Hello community, here is the log from the commit of package wpa_supplicant for openSUSE:Factory checked in at 2018-10-25 08:10:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wpa_supplicant (Old) and /work/SRC/openSUSE:Factory/.wpa_supplicant.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wpa_supplicant" Thu Oct 25 08:10:20 2018 rev:73 rq:643170 version:2.6 Changes: -------- --- /work/SRC/openSUSE:Factory/wpa_supplicant/wpa_supplicant.changes 2018-10-01 09:04:43.475928644 +0200 +++ /work/SRC/openSUSE:Factory/.wpa_supplicant.new/wpa_supplicant.changes 2018-10-25 08:10:23.000265005 +0200 
@@ -1,0 +2,37 @@ +Tue Oct 16 06:45:59 UTC 2018 - Karol Babioch <[email protected]> + +- Renamed patches: + - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch + - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch +- wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag +- Enabled timestamps in log files (bsc#1080798) + +------------------------------------------------------------------- +Mon Oct 15 16:20:25 CEST 2018 - [email protected] + +- compile eapol_test binary to allow testing via radius proxy and server + (note: this does not match CONFIG_EAPOL_TEST which sets -Werror + and activates an assert call inside the code of wpa_supplicant) + (bsc#1111873), (fate#326725) +- add patch to fix wrong operator precedence in ieee802_11.c + wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch +- add patch to avoid redefinition of __bitwise macro + wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch + +------------------------------------------------------------------- +Fri Oct 12 06:55:06 UTC 2018 - Karol Babioch <[email protected]> + +- Added wpa-supplicant-log-file-permission.patch: Fixes the default file + permissions of the debug log file to more sane values, i.e. it is no longer + world-readable (bsc#1098854). +- Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with + O_CLOEXEC, which will prevent file descriptor leaking to child processes + (bsc#1098854). + +------------------------------------------------------------------- +Thu Oct 11 11:58:33 UTC 2018 - Karol Babioch <[email protected]> + +- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: + Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205). 
+ +------------------------------------------------------------------- New: ---- rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch wpa_supplicant-log-file-cloexec.patch wpa_supplicant-log-file-permission.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wpa_supplicant.spec ++++++ --- /var/tmp/diff_new_pack.qNXEZ1/_old 2018-10-25 08:10:23.732264525 +0200 +++ /var/tmp/diff_new_pack.qNXEZ1/_new 2018-10-25 08:10:23.732264525 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -51,6 +51,11 @@ Patch17: rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch Patch18: wpa_supplicant-bnc-1099835-fix-private-key-password.patch Patch19: wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch +Patch20: rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch +Patch21: wpa_supplicant-log-file-permission.patch +Patch22: wpa_supplicant-log-file-cloexec.patch +Patch23: wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch +Patch24: wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch BuildRequires: openssl-devel BuildRequires: pkgconfig @@ -99,10 +104,16 @@ %patch17 -p1 %patch18 -p1 %patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 %build cd wpa_supplicant CFLAGS="%{optflags}" make V=1 %{?_smp_mflags} +CFLAGS="%{optflags}" make V=1 %{?_smp_mflags} eapol_test cd wpa_gui-qt4 %qmake5 make %{?_smp_mflags} 
@@ -112,6 +123,7 @@ install -m 0755 wpa_supplicant/wpa_cli %{buildroot}%{_sbindir} install -m 0755 wpa_supplicant/wpa_passphrase %{buildroot}%{_sbindir} install -m 0755 wpa_supplicant/wpa_supplicant %{buildroot}%{_sbindir} +install -m 0755 wpa_supplicant/eapol_test %{buildroot}%{_sbindir} install -d %{buildroot}%{_sysconfdir}/dbus-1/system.d install -m 0644 wpa_supplicant/dbus/dbus-wpa_supplicant.conf %{buildroot}%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf install -d %{buildroot}/%{_sysconfdir}/%{name} @@ -124,9 +136,8 @@ install -d %{buildroot}/%{_rundir}/%{name} install -d %{buildroot}%{_mandir}/man{5,8} install -m 0644 wpa_supplicant/doc/docbook/*.8 %{buildroot}%{_mandir}/man8 -# wpa_supplicant is built without CONFIG_PRIVSEP and CONFIG_EAPOL_TEST +# wpa_supplicant is built without CONFIG_PRIVSEP rm %{buildroot}%{_mandir}/man8/wpa_priv.* -rm %{buildroot}%{_mandir}/man8/eapol_test.* install -m 0644 wpa_supplicant/doc/docbook/*.5 %{buildroot}%{_mandir}/man5 install -m 755 wpa_supplicant/wpa_gui-qt4/wpa_gui %{buildroot}%{_sbindir} install -d %{buildroot}%{_unitdir} @@ -154,6 +165,7 @@ %files %defattr(-,root,root) %doc wpa_supplicant/ChangeLog COPYING README wpa_supplicant/todo.txt wpa_supplicant/examples wpa_supplicant/wpa_supplicant.conf +%{_sbindir}/eapol_test %{_sbindir}/rcwpa_supplicant %{_sbindir}/wpa_cli %{_sbindir}/wpa_passphrase ++++++ fi.epitest.hostap.WPASupplicant.service ++++++ --- /var/tmp/diff_new_pack.qNXEZ1/_old 2018-10-25 08:10:23.776264496 +0200 +++ /var/tmp/diff_new_pack.qNXEZ1/_new 2018-10-25 08:10:23.776264496 +0200 
@@ -1,5 +1,5 @@ [D-BUS Service] Name=fi.epitest.hostap.WPASupplicant -Exec=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log +Exec=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -t -f /var/log/wpa_supplicant.log User=root SystemdService=wpa_supplicant.service ++++++ fi.w1.wpa_supplicant1.service ++++++ --- /var/tmp/diff_new_pack.qNXEZ1/_old 2018-10-25 08:10:23.788264489 +0200 +++ /var/tmp/diff_new_pack.qNXEZ1/_new 2018-10-25 08:10:23.788264489 +0200 @@ -1,5 +1,5 @@ [D-BUS Service] Name=fi.w1.wpa_supplicant1 -Exec=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log +Exec=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -t -f /var/log/wpa_supplicant.log User=root SystemdService=wpa_supplicant.service ++++++ rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch ++++++ >From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001 From: Mathy Vanhoef <[email protected]> Date: Sun, 15 Jul 2018 01:25:53 +0200 Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data Ignore unauthenticated encrypted EAPOL-Key data in supplicant processing. When using WPA2, these are frames that have the Encrypted flag set, but not the MIC flag. When using WPA2, EAPOL-Key frames that had the Encrypted flag set but not the MIC flag, had their data field decrypted without first verifying the MIC. In case the data field was encrypted using RC4 (i.e., when negotiating TKIP as the pairwise cipher), this meant that unauthenticated but decrypted data would then be processed. An adversary could abuse this as a decryption oracle to recover sensitive information in the data field of EAPOL-Key messages (e.g., the group key). (CVE-2018-14526) 
Signed-off-by: Mathy Vanhoef <[email protected]> --- src/rsn_supp/wpa.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c --- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c 2016-10-02 21:51:11.000000000 +0300 +++ wpa_supplicant-2.6/src/rsn_supp/wpa.c 2018-08-08 16:55:11.506831029 +0300 @@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { + /* + * Only decrypt the Key Data field if the frame's authenticity + * was verified. When using AES-SIV (FILS), the MIC flag is not + * set, so this check should only be performed if mic_len != 0 + * which is the case in this code branch. + */ + if (!(key_info & WPA_KEY_INFO_MIC)) { + wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, + "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data"); + goto out; + } if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data, &key_data_len)) goto out; ++++++ wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch ++++++ commit f5b74b966c942feb95a8ddbb7d130540b15b796d Author: Beniamino Galvani <[email protected]> Date: Mon Oct 30 11:14:40 2017 +0100 common: Avoid conflict with __bitwise macro from linux/types.h Undefine the __bitwise macro before defining it to avoid conflicts with the one from linux/types.h; the same is done some lines above when __CHECKER__ is defined. Fixes the following warning: In file included from ../src/l2_packet/l2_packet_linux.c:15:0: hostap/src/utils/common.h:438:0: warning: "__bitwise" redefined #define __bitwise In file included from /usr/include/linux/filter.h:9:0, from ../src/l2_packet/l2_packet_linux.c:13: /usr/include/linux/types.h:21:0: note: this is the location of the previous definition #define __bitwise __bitwise__ Signed-off-by: Beniamino Galvani <[email protected]> 
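Review bot: In the `@@ -2016,6 +2016,17 @@` hunk of src/rsn_supp/wpa.c, the new comment justifies the `WPA_KEY_INFO_MIC` test by reference to AES-SIV (FILS) and `mic_len`, neither of which appears in the hunk, and it does not say where the MIC is actually verified. The added check only tests that the MIC flag is set; the verification it relies on presumably happens earlier in wpa_sm_rx_eapol(), whose body starts and ends outside the hunk, and that ordering is what makes the guard sufficient. I would reword the comment along the lines of `/* Decrypt Key Data only when the MIC flag is set; the MIC itself must already have been verified earlier in this function. */` and keep the FILS sentence only if the 2.6 base this patch is rebased onto really has a `mic_len == 0` path.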
diff --git a/src/utils/common.h b/src/utils/common.h index 46e96a65b..fec7f6013 100644 --- a/src/utils/common.h +++ b/src/utils/common.h @@ -435,6 +435,7 @@ void perror(const char *s); #define __bitwise __attribute__((bitwise)) #else #define __force +#undef __bitwise #define __bitwise #endif ++++++ wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch ++++++ commit fa67debf4c6ddbc881a212b175faa6d5d0d90c8c Author: Jouni Malinen <[email protected]> Date: Sat Jan 14 01:04:31 2017 +0200 Fix duplicate Reassociation Request frame dropping Relational operators (==) have higher precedence than the ternary conditional in C. The last_subtype check for association/reassociation was broken due to incorrect assumption about the precedence. Fix this by adding parenthesis around the ternary conditional. The previous implementation worked for Association Request frames by accident since WLAN_FC_STYPE_ASSOC_REQ happens to have value 0 and when the last receive frame was an Association Request frame, the sta->last_subtype == reassoc check was true and non-zero WLAN_FC_STYPE_REASSOC_REQ was interpreted as true. However, this was broken for Reassociation Request frame. reassoc == 1 in that case could have matched received Association Response frame (subtype == 1), but those are not received in AP mode and as such, this did not break other behavior apart from not being able to drop duplicated Reassociation Request frames. Signed-off-by: Jouni Malinen <[email protected]> diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 060b63517..92a7ec6db 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c 
@@ -2527,8 +2527,8 @@ static void handle_assoc(struct hostapd_data *hapd, if ((fc & WLAN_FC_RETRY) && sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && sta->last_seq_ctrl == seq_ctrl && - sta->last_subtype == reassoc ? WLAN_FC_STYPE_REASSOC_REQ : - WLAN_FC_STYPE_ASSOC_REQ) { + sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ : + WLAN_FC_STYPE_ASSOC_REQ)) { hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_DEBUG, "Drop repeated association frame seq_ctrl=0x%x", ++++++ wpa_supplicant-log-file-cloexec.patch ++++++ >From a386bc4950e02975ba9a21a5be82e91a53ec9281 Mon Sep 17 00:00:00 2001 From: Karol Babioch <[email protected]> Date: Thu, 11 Oct 2018 21:22:03 +0200 Subject: [PATCH v3 2/2] Enable the close-on-exec flag for the debug log file descriptor On Linux this flag will make sure that no file descriptor is accidentally leaked into potential child processes. While this is not a problem right now, it is considered to be good practice these days when dealing with file descriptors on the Linux. Signed-off-by: Karol Babioch <[email protected]> --- src/utils/wpa_debug.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/utils/wpa_debug.c b/src/utils/wpa_debug.c index 5d2f7becb..12873737c 100644 --- a/src/utils/wpa_debug.c +++ b/src/utils/wpa_debug.c @@ -60,6 +60,9 @@ static int wpa_to_android_level(int level) #ifdef CONFIG_DEBUG_FILE #include <sys/types.h> #include <sys/stat.h> +#ifdef __linux__ +#include <fcntl.h> +#endif /* __linux__ */ static FILE *out_file = NULL; #endif /* CONFIG_DEBUG_FILE */ 
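Review bot: In the `@@ -60,6 +60,9 @@` hunk of src/utils/wpa_debug.c, `<fcntl.h>` is included only under `#ifdef __linux__`, yet the companion wpa_supplicant-log-file-permission.patch calls `open()` with `O_CREAT | O_WRONLY | O_APPEND` in wpa_debug_open_file() for every CONFIG_DEBUG_FILE build. Unless another header already pulls it in (not visible here), non-Linux builds would depend on a transitive include for `open()` and the `O_*` constants. Dropping the guard and writing a plain `#include <fcntl.h>` next to `#include <sys/stat.h>` keeps the two patches correct independently of platform.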
@@ -566,6 +569,13 @@ int wpa_debug_open_file(const char *path) close(out_fd); return -1; } + +#ifdef __linux__ + if (fcntl(out_fd, F_SETFD, FD_CLOEXEC) == -1) { + wpa_printf(MSG_ERROR, "wpa_debug_open_file: Failed to set O_CLOEXEC " + "on output file descriptor, using standard output"); + } +#endif /* __linux__ */ #ifndef _WIN32 setvbuf(out_file, NULL, _IOLBF, 0); #endif /* _WIN32 */ -- 2.19.1 ++++++ wpa_supplicant-log-file-permission.patch ++++++ >From 2fb45cd0370f1bc6d452df15dc1f7bf6575ed55c Mon Sep 17 00:00:00 2001 From: Karol Babioch <[email protected]> Date: Thu, 11 Oct 2018 21:21:30 +0200 Subject: [PATCH v3 1/2] Create debug log file with more sane file permissions Previously the file permissions for the debug log file were not explicitly set. Instead it was implicitly relying on a secure umask, which in most cases would result in a file that is world-readable. This is a violation of good practices, since not very user of a file should have access to sensitive information that might be contained in the debug log file. This commit will explicitly set sane default file permissions in case the file is newly created. Unfortunately the fopen(3) function does not provide such a facility, so the approach needs to be changed in the following way: 1.) The file descriptor needs to be created manually using the open(3) function with the correct flags and the desired mode set. 2.) fdopen(3) can then be used on the file descriptor to associate a file stream with it. Note: This modification will not change the file permissions of any already existing debug log files, and only applies to newly created ones. Signed-off-by: Karol Babioch <[email protected]> --- src/utils/wpa_debug.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/utils/wpa_debug.c b/src/utils/wpa_debug.c index 62758d864..5d2f7becb 100644 --- a/src/utils/wpa_debug.c +++ b/src/utils/wpa_debug.c 
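Review bot: In the `@@ -566,6 +569,13 @@` hunk, the failure message for `fcntl(out_fd, F_SETFD, FD_CLOEXEC)` ends with "using standard output", but no return or fallback follows, so logging continues to the file with a descriptor that child processes can still inherit. The text also names O_CLOEXEC while the flag actually set is FD_CLOEXEC; if the call stays, `"wpa_debug_open_file: Failed to set FD_CLOEXEC on output file descriptor"` describes what happened. Setting the flag in a second call also leaves a gap between open() and fcntl(); passing it at open time in the sibling permission patch, `out_fd = open(path, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP);`, removes both the gap and this extra error path. wpa_debug_open_file() starts and ends outside the hunk.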
@@ -58,6 +58,9 @@ static int wpa_to_android_level(int level) #ifndef CONFIG_NO_STDOUT_DEBUG #ifdef CONFIG_DEBUG_FILE +#include <sys/types.h> +#include <sys/stat.h> + static FILE *out_file = NULL; #endif /* CONFIG_DEBUG_FILE */ @@ -548,10 +551,19 @@ int wpa_debug_open_file(const char *path) last_path = os_strdup(path); } - out_file = fopen(path, "a"); + int out_fd = -1; + out_fd = open(path, O_CREAT | O_WRONLY | O_APPEND, S_IRUSR | S_IWUSR | S_IRGRP); + if (out_fd < 0) { + wpa_printf(MSG_ERROR, "wpa_debug_open_file: Failed to open " + "output file descriptor, using standard output"); + return -1; + } + + out_file = fdopen(out_fd, "a"); if (out_file == NULL) { wpa_printf(MSG_ERROR, "wpa_debug_open_file: Failed to open " "output file, using standard output"); + close(out_fd); return -1; } #ifndef _WIN32 -- 2.19.1 ++++++ wpa_supplicant.service ++++++ --- /var/tmp/diff_new_pack.qNXEZ1/_old 2018-10-25 08:10:23.888264423 +0200 +++ /var/tmp/diff_new_pack.qNXEZ1/_new 2018-10-25 08:10:23.888264423 +0200 @@ -6,7 +6,7 @@ [Service] Type=dbus BusName=fi.w1.wpa_supplicant1 -ExecStart=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log +ExecStart=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -t -f /var/log/wpa_supplicant.log [Install] WantedBy=multi-user.target ++++++ [email protected] ++++++ --- /var/tmp/diff_new_pack.qNXEZ1/_old 2018-10-25 08:10:23.904264412 +0200 +++ /var/tmp/diff_new_pack.qNXEZ1/_new 2018-10-25 08:10:23.904264412 +0200 @@ -6,7 +6,7 @@ [Service] Type=dbus BusName=fi.w1.wpa_supplicant1 -ExecStart=/usr/sbin/wpa_supplicant -i%i -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log +ExecStart=/usr/sbin/wpa_supplicant -i%i -c /etc/wpa_supplicant/wpa_supplicant.conf -u -t -f /var/log/wpa_supplicant.log [Install] WantedBy=multi-user.target
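Review bot: In the `@@ -548,10 +551,19 @@` hunk, both failure branches log a fixed string without the path or errno, so a reader of the log cannot tell a permission problem on the log directory from a bad `-f` argument. Something like `wpa_printf(MSG_ERROR, "wpa_debug_open_file: Failed to open %s: %s", path, strerror(errno));` would help, assuming errno and strerror() are already usable in this file. `int out_fd = -1;` is declared after statements and immediately overwritten; `int out_fd = open(...)` or a declaration at the top of the function is tidier. The requested mode is still filtered by the process umask and applies only when the file is created, so an already world-readable /var/log/wpa_supplicant.log would need a separate fix-up on the packaging side. wpa_debug_open_file() begins and ends outside the hunk.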
