Use os_exec() for action script execution (CVE-2014-3686)

2014-10-22 19:02:24 -05:00 · 2014-10-22 19:02:24 -05:00 · 05ce9ccd8e
commit 05ce9ccd8e
parent 8e194e2572
5 changed files with 626 additions and 3 deletions
--- a/0001-Add-os_exec-helper-to-run-external-programs.patch
+++ b/0001-Add-os_exec-helper-to-run-external-programs.patch
@ -0,0 +1,143 @@
+From 89de07a9442072f88d49869d8ecd8d42bae050a0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Mon, 6 Oct 2014 16:27:44 +0300
+Subject: [PATCH 1/2] Add os_exec() helper to run external programs
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+---
+ src/utils/os.h       |  9 +++++++++
+ src/utils/os_unix.c  | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ src/utils/os_win32.c |  6 ++++++
+ 3 files changed, 70 insertions(+)
+
+diff --git a/src/utils/os.h b/src/utils/os.h
+index f196209..b9247d8 100644
+--- a/src/utils/os.h
+++ b/src/utils/os.h
+@@ -597,14 +597,23 @@ size_t os_strlcpy(char *dest, const char *src, size_t siz);
+  * Returns: Total length of the target string (length of src) (not including
+  * NUL-termination)
+  *
+  * This function matches in behavior with the strlcpy(3) function in OpenBSD.
+  */
+ size_t os_strlcpy(char *dest, const char *src, size_t siz);
+ 
+/**
+ * os_exec - Execute an external program
+ * @program: Path to the program
+ * @arg: Command line argument string
+ * @wait_completion: Whether to wait until the program execution completes
+ * Returns: 0 on success, -1 on error
+ */
+int os_exec(const char *program, const char *arg, int wait_completion);
+
+ 
+ #ifdef OS_REJECT_C_LIB_FUNCTIONS
+ #define malloc OS_DO_NOT_USE_malloc
+ #define realloc OS_DO_NOT_USE_realloc
+ #define free OS_DO_NOT_USE_free
+ #define memcpy OS_DO_NOT_USE_memcpy
+ #define memmove OS_DO_NOT_USE_memmove
+diff --git a/src/utils/os_unix.c b/src/utils/os_unix.c
+index 7498967..523a4d0 100644
+--- a/src/utils/os_unix.c
+++ b/src/utils/os_unix.c
+@@ -5,14 +5,15 @@
+  * This software may be distributed under the terms of the BSD license.
+  * See README for more details.
+  */
+ 
+ #include "includes.h"
+ 
+ #include <time.h>
+#include <sys/wait.h>
+ 
+ #ifdef ANDROID
+ #include <linux/capability.h>
+ #include <linux/prctl.h>
+ #include <private/android_filesystem_config.h>
+ #endif /* ANDROID */
+ 
+@@ -550,7 +551,61 @@ char * os_strdup(const char *s)
+ 		return NULL;
+ 	os_memcpy(d, s, len);
+ 	d[len] = '\0';
+ 	return d;
+ }
+ 
+ #endif /* WPA_TRACE */
+
+
+int os_exec(const char *program, const char *arg, int wait_completion)
+{
+	pid_t pid;
+	int pid_status;
+
+	pid = fork();
+	if (pid < 0) {
+		perror("fork");
+		return -1;
+	}
+
+	if (pid == 0) {
+		/* run the external command in the child process */
+		const int MAX_ARG = 30;
+		char *_program, *_arg, *pos;
+		char *argv[MAX_ARG + 1];
+		int i;
+
+		_program = os_strdup(program);
+		_arg = os_strdup(arg);
+
+		argv[0] = _program;
+
+		i = 1;
+		pos = _arg;
+		while (i < MAX_ARG && pos && *pos) {
+			while (*pos == ' ')
+				pos++;
+			if (*pos == '\0')
+				break;
+			argv[i++] = pos;
+			pos = os_strchr(pos, ' ');
+			if (pos)
+				*pos++ = '\0';
+		}
+		argv[i] = NULL;
+
+		execv(program, argv);
+		perror("execv");
+		os_free(_program);
+		os_free(_arg);
+		exit(0);
+		return -1;
+	}
+
+	if (wait_completion) {
+		/* wait for the child process to complete in the parent */
+		waitpid(pid, &pid_status, 0);
+	}
+
+	return 0;
+}
+diff --git a/src/utils/os_win32.c b/src/utils/os_win32.c
+index 55937de..57ee132 100644
+--- a/src/utils/os_win32.c
+++ b/src/utils/os_win32.c
+@@ -254,7 +254,13 @@ int os_memcmp_const(const void *a, const void *b, size_t len)
+ 			*dest = '\0';
+ 		while (*s++)
+ 			; /* determine total src string length */
+ 	}
+ 
+ 	return s - src - 1;
+ }
+
+
+int os_exec(const char *program, const char *arg, int wait_completion)
+{
+	return -1;
+}
+-- 
+1.9.3
+
--- a/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
+++ b/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
@ -0,0 +1,67 @@
+From c5f258de76dbb67fb64beab39a99e5c5711f41fe Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Mon, 6 Oct 2014 17:25:52 +0300
