1, Closes: #689990).
+
+ -- Stefan Lippers-Hollmann <[email protected]> Mon, 08 Oct 2012 17:48:04 +0200
+
wpa (1.0-2) unstable; urgency=low
* Really enable hardened build flags, thanks Simon Ruderich
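Review bot: the 1.0-3 entry sets urgency=high for three unrelated items, and only the CVE-2012-4445 line justifies it; the README-P2P and readline items ride along with the security fix. During a freeze it would be easier to review, and to reuse for a targeted upload, if the entry said which item the urgency applies to or if the readline revert were split into its own upload.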
diff -Nru wpa-1.0/debian/config/wpasupplicant/kfreebsd
wpa-1.0/debian/config/wpasupplicant/kfreebsd
--- wpa-1.0/debian/config/wpasupplicant/kfreebsd 2012-04-14
01:13:49.000000000 +0200
+++ wpa-1.0/debian/config/wpasupplicant/kfreebsd 2012-10-08
18:32:27.000000000 +0200
@@ -238,11 +238,11 @@
# When building a wpa_cli binary for distribution, please note that these
# libraries are licensed under GPL and as such, BSD license may not apply for
# the resulting binary.
-#CONFIG_READLINE=y
+CONFIG_READLINE=y
# Include internal line edit mode in wpa_cli. This can be used as a replacement
# for GNU Readline to provide limited command line editing and history support.
-CONFIG_WPA_CLI_EDIT=y
+#CONFIG_WPA_CLI_EDIT=y
# Remove debugging code that is printing out debug message to stdout.
# This can be used to reduce the size of the wpa_supplicant considerably
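Review bot: the two toggles in this hunk (CONFIG_READLINE=y on, CONFIG_WPA_CLI_EDIT=y off) reverse the 1.0-2 setting, but nothing in the file records why. The context comment directly above warns that linking these libraries puts the resulting wpa_cli binary under the GPL, so a one-line comment next to the toggles naming the reason (#677993, #678077) and that licence consequence would keep a later config refresh from silently flipping them back.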
diff -Nru wpa-1.0/debian/config/wpasupplicant/linux
wpa-1.0/debian/config/wpasupplicant/linux
--- wpa-1.0/debian/config/wpasupplicant/linux 2012-04-14 01:13:49.000000000
+0200
+++ wpa-1.0/debian/config/wpasupplicant/linux 2012-10-08 18:32:27.000000000
+0200
@@ -237,11 +237,11 @@
# When building a wpa_cli binary for distribution, please note that these
# libraries are licensed under GPL and as such, BSD license may not apply for
# the resulting binary.
-#CONFIG_READLINE=y
+CONFIG_READLINE=y
# Include internal line edit mode in wpa_cli. This can be used as a replacement
# for GNU Readline to provide limited command line editing and history support.
-CONFIG_WPA_CLI_EDIT=y
+#CONFIG_WPA_CLI_EDIT=y
# Remove debugging code that is printing out debug message to stdout.
# This can be used to reduce the size of the wpa_supplicant considerably
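Review bot: CONFIG_READLINE=y in this hunk only builds when the readline development headers are installed, so it depends on the Build-Depends addition in debian/control from the same upload; the two should not be cherry-picked separately. The change is also a line-for-line copy of the kfreebsd one, so any later adjustment has to be made in both config files to keep wpa_cli consistent across kernels.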
diff -Nru wpa-1.0/debian/control wpa-1.0/debian/control
--- wpa-1.0/debian/control 2012-04-14 02:57:03.000000000 +0200
+++ wpa-1.0/debian/control 2012-06-22 00:42:59.000000000 +0200
@@ -16,6 +16,7 @@
libnl-genl-3-dev (>= 3.2.3-2~) [linux-any],
libpcap-dev [kfreebsd-any],
libbsd-dev [kfreebsd-any],
+ libreadline-gplv2-dev,
pkg-config,
qt4-qmake,
docbook-to-man,
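Review bot: the added "libreadline-gplv2-dev," line is a hard build dependency with no alternative, while the changelog says "Prefer libreadline-gplv2-dev", which reads as if a choice were offered. If the GPL-2-only constraint from libnl is the reason, the changelog wording should say "use" rather than "prefer", so that nobody later swaps in a different readline package. Unlike the neighbouring libpcap-dev and libbsd-dev lines, it carries no architecture qualifier, which is correct only because readline is enabled in both the linux and kfreebsd configs.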
diff -Nru
wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch
wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch
---
wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch
1970-01-01 01:00:00.000000000 +0100
+++
wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch
2012-10-08 17:34:24.000000000 +0200
@@ -0,0 +1,43 @@
+From: Jouni Malinen <[email protected]>
+Date: Sun, 7 Oct 2012 17:06:29 +0000 (+0300)
+Subject: EAP-TLS server: Fix TLS Message Length validation
+X-Git-Url:
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=586c446e0ff42ae00315b014924ec669023bd8de
+
+EAP-TLS server: Fix TLS Message Length validation
+
+EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
+Message Length value properly and could end up trying to store more
+information into the message buffer than the allocated size if the first
+fragment is longer than the indicated size. This could result in hostapd
+process terminating in wpabuf length validation. Fix this by rejecting
+messages that have invalid TLS Message Length value.
+
+This would affect cases that use the internal EAP authentication server
+in hostapd either directly with IEEE 802.1X or when using hostapd as a
+RADIUS authentication server and when receiving an incorrectly
+constructed EAP-TLS message. Cases where hostapd uses an external
+authentication are not affected.
+
+Thanks to Timo Warns for finding and reporting this issue.
+
+Signed-hostap: Jouni Malinen <[email protected]>
+intended-for: hostap-1
+---
+
+--- a/src/eap_server/eap_server_tls_common.c
++++ b/src/eap_server/eap_server_tls_common.c
+@@ -224,6 +224,14 @@ static int eap_server_tls_process_fragme
+ return -1;
+ }
+
++ if (len > message_length) {
++ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
++ "first fragment of frame (TLS Message "
++ "Length %d bytes)",
++ (int) len, (int) message_length);
++ return -1;
++ }
++
+ data->tls_in = wpabuf_alloc(message_length);
+ if (data->tls_in == NULL) {
+ wpa_printf(MSG_DEBUG, "SSL: No memory for message");
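Review bot: the new "len > message_length" test guards only the branch that allocates data->tls_in for the first fragment; the handling of later fragments is outside this hunk, so confirm that data appended there is also bounded by the space left in the buffer. In the log call both values are cast with (int) and printed with %d; the declarations are not visible here, but if either is unsigned, a large peer-supplied length would print as a negative number, and an unsigned format would make the line more reliable for whoever triages it. Placing the check ahead of wpabuf_alloc(message_length) is right, since the message is rejected before any allocation sized by the peer.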
diff -Nru wpa-1.0/debian/patches/series wpa-1.0/debian/patches/series
--- wpa-1.0/debian/patches/series 2012-04-17 13:03:56.000000000 +0200
+++ wpa-1.0/debian/patches/series 2012-10-08 17:34:24.000000000 +0200
@@ -6,3 +6,4 @@
12_wpa_gui_knotify_support.patch
13_human_readable_signal.patch
libnl3-includes.patch
+EAP-TLS-server_fix-TLS-Message-length-validation.patch
diff -Nru wpa-1.0/debian/wpasupplicant.docs wpa-1.0/debian/wpasupplicant.docs
--- wpa-1.0/debian/wpasupplicant.docs 2012-04-08 00:57:32.000000000 +0200
+++ wpa-1.0/debian/wpasupplicant.docs 2012-06-19 18:05:41.000000000 +0200
@@ -1,2 +1,3 @@
wpa_supplicant/README
wpa_supplicant/README-WPS
+wpa_supplicant/README-P2P
unblock wpa/1.0-3
[1] http://bugs.debian.org/677993
[2] http://bugs.debian.org/678077
--- End Message ---
--- Begin Message ---
On Sat, Oct 13, 2012 at 20:39:09 +0200, Julien Cristau wrote:
> On Sat, Oct 13, 2012 at 17:08:33 +0200, Thijs Kinkhorst wrote:
>
> > Hi,
> >
> > wpa has been updated in unstable for CVE-2012-4445, and subsequently
> > unblocked. However it picked up an enhanced dependency on pcsc-lite in
> > unstable and hence cannot migrate.
> >
> > One solution could be to unblock pcsc-lite, but the feasibility of this I
> > leave up to the release team.
> >
> > The other solution is an upload to tpu; I've just taken all changes from
> > unstable since they were already unblocked and hence deemed acceptable for
> > wheezy. See attached debdiff. If this is the preferred solution, let me
> > know so I can actually upload.
> >
> The third solution is to fix libpcsclite1.symbols to not lie about the
> needed version, and then rebuild wpa.
>
binNMUs scheduled against libpcsclite1 (>= 1.8.6-3).
Cheers,
Julien
--- End Message ---