[arch-commits] Commit in wpa_supplicant/trunk (4 files)

2020-01-22 Thread Jan Steffens via arch-commits
Date: Wednesday, January 22, 2020 @ 22:55:45
  Author: heftig
Revision: 373806

improve units and avoid breakage from increased TLS version

Added:
  wpa_supplicant/trunk/CVE-2019-16275.patch
  wpa_supplicant/trunk/systemd.patch
  wpa_supplicant/trunk/tls.patch
Modified:
  wpa_supplicant/trunk/PKGBUILD

--+
 CVE-2019-16275.patch |   73 +
 PKGBUILD |9 --
 systemd.patch|   29 +++
 tls.patch|   26 +
 4 files changed, 135 insertions(+), 2 deletions(-)

Added: CVE-2019-16275.patch
===
--- CVE-2019-16275.patch(rev 0)
+++ CVE-2019-16275.patch2020-01-22 22:55:45 UTC (rev 373806)
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen 
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen 
+---
+ src/ap/drv_callbacks.c | 13 +
+ src/ap/ieee802_11.c| 12 
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
 b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const 
u8 *addr,
+  "hostapd_notif_assoc: Skip event with no address");
+   return -1;
+   }
++
++  if (is_multicast_ether_addr(addr) ||
++  is_zero_ether_addr(addr) ||
++  os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++  /* Do not process any frames with unexpected/invalid SA so that
++   * we do not add any state for unexpected STA addresses or end
++   * up sending out frames to unexpected destination. */
++  wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication 
silently",
++ __func__, MAC2STR(addr));
++  return 0;
++  }
++
+   random_add_randomness(addr, ETH_ALEN);
+ 
+   hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
 b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 
*buf, size_t len,
+   fc = le_to_host16(mgmt->frame_control);
+   stype = WLAN_FC_GET_STYPE(fc);
+ 
++  if (is_multicast_ether_addr(mgmt->sa) ||
++  is_zero_ether_addr(mgmt->sa) ||
++  os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++  /* Do not process any frames with unexpected/invalid SA so that
++   * we do not add any state for unexpected STA addresses or end
++   * up sending out frames to unexpected destination. */
++  wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++  return 0;
++  }
++
+   if (stype == WLAN_FC_STYPE_BEACON) {
+   handle_beacon(hapd, mgmt, len, fi);
+   return 1;
+-- 
+2.20.1
+
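Review bot: Both added guards (in `hostapd_notif_assoc` and in `ieee802_11_mgmt`) report a rejected source address only through `wpa_printf(MSG_DEBUG, ...)`, so at default log verbosity a burst of management frames with an invalid SA is dropped without leaving anything an operator could alert on. Keeping the per-frame message at debug level is sensible, because the sender controls how often it fires, but a per-BSS drop counter would give a detection signal without a log-flooding risk; no such counter is visible in these hunks, so it would have to be proposed upstream rather than carried in the package. The comment could also say that broadcast is rejected by the multicast test, e.g. `/* broadcast is covered by the group-bit (multicast) check */`. The same three-part condition is written out twice, and a shared helper would keep the two sites in step. Both functions begin and end outside the embedded hunks, so whether `len` is validated before `mgmt->sa` is read cannot be confirmed from here.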

Modified: PKGBUILD
===
--- PKGBUILD2020-01-22 22:30:13 UTC (rev 373805)
+++ PKGBUILD2020-01-22 22:55:45 UTC (rev 373806)
@@ -12,11 +12,16 @@
 depends=(openssl libdbus readline libnl)
 install=wpa_supplicant.install
 source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
-config
-)
+CVE-2019-16275.patch
+tls.patch # More permissive TLS fallback
+systemd.patch # Unit improvements from Ubuntu
+config)
 validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
 sha256sums=('fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17'
 'SKIP'
+'bf91a135e717265969f1ab0319297c9d2e6f695928a17e3b3fa5accc8ef7b297'
+'449c7dad67b246b5b93e796f57c2f90c5c32cfc5b16f7aa4f17802dc260d3414'
+'dd14f99618bb4db40eadfaf4ced29d6139ccf319429a1eef54c2c08c80924742'
 

[arch-commits] Commit in wpa_supplicant/trunk (4 files)

2012-05-21 Thread Tom Gundersen
Date: Monday, May 21, 2012 @ 14:40:24
  Author: tomegun
Revision: 159338

remove dbus patch
update libnl patch
update config from example in sources
enable systemd support

Modified:
  wpa_supplicant/trunk/PKGBUILD
  wpa_supplicant/trunk/config
  wpa_supplicant/trunk/hostap_allow-linking-with-libnl-3.2.patch
Deleted:
  wpa_supplicant/trunk/dbus.patch

---+
 PKGBUILD  |   43 +++--
 config|   92 +++-
 dbus.patch|   61 --
 hostap_allow-linking-with-libnl-3.2.patch |   54 +++-
 4 files changed, 114 insertions(+), 136 deletions(-)

Modified: PKGBUILD
===
--- PKGBUILD2012-05-21 17:24:07 UTC (rev 159337)
+++ PKGBUILD2012-05-21 18:40:24 UTC (rev 159338)
@@ -2,48 +2,55 @@
 # Maintainer: Thomas Bächler tho...@archlinux.org
 
 pkgname=wpa_supplicant
-pkgver=0.7.3
-pkgrel=5
+pkgver=1.0
+pkgrel=1
 pkgdesc=A utility providing key negotiation for WPA wireless networks
 url=http://hostap.epitest.fi/wpa_supplicant;
 arch=('i686' 'x86_64')
-depends=('openssl' 'dbus-core=1.2.4' 'readline=6.0' 'libnl')
+depends=('openssl' 'dbus-core' 'readline' 'libnl')
 optdepends=('wpa_supplicant_gui: wpa_gui program')
 license=('GPL')
 groups=('base')
 backup=('etc/wpa_supplicant.conf')
-source=(http://hostap.epitest.fi/releases/wpa_supplicant-$pkgver.tar.gz
-config dbus.patch hostap_allow-linking-with-libnl-3.2.patch)
-sha256sums=('d0cd50caa85346ccc376dcda5ed3c258eef19a93b3cade39d25760118ad59443'
-'d00f306e53c22cc0d7352a0d4ed701fd77b9ff20e3a2422d81ac1fddcc11dff4'
-'13effa9ed6a1bb940ffc056a3eabcf64c8cc057069eca5cc1822b98ed769812a'
-'ac805bf6e5aaec733dfc2c333417e519239cd58663a6e1cb34a54fd0f2bcc3c5')
+source=(http://w1.fi/releases/${pkgname}-${pkgver}.tar.gz;
+   config hostap_allow-linking-with-libnl-3.2.patch)
 
 build() {
-  cd ${srcdir}/${pkgname}-${pkgver}
+  cd ${srcdir}/${pkgname}-${pkgver}/
+
+  # from fedora
   patch -Np1 -i $srcdir/hostap_allow-linking-with-libnl-3.2.patch
 
-  cd ${pkgname}
-  # Required by NetworkManager 0.8.995
-  patch -Np2 -i $srcdir/dbus.patch
+  cd ${pkgname}
+
   cp ${srcdir}/config ./.config
+
   sed -i 's@/usr/local@$(PREFIX)@g' Makefile
-  make
+
+  make PREFIX=/usr
 }
 
 package() {
   cd ${srcdir}/${pkgname}-${pkgver}/${pkgname}
   make PREFIX=/usr DESTDIR=${pkgdir} install
-  install -m755 -d ${pkgdir}/etc
+
+  install -d -m755 ${pkgdir}/etc
   install -m644 wpa_supplicant.conf ${pkgdir}/etc/wpa_supplicant.conf
+
   install -d -m755 ${pkgdir}/usr/share/man/man{5,8}
   install -m644 doc/docbook/*.5 ${pkgdir}/usr/share/man/man5/
   install -m644 doc/docbook/*.8 ${pkgdir}/usr/share/man/man8/
   rm -f ${pkgdir}/usr/share/man/man8/wpa_{priv,gui}.8
 
-  install -m755 -d ${pkgdir}/usr/share/dbus-1/system-services
+  install -d -m755 ${pkgdir}/usr/share/dbus-1/system-services
   install -m644 
dbus/{fi.epitest.hostap.WPASupplicant.service,fi.w1.wpa_supplicant1.service} 
${pkgdir}/usr/share/dbus-1/system-services/
-  sed -e 's/sbin/usr\/sbin/' -i 
${pkgdir}/usr/share/dbus-1/system-services/*.service
-  install -m755 -d ${pkgdir}/etc/dbus-1/system.d
+
+  install -d -m755 ${pkgdir}/etc/dbus-1/system.d
   install -m644 dbus/dbus-wpa_supplicant.conf 
${pkgdir}/etc/dbus-1/system.d/wpa_supplicant.conf
+
+  install -d -m755 ${pkgdir}/usr/lib/systemd/system
+  install -m644 systemd/*.service ${pkgdir}/usr/lib/systemd/system/
 }
+md5sums=('8650f6aa23646ef634402552d0669640'
+ '380d8d1fe24bccb2a2636cb2a6038c39'
+ '473fb6b77909ec5a50b6f4d91370e86b')
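Review bot: The appended `md5sums=(...)` array replaces the removed `sha256sums=(...)`, so the release tarball, fetched over plain `http://w1.fi/releases/`, is now pinned only by MD5. That is a downgrade from the previous revision, since MD5 is collision-broken and is no longer considered adequate as the sole integrity check on the source of a network-facing daemon. Keep SHA-256 by regenerating the array with `makepkg -g`, i.e. `sha256sums=('<sha256-of-tarball>' '<sha256-of-config>' '<sha256-of-libnl-patch>')`. If upstream publishes a detached signature for this release, adding it to `source=()` would also cover a tampered mirror, as the 2020 revision shown earlier on this page does with `.asc` and `validpgpkeys`. The checksum array also sits after `package()`, away from `source=()`; keeping the two adjacent makes a mismatch in entry count easier to spot.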

Modified: config
===
--- config  2012-05-21 17:24:07 UTC (rev 159337)
+++ config  2012-05-21 18:40:24 UTC (rev 159338)
@@ -78,6 +78,11 @@
 #CONFIG_DRIVER_RALINK=y
 
 # Driver interface for generic Linux wireless extensions
+# Note: WEXT is deprecated in the current Linux kernel version and no new
+# functionality is added to it. nl80211-based interface is the new
+# replacement for WEXT and its use allows wpa_supplicant to properly control
+# the driver to improve existing functionality like roaming and to support new
+# functionality.
 CONFIG_DRIVER_WEXT=y
 
 # Driver interface for Linux drivers using the nl80211 kernel interface
@@ -109,11 +114,6 @@
 # Driver interface for development testing
 #CONFIG_DRIVER_TEST=y
 
-# Include client MLME (management frame processing) for test driver
-# This can be used to test MLME operations in hostapd with the test interface.
-# space.
-#CONFIG_CLIENT_MLME=y
-
 # Driver interface for wired Ethernet drivers
 CONFIG_DRIVER_WIRED=y
 
@@ -123,6 +123,10 @@
 # Driver interface for no driver (e.g., WPS ER only)
 #CONFIG_DRIVER_NONE=y
 
+# Solaris libraries
+#LIBS += -lsocket -ldlpi -lnsl
+#LIBS_c += -lsocket
+
 # Enable IEEE 802.1X