+Subject: [PATCH 2/2] wpa_cli: Use os_exec() for action script execution
+
+Use os_exec() to run the action script operations to avoid undesired
+command line processing for control interface event strings. Previously,
+it could have been possible for some of the event strings to include
+unsanitized data which is not suitable for system() use. (CVE-2014-3686)
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+---
+ wpa_supplicant/wpa_cli.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
+index 18b9b77..fe30b41 100644
+--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
+@@ -3155,36 +3155,27 @@ static int str_match(const char *a, const char *b)
+ 	return os_strncmp(a, b, os_strlen(b)) == 0;
+ }
+ 
+ 
+ static int wpa_cli_exec(const char *program, const char *arg1,
+ 			const char *arg2)
+ {
+-	char *cmd;
+	char *arg;
+ 	size_t len;
+ 	int res;
+-	int ret = 0;
+ 
+-	len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
+-	cmd = os_malloc(len);
+-	if (cmd == NULL)
+	len = os_strlen(arg1) + os_strlen(arg2) + 2;
+	arg = os_malloc(len);
+	if (arg == NULL)
+ 		return -1;
+-	res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
+-	if (res < 0 || (size_t) res >= len) {
+-		os_free(cmd);
+-		return -1;
+-	}
+-	cmd[len - 1] = '\0';
+-#ifndef _WIN32_WCE
+-	if (system(cmd) < 0)
+-		ret = -1;
+-#endif /* _WIN32_WCE */
+-	os_free(cmd);
+	os_snprintf(arg, len, "%s %s", arg1, arg2);
+	res = os_exec(program, arg, 1);
+	os_free(arg);
+ 
+-	return ret;
+	return res;
+ }
+ 
+ 
+ static void wpa_cli_action_process(const char *msg)
+ {
+ 	const char *pos;
+ 	char *copy = NULL, *id, *pos2;
+-- 
+1.9.3
+
--- a/0001-Fix-OKC-based-PMKSA-cache-entry-clearing.patch
+++ b/0001-Fix-OKC-based-PMKSA-cache-entry-clearing.patch
--- a/rh948453-man-page.patch
+++ b/rh948453-man-page.patch
@ -0,0 +1,397 @@
+diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml
+--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml.man-page	2014-01-20 16:40:02.340869189 -0600
+++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml	2014-01-20 16:40:02.340869189 -0600
+@@ -0,0 +1,205 @@
+<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+
+<refentry>
+  <refmeta>
+    <refentrytitle>eapol_test</refentrytitle>
+    <manvolnum>8</manvolnum>
+  </refmeta>
+  <refnamediv>
+    <refname>eapol_test</refname>
+
+    <refpurpose>EAP peer and RADIUS client testing</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>eapol_test</command>
+      <arg>-nWS</arg>
+      <arg>-c<replaceable>config file</replaceable></arg>
+      <arg>-a<replaceable>server IP address</replaceable></arg>
+      <arg>-A<replaceable>client IP address</replaceable></arg>
+      <arg>-p<replaceable>UDP port</replaceable></arg>
+      <arg>-s<replaceable>shared secret</replaceable></arg>
+      <arg>-r<replaceable>re-authentications</replaceable></arg>
+      <arg>-t<replaceable>timeout</replaceable></arg>
+      <arg>-C<replaceable>Connect-Info</replaceable></arg>
+      <arg>-M<replaceable>MAC address</replaceable></arg>
+      <arg>-o<replaceable>file</replaceable></arg>
+      <arg>-N<replaceable>attr spec</replaceable></arg>
+    </cmdsynopsis>
+    <cmdsynopsis>
+      <command>eapol_test scard</command>
+    </cmdsynopsis>
+    <cmdsynopsis>
+      <command>eapol_test sim</command>
+      <arg>PIN</arg>
+      <arg>num triplets</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Overview</title>
+
+    <para>eapol_test is a program that links together the same EAP
+    peer implementation that wpa_supplicant is using and the RADIUS
+    authentication client code from hostapd. In addition, it has
+    minimal glue code to combine these two components in similar
+    ways to IEEE 802.1X/EAPOL Authenticator state machines. In other
+    words, it integrates IEEE 802.1X Authenticator (normally, an
+    access point) and IEEE 802.1X Supplicant (normally, a wireless
+    client) together to generate a single program that can be used to
+    test EAP methods without having to setup an access point and a
+    wireless client.</para>
+
