From dd5ca60f4a9fbc8f562159e93d688f67449f4854 Mon Sep 17 00:00:00 2001 From: Lubomir Rintel Date: Tue, 27 Oct 2015 09:08:51 +0100 Subject: [PATCH] Update to version 2.5 --- .gitignore | 1 + ...D-element-length-before-copying-it-C.patch | 42 ---- ...973-dbus-fix-operations-for-p2p-mgmt.patch | 195 ------------------ sources | 2 +- wpa_supplicant-gui-qt4.patch | 39 +++- wpa_supplicant.spec | 18 +- 6 files changed, 40 insertions(+), 257 deletions(-) delete mode 100644 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch delete mode 100644 rh1231973-dbus-fix-operations-for-p2p-mgmt.patch diff --git a/.gitignore b/.gitignore index 2a36f05..7c50424 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,4 @@ wpa_supplicant-0.6.8.tar.gz /wpa_supplicant-2.0.tar.gz /wpa_supplicant-2.3.tar.gz /wpa_supplicant-2.4.tar.gz +/wpa_supplicant-2.5.tar.gz diff --git a/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch deleted file mode 100644 index 626a753..0000000 --- a/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Tue, 7 Apr 2015 11:32:11 +0300 -Subject: [PATCH] P2P: Validate SSID element length before copying it - (CVE-2015-1863) - -This fixes a possible memcpy overflow for P2P dev->oper_ssid in -p2p_add_device(). The length provided by the peer device (0..255 bytes) -was used without proper bounds checking and that could have resulted in -arbitrary data of up to 223 bytes being written beyond the end of the -dev->oper_ssid[] array (of which about 150 bytes would be beyond the -heap allocation) when processing a corrupted management frame for P2P -peer discovery purposes. - -This could result in corrupted state in heap, unexpected program -behavior due to corrupted P2P peer device information, denial of service -due to process crash, exposure of memory contents during GO Negotiation, -and potentially arbitrary code execution. - -Thanks to Google security team for reporting this issue and smart -hardware research group of Alibaba security team for discovering it. - -Signed-off-by: Jouni Malinen ---- - src/p2p/p2p.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c -index f584fae..a45fe73 100644 ---- a/src/p2p/p2p.c -+++ b/src/p2p/p2p.c -@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq, - if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0) - os_memcpy(dev->interface_addr, addr, ETH_ALEN); - if (msg.ssid && -+ msg.ssid[1] <= sizeof(dev->oper_ssid) && - (msg.ssid[1] != P2P_WILDCARD_SSID_LEN || - os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) - != 0)) { --- -2.3.5 - diff --git a/rh1231973-dbus-fix-operations-for-p2p-mgmt.patch b/rh1231973-dbus-fix-operations-for-p2p-mgmt.patch deleted file mode 100644 index e004262..0000000 --- a/rh1231973-dbus-fix-operations-for-p2p-mgmt.patch +++ /dev/null @@ -1,195 +0,0 @@ -From 8a78e227df1ead19be8e12a4108e448887e64d6f Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Wed, 29 Apr 2015 10:13:34 +0000 -Subject: D-Bus: Fix operations when P2P management interface is used - -Commit 21efc940f6e7f07b84b7e5c5867f3d81594c4fb0 ('wpa_supplicant: Do not -register a P2P management interface on DBus') hides the special P2P -management interface from D-Bus. However, it did not take into account -the possibility of wpa_s->dbus_path and wpa_s->dbus_new_path being NULL -in such cases on number of code paths within the D-Bus handlers. This -could result in invalid arguments (NULL path) being provided to D-Bus -functions (mainly, dbus_message_iter_append_basic) and NULL pointer -dereference when iterating over all interfaces. Either of these could -make wpa_supplicant process terminate. - -Fix this by explicitly checking that the interface-specific D-Bus path -has been