diff --git a/wpa_supplicant-0.6.3-fix-dbus-use-after-free.patch b/wpa_supplicant-0.6.3-fix-dbus-use-after-free.patch new file mode 100644 index 0000000..ecb8c3e --- /dev/null +++ b/wpa_supplicant-0.6.3-fix-dbus-use-after-free.patch @@ -0,0 +1,13 @@ +diff --git a/wpa_supplicant/dbus_dict_helpers.c b/wpa_supplicant/dbus_dict_helpers.c +index 1232ab2..d810979 100644 +--- a/wpa_supplicant/dbus_dict_helpers.c ++++ b/wpa_supplicant/dbus_dict_helpers.c +@@ -674,7 +674,7 @@ static dbus_bool_t _wpa_dbus_dict_entry_get_byte_array( + /* Zero-length arrays are valid. */ + if (entry->array_len == 0) { + free(entry->bytearray_value); +- entry->strarray_value = NULL; ++ entry->bytearray_value = NULL; + } + + success = TRUE; diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec index 9a8c8e4..d4cba30 100644 --- a/wpa_supplicant.spec +++ b/wpa_supplicant.spec @@ -2,7 +2,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant Name: wpa_supplicant Epoch: 1 Version: 0.6.3 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Group: System Environment/Base Source0: http://hostap.epitest.fi/releases/%{name}-%{version}.tar.gz @@ -19,6 +19,7 @@ Patch2: wpa_supplicant-0.5.7-qmake-location.patch Patch3: wpa_supplicant-0.5.7-flush-debug-output.patch Patch4: wpa_supplicant-0.5.7-use-IW_ENCODE_TEMP.patch Patch5: wpa_supplicant-0.5.10-dbus-service-file.patch +Patch6: wpa_supplicant-0.6.3-fix-dbus-use-after-free.patch URL: http://w1.fi/wpa_supplicant/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -52,6 +53,7 @@ Graphical User Interface for wpa_supplicant written using QT3 %patch3 -p1 -b .flush-debug-output %patch4 -p1 -b .use-IW_ENCODE_TEMP %patch5 -p1 -b .dbus-service-file +%patch6 -p1 -b .use-after-free %build pushd src @@ -145,6 +147,9 @@ fi %{_bindir}/wpa_gui %changelog +* Tue Mar 4 2008 Dan Williams - 1:0.6.3-2 +- Fix a potential use-after-free in the D-Bus byte array demarshalling code + * Mon Mar 3 2008 Dan Williams - 1:0.6.3-1 - Update to latest development release; remove upstreamed patches