+    <para>The main uses for eapol_test are in interoperability testing
+    of EAP methods against RADIUS servers and in development testing
+    for new EAP methods. It can be easily used to automate EAP testing
+    for interoperability and regression since the program can be run
+    from shell scripts without require additional test components apart
+    from a RADIUS server. For example, the automated EAP tests described
+    in eap_testing.txt are implemented with eapol_test. Similarly,
+    eapol_test could be used to implement an automated regression
+    test suite for a RADIUS authentication server.</para>
+
+
+    <para>As an example:</para>
+
+<blockquote><programlisting>
+eapol_test -ctest.conf -a127.0.0.1 -p1812 -ssecret -r1
+</programlisting></blockquote>
+
+    <para>tries to complete EAP authentication based on the network
+    configuration from test.conf against the RADIUS server running
+    on the local host. A re-authentication is triggered to test fast
+    re-authentication. The configuration file uses the same format for
+    network blocks as wpa_supplicant.</para>
+
+  </refsect1>
+  <refsect1>
+    <title>Command Arguments</title>
+    <variablelist>
+      <varlistentry>
+	<term>-c configuration file path</term>
+
+	<listitem><para>A configuration to use.  The configuration should
+	use the same format for network blocks as wpa_supplicant.
+	</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-a AS address</term>
+
+	<listitem><para>IP address of the authentication server.  The
+	default is '127.0.0.1'.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-A client address</term>
+
+	<listitem><para>IP address of the client.  The default is to
+	select an address automatically.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-p AS port</term>
+
+        <listitem><para>UDP port of the authentication server. The
+        default is '1812'.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-s AS secret</term>
+
+	<listitem><para>Shared secret with the authentication server.
+	The default is 'radius'.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-r count</term>
+
+	<listitem><para>Number of reauthentications.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-t timeout</term>
+
+	<listitem><para>Timeout in seconds. The default is 30.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-C info</term>
+
+	<listitem><para>RADIUS Connect-Info.  The default is
+	'CONNECT 11Mbps 802.11b'.</para></listitem>
+      </varlistentry>
+
+
+      <varlistentry>
+	<term>-M mac address</term>
+
+	<listitem><para>Client MAC address (Calling-Station-Id).  The
+	default is '02:00:00:00:00:01'.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-o file</term>
+
+	<listitem><para>Location to write out server certificate.
+	</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-N attr spec</term>
+
+	<listitem><para>Send arbitrary attribute specific by
+	attr_id:syntax:value, or attr_id alone.  attr_id should be the numeric
+	ID of the attribute, and syntax should be one of 's' (string),
+	'd' (integer), or 'x' (octet string). The value is the attribute value
+	to send.  When attr_id is given alone, NULL is used as the attribute
+	value.  Multiple attributes can be specified by using the option
+	several times.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-n</term>
+
+	<listitem><para>Indicates that no MPPE keys are expected.
+	</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-W</term>
+
+	<listitem><para>Wait for a control interface monitor before starting.
+	</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-S</term>
+
+	<listitem><para>Save configuration after authentication.
+	</para></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+  <refsect1>
+    <title>See Also</title>
+    <para>
+      <citerefentry>
+	<refentrytitle>wpa_supplicant</refentrytitle>
+	<manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+  <refsect1>
+    <title>Legal</title>
+    <para>wpa_supplicant is copyright (c) 2003-2012,
+    Jouni Malinen <email>j@w1.fi</email> and
+    contributors.
