gnu: wpa-supplicant: Add fixes for CVE-2015-{5310,5314,5315,5316}.

* gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch,
  gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch,
  gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch,
  gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/admin.scm (wpa-supplicant-minimal)[source]: Add patches.
This commit is contained in:
Mark H Weaver 2015-11-11 07:43:12 -05:00
parent 875b2f3d5e
commit 419630e0be
6 changed files with 181 additions and 1 deletions

View File

@ -692,6 +692,10 @@ dist_patch_DATA = \
gnu/packages/patches/wicd-template-instantiation.patch \ gnu/packages/patches/wicd-template-instantiation.patch \
gnu/packages/patches/wicd-urwid-1.3.patch \ gnu/packages/patches/wicd-urwid-1.3.patch \
gnu/packages/patches/wmctrl-64-fix.patch \ gnu/packages/patches/wmctrl-64-fix.patch \
gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch \
gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch \
gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch \
gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch \
gnu/packages/patches/xf86-video-ark-remove-mibstore.patch \ gnu/packages/patches/xf86-video-ark-remove-mibstore.patch \
gnu/packages/patches/xf86-video-ast-remove-mibstore.patch \ gnu/packages/patches/xf86-video-ast-remove-mibstore.patch \
gnu/packages/patches/xf86-video-geode-glibc-2.20.patch \ gnu/packages/patches/xf86-video-geode-glibc-2.20.patch \

View File

@ -716,7 +716,12 @@ commands and their arguments.")
".tar.gz")) ".tar.gz"))
(sha256 (sha256
(base32 (base32
"05mkp5bx1c3z7h5biddsv0p49gkrq9ksany3anp4wdiv92p5prfc")))) "05mkp5bx1c3z7h5biddsv0p49gkrq9ksany3anp4wdiv92p5prfc"))
(patches
(map search-patch '("wpa-supplicant-CVE-2015-5310.patch"
"wpa-supplicant-CVE-2015-5314.patch"
"wpa-supplicant-CVE-2015-5315.patch"
"wpa-supplicant-CVE-2015-5316.patch")))))
(build-system gnu-build-system) (build-system gnu-build-system)
(arguments (arguments
'(#:phases (alist-replace '(#:phases (alist-replace

View File

@ -0,0 +1,32 @@
From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 25 Oct 2015 15:45:50 +0200
Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
PMF in use
WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
enabled. Verify that PMF is in use before using this field on station
side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
wpa_supplicant/wnm_sta.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 954de67..7d79499 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
end = ptr + key_len_total;
wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
+ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
+ wpa_msg(wpa_s, MSG_INFO,
+ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
+ return;
+ }
+
while (ptr + 1 < end) {
if (ptr + 2 + ptr[1] > end) {
wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "

View File

@ -0,0 +1,51 @@
From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 1 Nov 2015 18:24:16 +0200
Subject: [PATCH] EAP-pwd server: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5314)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_server/eap_server_pwd.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index cb83ff7..9f787ab 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
/*
* the first and all intermediate fragments have the M bit set
*/
- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
"attack detected! (%d+%d > %d)",
@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
}
wpabuf_put_data(data->inbuf, pos, len);
data->in_frag_pos += len;
+ }
+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
(int) len);
return;
@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
* buffering fragments so that's how we know it's the last)
*/
if (data->in_frag_pos) {
- wpabuf_put_data(data->inbuf, pos, len);
- data->in_frag_pos += len;
pos = wpabuf_head_u8(data->inbuf);
len = data->in_frag_pos;
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
--
1.9.1

View File

@ -0,0 +1,54 @@
From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 1 Nov 2015 18:18:17 +0200
Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5315)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_peer/eap_pwd.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 1f78544..75ceef1 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
/*
* buffer and ACK the fragment
*/
- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
data->in_frag_pos += len;
if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
return NULL;
}
wpabuf_put_data(data->inbuf, pos, len);
-
+ }
+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
EAP_PWD_HDR_SIZE,
EAP_CODE_RESPONSE, eap_get_id(reqData));
@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
* we're buffering and this is the last fragment
*/
if (data->in_frag_pos) {
- wpabuf_put_data(data->inbuf, pos, len);
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
(int) len);
- data->in_frag_pos += len;
pos = wpabuf_head_u8(data->inbuf);
len = data->in_frag_pos;
}
--
1.9.1

View File

@ -0,0 +1,34 @@
From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 1 Nov 2015 19:35:44 +0200
Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message
If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received. (CVE-2015-5316)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_peer/eap_pwd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 75ceef1..892b590 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
fin:
- bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
+ if (data->grp)
+ bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
BN_clear_free(x);
BN_clear_free(y);
if (data->outbuf == NULL) {
--
1.9.1