[arch-commits] Commit in wpa_supplicant/trunk (4 files)
Date: Wednesday, January 22, 2020 @ 22:55:45 Author: heftig Revision: 373806 improve units and avoid breakage from increases TLS version Added: wpa_supplicant/trunk/CVE-2019-16275.patch wpa_supplicant/trunk/systemd.patch wpa_supplicant/trunk/tls.patch Modified: wpa_supplicant/trunk/PKGBUILD --+ CVE-2019-16275.patch | 73 + PKGBUILD |9 -- systemd.patch| 29 +++ tls.patch| 26 + 4 files changed, 135 insertions(+), 2 deletions(-) Added: CVE-2019-16275.patch === --- CVE-2019-16275.patch(rev 0) +++ CVE-2019-16275.patch2020-01-22 22:55:45 UTC (rev 373806) 
@@ -0,0 +1,73 @@ +From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 29 Aug 2019 11:52:04 +0300 +Subject: [PATCH] AP: Silently ignore management frame from unexpected source + address + +Do not process any received Management frames with unexpected/invalid SA +so that we do not add any state for unexpected STA addresses or end up +sending out frames to unexpected destination. This prevents unexpected +sequences where an unprotected frame might end up causing the AP to send +out a response to another device and that other device processing the +unexpected response. + +In particular, this prevents some potential denial of service cases +where the unexpected response frame from the AP might result in a +connected station dropping its association. + +Signed-off-by: Jouni Malinen +--- + src/ap/drv_callbacks.c | 13 + + src/ap/ieee802_11.c| 12 + 2 files changed, 25 insertions(+) + +diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c +index 31587685fe3b..34ca379edc3d 100644 +--- a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c +@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, + "hostapd_notif_assoc: Skip event with no address"); + return -1; + } ++ ++ if (is_multicast_ether_addr(addr) || ++ is_zero_ether_addr(addr) || ++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. 
*/ ++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR ++ " in received indication - ignore this indication silently", ++ __func__, MAC2STR(addr)); ++ return 0; ++ } ++ + random_add_randomness(addr, ETH_ALEN); + + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index c85a28db44b7..e7065372e158 100644 +--- a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, + fc = le_to_host16(mgmt->frame_control); + stype = WLAN_FC_GET_STYPE(fc); + ++ if (is_multicast_ether_addr(mgmt->sa) || ++ is_zero_ether_addr(mgmt->sa) || ++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR ++ " in received frame - ignore this frame silently", ++ MAC2STR(mgmt->sa)); ++ return 0; ++ } ++ + if (stype == WLAN_FC_STYPE_BEACON) { + handle_beacon(hapd, mgmt, len, fi); + return 1; +-- +2.20.1 + Modified: PKGBUILD === --- PKGBUILD2020-01-22 22:30:13 UTC (rev 373805) +++ PKGBUILD2020-01-22 22:55:45 UTC (rev 373806) @@ -12,11 +12,16 @@ depends=(openssl libdbus readline libnl) install=wpa_supplicant.install source=(https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc} -config -) +CVE-2019-16275.patch +tls.patch # More permissive TLS fallback +systemd.patch # Unit improvements from Ubuntu +config) validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen sha256sums=('fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17' 'SKIP' +'bf91a135e717265969f1ab0319297c9d2e6f695928a17e3b3fa5accc8ef7b297' +'449c7dad67b246b5b93e796f57c2f90c5c32cfc5b16f7aa4f17802dc260d3414' +'dd14f99618bb4db40eadfaf4ced29d6139ccf319429a1eef54c2c08c80924742'
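Review bot: The same three-part source-address test (multicast, all-zero, or equal to `hapd->own_addr`) is written out twice, once in `hostapd_notif_assoc` and once in `ieee802_11_mgmt`, so a later change to what counts as an invalid SA can land in one path and miss the other. A single helper declared in a shared header would keep them aligned, for example `int hostapd_invalid_sa(struct hostapd_data *hapd, const u8 *sa)` (the name is only a suggestion), called as `if (hostapd_invalid_sa(hapd, mgmt->sa)) { ... return 0; }`. In `hostapd_notif_assoc` the new branch returns 0 while the no-address branch directly above it returns -1; if that is deliberate, the comment should say so, e.g. `/* return 0, not -1: the event is dropped on purpose and is not reported as a failure */`. Both drops are logged only at `MSG_DEBUG`, so at default verbosity there is no trace of frames arriving with a spoofed source address; a counter would help detection without letting a sender flood the log. Both function bodies start and end outside the hunks shown.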
[arch-commits] Commit in wpa_supplicant/trunk (4 files)
Date: Monday, May 21, 2012 @ 14:40:24 Author: tomegun Revision: 159338 remove dbus patch update libnl patch update config from example in sources enable systemd support Modified: wpa_supplicant/trunk/PKGBUILD wpa_supplicant/trunk/config wpa_supplicant/trunk/hostap_allow-linking-with-libnl-3.2.patch Deleted: wpa_supplicant/trunk/dbus.patch ---+ PKGBUILD | 43 +++-- config| 92 +++- dbus.patch| 61 -- hostap_allow-linking-with-libnl-3.2.patch | 54 +++- 4 files changed, 114 insertions(+), 136 deletions(-) Modified: PKGBUILD === --- PKGBUILD2012-05-21 17:24:07 UTC (rev 159337) +++ PKGBUILD2012-05-21 18:40:24 UTC (rev 159338) 
@@ -2,48 +2,55 @@ # Maintainer: Thomas Bächler tho...@archlinux.org pkgname=wpa_supplicant -pkgver=0.7.3 -pkgrel=5 +pkgver=1.0 +pkgrel=1 pkgdesc=A utility providing key negotiation for WPA wireless networks url=http://hostap.epitest.fi/wpa_supplicant; arch=('i686' 'x86_64') -depends=('openssl' 'dbus-core=1.2.4' 'readline=6.0' 'libnl') +depends=('openssl' 'dbus-core' 'readline' 'libnl') optdepends=('wpa_supplicant_gui: wpa_gui program') license=('GPL') groups=('base') backup=('etc/wpa_supplicant.conf') -source=(http://hostap.epitest.fi/releases/wpa_supplicant-$pkgver.tar.gz -config dbus.patch hostap_allow-linking-with-libnl-3.2.patch) -sha256sums=('d0cd50caa85346ccc376dcda5ed3c258eef19a93b3cade39d25760118ad59443' -'d00f306e53c22cc0d7352a0d4ed701fd77b9ff20e3a2422d81ac1fddcc11dff4' -'13effa9ed6a1bb940ffc056a3eabcf64c8cc057069eca5cc1822b98ed769812a' -'ac805bf6e5aaec733dfc2c333417e519239cd58663a6e1cb34a54fd0f2bcc3c5') +source=(http://w1.fi/releases/${pkgname}-${pkgver}.tar.gz; + config hostap_allow-linking-with-libnl-3.2.patch) build() { - cd ${srcdir}/${pkgname}-${pkgver} + cd ${srcdir}/${pkgname}-${pkgver}/ + + # from fedora patch -Np1 -i $srcdir/hostap_allow-linking-with-libnl-3.2.patch - cd ${pkgname} - # Required by NetworkManager 0.8.995 - patch -Np2 -i $srcdir/dbus.patch + cd ${pkgname} + cp ${srcdir}/config ./.config + sed -i 's@/usr/local@$(PREFIX)@g' Makefile - make + + make PREFIX=/usr } package() { cd ${srcdir}/${pkgname}-${pkgver}/${pkgname} make PREFIX=/usr DESTDIR=${pkgdir} install - install -m755 -d ${pkgdir}/etc + + install -d -m755 ${pkgdir}/etc install -m644 wpa_supplicant.conf ${pkgdir}/etc/wpa_supplicant.conf + install -d -m755 ${pkgdir}/usr/share/man/man{5,8} install -m644 doc/docbook/*.5 ${pkgdir}/usr/share/man/man5/ install -m644 doc/docbook/*.8 ${pkgdir}/usr/share/man/man8/ rm -f ${pkgdir}/usr/share/man/man8/wpa_{priv,gui}.8 - install -m755 -d ${pkgdir}/usr/share/dbus-1/system-services + install -d -m755 
${pkgdir}/usr/share/dbus-1/system-services install -m644 dbus/{fi.epitest.hostap.WPASupplicant.service,fi.w1.wpa_supplicant1.service} ${pkgdir}/usr/share/dbus-1/system-services/ - sed -e 's/sbin/usr\/sbin/' -i ${pkgdir}/usr/share/dbus-1/system-services/*.service - install -m755 -d ${pkgdir}/etc/dbus-1/system.d + + install -d -m755 ${pkgdir}/etc/dbus-1/system.d install -m644 dbus/dbus-wpa_supplicant.conf ${pkgdir}/etc/dbus-1/system.d/wpa_supplicant.conf + + install -d -m755 ${pkgdir}/usr/lib/systemd/system + install -m644 systemd/*.service ${pkgdir}/usr/lib/systemd/system/ } +md5sums=('8650f6aa23646ef634402552d0669640' + '380d8d1fe24bccb2a2636cb2a6038c39' + '473fb6b77909ec5a50b6f4d91370e86b') Modified: config === --- config 2012-05-21 17:24:07 UTC (rev 159337) +++ config 2012-05-21 18:40:24 UTC (rev 159338) @@ -78,6 +78,11 @@ #CONFIG_DRIVER_RALINK=y # Driver interface for generic Linux wireless extensions +# Note: WEXT is deprecated in the current Linux kernel version and no new +# functionality is added to it. nl80211-based interface is the new +# replacement for WEXT and its use allows wpa_supplicant to properly control +# the driver to improve existing functionality like roaming and to support new +# functionality. CONFIG_DRIVER_WEXT=y # Driver interface for Linux drivers using the nl80211 kernel interface @@ -109,11 +114,6 @@ # Driver interface for development testing #CONFIG_DRIVER_TEST=y -# Include client MLME (management frame processing) for test driver -# This can be used to test MLME operations in hostapd with the test interface. -# space. -#CONFIG_CLIENT_MLME=y - # Driver interface for wired Ethernet drivers CONFIG_DRIVER_WIRED=y @@ -123,6 +123,10 @@ # Driver interface for no driver (e.g., WPS ER only) #CONFIG_DRIVER_NONE=y +# Solaris libraries +#LIBS += -lsocket -ldlpi -lnsl +#LIBS_c += -lsocket + # Enable IEEE 802.1X
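Review bot: The checksum array at the end of the PKGBUILD hunk changes from `sha256sums=(...)` to `md5sums=(...)`, which weakens the only integrity check visible for these sources: the tarball is fetched over plain `http://w1.fi/releases/...` and no signature file is listed in `source`. MD5 is not collision-resistant, so it should not be the only thing standing between the download and the build. Keep the array as `sha256sums=('<sha256 of tarball>' '<sha256 of config>' '<sha256 of libnl patch>')` (placeholders, to be regenerated from the new sources). Listing a detached signature for the tarball, if upstream publishes one, would be stronger still.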