+    All Rights Reserved.</para>
+
+    <para>This program is licensed under the BSD license (the one with
+    advertisement clause removed).</para>
+  </refsect1>
+</refentry>
+diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile
+--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile.man-page	2013-01-12 09:42:53.000000000 -0600
+++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile	2014-01-20 16:40:02.342869164 -0600
+@@ -1,4 +1,4 @@
+-all: man html pdf
+all: man
+ 
+ FILES += wpa_background
+ FILES += wpa_cli
+@@ -7,6 +7,7 @@ FILES += wpa_passphrase
+ FILES += wpa_priv
+ FILES += wpa_supplicant.conf
+ FILES += wpa_supplicant
+FILES += eapol_test
+ 
+ man:
+ 	for i in $(FILES); do docbook2man $$i.sgml; done
+@@ -20,7 +21,7 @@ pdf:
+ 
+ 
+ clean:
+-	rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8
+	rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8 eapol_test.8
+ 	rm -f wpa_supplicant.conf.5
+ 	rm -f manpage.links manpage.refs
+ 	rm -f $(FILES:%=%.pdf)
+diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml
+--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml.man-page	2013-01-12 09:42:53.000000000 -0600
+++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml	2014-01-20 16:40:02.339869202 -0600
+@@ -15,10 +15,12 @@
+     <cmdsynopsis>
+       <command>wpa_cli</command>
+       <arg>-p <replaceable>path to ctrl sockets</replaceable></arg>
+      <arg>-g <replaceable>path to global ctrl_interface socket</replaceable></arg>
+       <arg>-i <replaceable>ifname</replaceable></arg>
+       <arg>-hvB</arg>
+       <arg>-a <replaceable>action file</replaceable></arg>
+       <arg>-P <replaceable>pid file</replaceable></arg>
+      <arg>-G <replaceable>ping interval</replaceable></arg>
+       <arg><replaceable>command ...</replaceable></arg>
+     </cmdsynopsis>
+   </refsynopsisdiv>
+@@ -111,6 +113,14 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed
+       </varlistentry>
+ 
+       <varlistentry>
+	<term>-g control socket path</term>
+
+	<listitem><para>Connect to the global control socket at the
+	indicated path rather than an interface-specific control
+	socket.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+ 	<term>-i ifname</term>
+ 
+         <listitem><para>Specify the interface that is being
+@@ -161,6 +171,13 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed
+       </varlistentry>
+ 
+       <varlistentry>
+	<term>-G ping interval</term>
+
+	<listitem><para>Set the interval (in seconds) at which
+	wpa_cli pings the supplicant.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+ 	<term>command</term>
+ 
+ 	<listitem><para>Run a command.  The available commands are
+diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
+--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml.man-page	2013-01-12 09:42:53.000000000 -0600
+++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml	2014-01-20 16:40:02.339869202 -0600
+@@ -12,7 +12,7 @@
+   <refsynopsisdiv>
+     <cmdsynopsis>
+       <command>wpa_supplicant</command>
+-      <arg>-BddfhKLqqtuvW</arg>
+      <arg>-BddfhKLqqsTtuvW</arg>
+       <arg>-i<replaceable>ifname</replaceable></arg>
+       <arg>-c<replaceable>config file</replaceable></arg>
+       <arg>-D<replaceable>driver</replaceable></arg>
+@@ -344,9 +344,20 @@
+       </varlistentry>
+ 
+       <varlistentry>
+	<term>-e entropy file</term>
+	<listitem>
+	  <para>File for <command>wpa_supplicant</command> to use to
+	  maintain its internal entropy store in over restarts.</para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+ 	<term>-f output file</term>
+ 	<listitem>
+-	  <para>Log output to specified file instead of stdout.</para>
+	  <para>Log output to specified file instead of stdout. (This
+	  is only available if <command>wpa_supplicant</command> was
+	  built with the <literal>CONFIG_DEBUG_FILE</literal>
+	  option.)</para>
+ 	</listitem>
+       </varlistentry>
+ 
+@@ -387,6 +398,22 @@
+       </varlistentry>
+ 
+       <varlistentry>
+	<term>-o override driver</term>
+	<listitem>
+	  <para>Override the driver parameter for new
+	  interfaces.</para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-O override ctrl_interface</term>
+	<listitem>