registered before using it anywhere with D-Bus handlers. In -addition, find the correct wpa_s instance to fix P2P operations through -D-Bus when the P2P Device interface is used. - -Signed-off-by: Jouni Malinen ---- -(limited to 'wpa_supplicant/dbus/dbus_new_handlers.c') - -diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c -index d695d1b..3f5fd0a 100644 ---- a/wpa_supplicant/dbus/dbus_new_handlers.c -+++ b/wpa_supplicant/dbus/dbus_new_handlers.c -@@ -157,7 +157,8 @@ static struct wpa_supplicant * get_iface_by_dbus_path( - struct wpa_supplicant *wpa_s; - - for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) { -- if (os_strcmp(wpa_s->dbus_new_path, path) == 0) -+ if (wpa_s->dbus_new_path && -+ os_strcmp(wpa_s->dbus_new_path, path) == 0) - return wpa_s; - } - return NULL; -@@ -600,7 +601,7 @@ DBusMessage * wpas_dbus_handler_create_interface(DBusMessage *message, - iface.bridge_ifname = bridge_ifname; - /* Otherwise, have wpa_supplicant attach to it. */ - wpa_s = wpa_supplicant_add_iface(global, &iface, NULL); -- if (wpa_s) { -+ if (wpa_s && wpa_s->dbus_new_path) { - const char *path = wpa_s->dbus_new_path; - - reply = dbus_message_new_method_return(message); -@@ -684,7 +685,7 @@ DBusMessage * wpas_dbus_handler_get_interface(DBusMessage *message, - DBUS_TYPE_INVALID); - - wpa_s = wpa_supplicant_get_iface(global, ifname); -- if (wpa_s == NULL) -+ if (wpa_s == NULL || wpa_s->dbus_new_path == NULL) - return wpas_dbus_error_iface_unknown(message); - - path = wpa_s->dbus_new_path; -@@ -876,8 +877,10 @@ dbus_bool_t wpas_dbus_getter_interfaces(DBusMessageIter *iter, - unsigned int i = 0, num = 0; - dbus_bool_t success; - -- for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) -- num++; -+ for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) { -+ if (wpa_s->dbus_new_path) -+ num++; -+ } - - paths = os_calloc(num, sizeof(char *)); - if (!paths) { -@@ -885,8 +888,10 @@ dbus_bool_t wpas_dbus_getter_interfaces(DBusMessageIter *iter, - return FALSE; - } - -- for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) -- paths[i++] = wpa_s->dbus_new_path; -+ for (wpa_s = global->ifaces; wpa_s; wpa_s = wpa_s->next) { -+ if (wpa_s->dbus_new_path) -+ paths[i++] = wpa_s->dbus_new_path; -+ } - - success = wpas_dbus_simple_array_property_getter(iter, - DBUS_TYPE_OBJECT_PATH, -@@ -1478,7 +1483,8 @@ DBusMessage * wpas_dbus_handler_add_network(DBusMessage *message, - - dbus_message_iter_init(message, &iter); - -- ssid = wpa_config_add_network(wpa_s->conf); -+ if (wpa_s->dbus_new_path) -+ ssid = wpa_config_add_network(wpa_s->conf); - if (ssid == NULL) { - wpa_printf(MSG_ERROR, "%s[dbus]: can't add new interface.", - __func__); -@@ -1602,7 +1608,7 @@ DBusMessage * wpas_dbus_handler_remove_network(DBusMessage *message, - iface = wpas_dbus_new_decompose_object_path(op, - WPAS_DBUS_NEW_NETWORKS_PART, - &net_id); -- if (iface == NULL || net_id == NULL || -+ if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path || - os_strcmp(iface, wpa_s->dbus_new_path) != 0) { - reply = wpas_dbus_error_invalid_args(message, op); - goto out; -@@ -1715,7 +1721,7 @@ DBusMessage * wpas_dbus_handler_select_network(DBusMessage *message, - iface = wpas_dbus_new_decompose_object_path(op, - WPAS_DBUS_NEW_NETWORKS_PART, - &net_id); -- if (iface == NULL || net_id == NULL || -+ if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path || - os_strcmp(iface, wpa_s->dbus_new_path) != 0) { - reply = wpas_dbus_error_invalid_args(message, op); - goto out; -@@ -1773,7 +1779,7 @@ DBusMessage * wpas_dbus_handler_network_reply(DBusMessage *message, - iface = wpas_dbus_new_decompose_object_path(op, - WPAS_DBUS_NEW_NETWORKS_PART, - &net_id); -- if (iface == NULL || net_id == NULL || -+ if (iface == NULL || net_id == NULL || !wpa_s->dbus_new_path || - os_strcmp(iface, wpa_s->dbus_new_path) != 0) { - reply = wpas_dbus_error_invalid_args(message, op); - goto out; -@@ -2266,12 +2272,14 @@ DBusMessage * wpas_dbus_handler_set_pkcs11_engine_and_module_path( - message, DBUS_ERROR_FAILED, - "Reinit of the EAPOL state machine with the new PKCS #11 engine and module path failed."); - -- wpa_dbus_mark_property_changed( -- wpa_s->global->dbus, wpa_s->dbus_new_path, -- WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11EnginePath"); -- wpa_dbus_mark_property_changed( -- wpa_s->global->dbus, wpa_s->dbus_new_path, -- WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11ModulePath"); -+ if (wpa_s->dbus_new_path) { -+ wpa_dbus_mark_property_changed( -+ wpa_s->global->dbus, wpa_s->dbus_new_path, -+ WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11EnginePath"); -+ wpa_dbus_mark_property_changed( -+ wpa_s->global->dbus, wpa_s->dbus_new_path, -+ WPAS_DBUS_NEW_IFACE_INTERFACE, "PKCS11ModulePath"); -+ } - - return NULL; - } -@@ -3024,7 +3032,7 @@ dbus_bool_t wpas_dbus_getter_current_bss(DBusMessageIter *iter, - struct wpa_supplicant *wpa_s = user_data; - char path_buf[WPAS_DBUS_OBJECT_PATH_MAX], *bss_obj_path = path_buf; - -- if (wpa_s->current_bss) -+ if (wpa_s->current_bss && wpa_s->dbus_new_path) - os_snprintf(bss_obj_path, WPAS_DBUS_OBJECT_PATH_MAX, - "%s/" WPAS_DBUS_NEW_BSSIDS_PART "/%u", - wpa_s->dbus_new_path, wpa_s->current_bss->id); -@@ -3052,7 +3060,7 @@ dbus_bool_t wpas_dbus_getter_current_network(DBusMessageIter *iter, - struct wpa_supplicant *wpa_s = user_data; - char path_buf[WPAS_DBUS_OBJECT_PATH_MAX], *net_obj_path = path_buf; - -- if (wpa_s->current_ssid) -+ if (wpa_s->current_ssid && wpa_s->dbus_new_path) - os_snprintf(net_obj_path, WPAS_DBUS_OBJECT_PATH_MAX, - "%s/" WPAS_DBUS_NEW_NETWORKS_PART "/%u", - wpa_s->dbus_new_path, wpa_s->current_ssid->id); -@@ -3140,6 +3148,12 @@ dbus_bool_t wpas_dbus_getter_bsss(DBusMessageIter *iter, DBusError *error, - unsigned int i = 0; - dbus_bool_t success = FALSE; - -+ if (!wpa_s->dbus_new_path) { -+ dbus_set_error(error, DBUS_ERROR_FAILED, -+ "%s: no D-Bus interface", __func__); -+ return FALSE; -+ } -+ - paths = os_calloc(wpa_s->num_bss, sizeof(char *)); - if (!paths) { - dbus_set_error_const(error, DBUS_ERROR_NO_MEMORY, "no memory"); -@@ -3191,6 +3205,12 @@ dbus_bool_t wpas_dbus_getter_networks(DBusMessageIter *iter, DBusError *error, - unsigned int i = 0, num = 0; - dbus_bool_t success = FALSE; - -+ if (!wpa_s->dbus_new_path) { -+ dbus_set_error(error, DBUS_ERROR_FAILED, -+ "%s: no D-Bus interface", __func__); -+ return FALSE; -+ } -+ - for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) - if (!network_is_persistent_group(ssid)) - num++; -@@ -4104,7 +4124,7 @@ void wpas_dbus_signal_preq(struct wpa_supplicant *wpa_s, - struct wpas_dbus_priv *priv = wpa_s->global->dbus; - - /* Do nothing if the control interface is not turned on */ -- if (priv == NULL) -+ if (priv == NULL || !wpa_s->dbus_new_path) - return; - - if (wpa_s->preq_notify_peer == NULL) --- -cgit v0.9.2 diff --git a/sources b/sources index ae17477..d219c94 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f0037dbe03897dcaf2ad2722e659095d wpa_supplicant-2.4.tar.gz +96ff75c3a514f1f324560a2376f13110 wpa_supplicant-2.5.tar.gz diff --git a/wpa_supplicant-gui-qt4.patch b/wpa_supplicant-gui-qt4.patch index ab7a38d..c54cd9a 100644 --- a/wpa_supplicant-gui-qt4.patch +++ b/wpa_supplicant-gui-qt4.patch @@ -1,16 +1,41 @@ -diff -up wpa_supplicant-0.7.3/wpa_supplicant/Makefile.qt4 wpa_supplicant-0.7.3/wpa_supplicant/Makefile ---- wpa_supplicant-0.7.3/wpa_supplicant/Makefile.qt4 