On 21 September 2016 at 03:47, Zhixiong Chi <zhixiong....@windriver.com>
> +From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
> +From: Jouni Malinen <jo...@qca.qualcomm.com>
> +Date: Fri, 4 Mar 2016 17:20:18 +0200
> +Subject: [PATCH 1/2] WPS: Reject a Credential with invalid passphrase
> +WPA/WPA2-Personal passphrase is not allowed to include control
> +characters. Reject a Credential received from a WPS Registrar both as
> +STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
> +WPA2PSK authentication type and includes an invalid passphrase.
> +This fixes an issue where hostapd or wpa_supplicant could have updated
> +the configuration file PSK/passphrase parameter with arbitrary data from
> +an external device (Registrar) that may not be fully trusted. Should
> +such data include a newline character, the resulting configuration file
> +could become invalid and fail to be parsed.
> +Upstream-Status: Backport
> +Signed-off-by: Jouni Malinen <jo...@qca.qualcomm.com>
Please add your own s-o-b to the patch header, and as it fixes a CVE then a
CVE tag (CVE: CVE-2016-4476) too.
Openembedded-core mailing list