+	  <para>Override the ctrl_interface parameter for new
+	  interfaces.</para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+ 	<term>-p</term>
+ 	<listitem>
+ 	  <para>Driver parameters. (Per interface)</para>
+@@ -409,10 +436,40 @@
+       </varlistentry>
+ 
+       <varlistentry>
+	<term>-s</term>
+	<listitem>
+	  <para>Log output to syslog instead of stdout. (This is only
+	  available if <command>wpa_supplicant</command> was built
+	  with the <literal>CONFIG_DEBUG_SYSLOG</literal>
+	  option.)</para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-T</term>
+	<listitem>
+	  <para>Log output to Linux tracing in addition to any other
+	  destinations. (This is only available
+	  if <command>wpa_supplicant</command> was built with
+	  the <literal>CONFIG_DEBUG_LINUX_TRACING</literal>
+	  option.)</para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-t</term>
+	<listitem>
+	  <para>Include timestamp in debug messages.</para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+ 	<term>-u</term>
+ 	<listitem>
+-	  <para>Enabled DBus control interface. If enabled, interface
+-	  definitions may be omitted.</para>
+	  <para>Enable DBus control interface. If enabled, interface
+	  definitions may be omitted. (This is only available
+	  if <command>wpa_supplicant</command> was built with
+	  the <literal>CONFIG_DBUS</literal> option.)</para>
+ 	</listitem>
+       </varlistentry>
+ 
+diff -up wpa_supplicant-2.0/wpa_supplicant/main.c.man-page wpa_supplicant-2.0/wpa_supplicant/main.c
+--- wpa_supplicant-2.0/wpa_supplicant/main.c.man-page	2013-01-12 09:42:53.000000000 -0600
+++ wpa_supplicant-2.0/wpa_supplicant/main.c	2014-01-20 16:40:02.340869189 -0600
+@@ -23,11 +23,11 @@ static void usage(void)
+ 	int i;
+ 	printf("%s\n\n%s\n"
+ 	       "usage:\n"
+-	       "  wpa_supplicant [-BddhKLqqstuvW] [-P<pid file>] "
+	       "  wpa_supplicant [-BddhKLqqtvW] [-P<pid file>] "
+ 	       "[-g<global ctrl>] \\\n"
+ 	       "        -i<ifname> -c<config file> [-C<ctrl>] [-D<driver>] "
+ 	       "[-p<driver_param>] \\\n"
+-	       "        [-b<br_ifname>] [-f<debug file>] [-e<entropy file>] "
+	       "        [-b<br_ifname>] [-e<entropy file>] "
+ 	       "\\\n"
+ 	       "        [-o<override driver>] [-O<override ctrl>] \\\n"
+ 	       "        [-N -i<ifname> -c<conf> [-C<ctrl>] "
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: BSD
 Group: System Environment/Base
 Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@ -42,8 +42,13 @@ Patch6: wpa_supplicant-gui-qt4.patch
 Patch7: libnl3-includes.patch
 # Less aggressive roaming; signal strength is wildly variable
 Patch8: rh837402-less-aggressive-roaming.patch
+# Add missing command-line options to man page, also filed upstream
+Patch9: rh948453-man-page.patch
 # Don't evict current AP from PMKSA cache when it's large
-Patch9: 0001-Fix-OKC-based-PMKSA-cache-entry-clearing.patch
+Patch10: rh1032758-fix-pmksa-cache-entry-clearing.patch
+# CVE-2014-3686
+Patch11: 0001-Add-os_exec-helper-to-run-external-programs.patch
+Patch12: 0002-wpa_cli-Use-os_exec-for-action-script-execution.patch

 %if %{build_libeap}
 # Dirty hack for WiMAX
@ -61,6 +66,7 @@ BuildRequires: readline-devel
 BuildRequires: dbus-devel
 BuildRequires: libnl3-devel
 BuildRequires: systemd-units
+BuildRequires: docbook-utils
 Requires(post): systemd-sysv
 Requires(post): systemd-units
 Requires(preun): systemd-units
@ -113,7 +119,10 @@ Don't use this unless you know what you're doing.
 %patch6 -p1 -b .qt4
 %patch7 -p1 -b .libnl3
 %patch8 -p1 -b .rh837402-less-aggressive-roaming
-%patch9 -p1 -b .okc-current-fix
+%patch9 -p1 -b .man-page
+%patch10 -p1 -b .pmksa-clear-fix
+%patch11 -p1 -b .CVE-2014-3686-1
+%patch12 -p1 -b .CVE-2014-3686-2

 %build
 pushd wpa_supplicant
@ -131,6 +140,10 @@ pushd wpa_supplicant
  make eapol_test
 popd

+pushd wpa_supplicant/doc/docbook
+  make
+popd
+
 %install
 # init scripts
 install -D -m 0755 %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service
@ -257,6 +270,9 @@ fi
 %endif

 %changelog
+* Wed Oct 22 2014 Dan Williams <dcbw@redhat.com> - 1:2.0-12
+- Use os_exec() for action script execution (CVE-2014-3686)
+
 * Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 1:2.0-11
 - Rebuild for rpm bug 1131960