2010-09-07 10:43:39.000000000 -0500 -+++ wpa_supplicant-0.7.3/wpa_supplicant/Makefile 2010-12-08 10:07:44.152664004 -0600 -@@ -1352,10 +1352,10 @@ wpa_gui: wpa_gui/Makefile +From 9404f356e394604d1d3d6dbffc52abd54260e4d4 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Tue, 27 Oct 2015 08:56:35 +0100 +Subject: [PATCH] wpa_supplicant: allow overriding the names of the Qt4 tools + +This is useful for distributions that ship different versions of Qt in +different locations. +--- + wpa_supplicant/Makefile | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile +index ad9ead9..b19676d 100644 +--- a/wpa_supplicant/Makefile ++++ b/wpa_supplicant/Makefile +@@ -11,6 +11,9 @@ export INCDIR ?= /usr/local/include/ + export BINDIR ?= /usr/local/sbin/ + PKG_CONFIG ?= pkg-config + ++QMAKE ?= qmake ++LRELEASE ?= lrelease ++ + CFLAGS += $(EXTRA_CFLAGS) + CFLAGS += -I$(abspath ../src) + CFLAGS += -I$(abspath ../src/utils) +@@ -1787,10 +1790,10 @@ wpa_gui: @echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement" wpa_gui-qt4/Makefile: -- qmake -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro -+ qmake-qt4 -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro +- qmake -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro ++ $(QMAKE) -o wpa_gui-qt4/Makefile wpa_gui-qt4/wpa_gui.pro wpa_gui-qt4/lang/wpa_gui_de.qm: wpa_gui-qt4/lang/wpa_gui_de.ts - lrelease wpa_gui-qt4/wpa_gui.pro -+ lrelease-qt4 wpa_gui-qt4/wpa_gui.pro ++ $(LRELEASE) wpa_gui-qt4/wpa_gui.pro wpa_gui-qt4: wpa_gui-qt4/Makefile wpa_gui-qt4/lang/wpa_gui_de.qm $(MAKE) -C wpa_gui-qt4 +-- +2.6.2 + diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec index b4ee2e2..bea0093 100644 --- a/wpa_supplicant.spec +++ b/wpa_supplicant.spec @@ -6,8 +6,8 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant Name: wpa_supplicant Epoch: 1 -Version: 2.4 -Release: 6%{?dist} +Version: 2.5 +Release: 1%{?dist} License: BSD Group: System Environment/Base Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz @@ -35,12 +35,6 @@ Patch6: wpa_supplicant-gui-qt4.patch # dcbw states (2015-04): # "upstream doesn't like that patch so it's been discussed and I think rejected" Patch8: rh837402-less-aggressive-roaming.patch -# CVE-2015-1863, backport from upstream master, will be in 2.5 -# http://w1.fi/cgit/hostap/commit/?id=9ed4eee345f85e3025c33c6e20aa25696e341ccd -Patch9: 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch -# Fix a crash - rh #1231973 -# http://w1.fi/cgit/hostap/commit/wpa_supplicant/dbus/dbus_new_handlers.c?id=8a78e227df1ead19be8e12a4108e448887e64d6f -Patch10: rh1231973-dbus-fix-operations-for-p2p-mgmt.patch # Fix a security issue - rh #rh1241907 # http://w1.fi/security/2015-5/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch Patch11: rh1241907-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch @@ -97,9 +91,6 @@ Graphical User Interface for wpa_supplicant written using QT %patch3 -p1 -b .quiet-scan-results-msg %patch6 -p1 -b .qt4 %patch8 -p1 -b .rh837402-less-aggressive-roaming -%patch9 -p1 -b .cve-2015-1863 -%patch10 -p1 -b .rh1231973-dbus-fix-operations-for-p2p-mgmt -%patch11 -p1 -b .rh1241907-ndef-length %patch12 -p1 -b .dbus-policy %build @@ -113,7 +104,7 @@ pushd wpa_supplicant LIBDIR="%{_libdir}" ; export LIBDIR ; make %{_smp_mflags} %if %{build_gui} - QTDIR=%{_libdir}/qt4 make wpa_gui-qt4 %{_smp_mflags} + QTDIR=%{_libdir}/qt4 make wpa_gui-qt4 %{_smp_mflags} QMAKE='%{qmake_qt4}' LRELEASE='%{_qt4_bindir}/lrelease' %endif make eapol_test popd @@ -216,6 +207,9 @@ fi %endif %changelog +* Tue Oct 27 2015 Lubomir Rintel - 1:2.5-1 +- Update to version 2.5 + * Fri Oct 23 2015 Lubomir Rintel - 1:2.4-6 - Fix the D-Bus policy