diff options
| author |   Bjarke Istrup Pedersen <gurligebis@gentoo.org> | 2015-07-14 19:36:35 +0000 |
|---|---|---|
| committer | Bjarke Istrup Pedersen <gurligebis@gentoo.org> | 2015-07-14 19:36:35 +0000 |
| commit | 0996c9a5bd4fca6546b97359370178fddf4b35e4 (patch) | |
| tree | 509163f7204122a1d005ae48580b48d6a8245ba5 /net-wireless | |
| parent | Stable on alpha, bug 553584 (diff) | |
| download | gentoo-2-0996c9a5bd4fca6546b97359370178fddf4b35e4.tar.gz gentoo-2-0996c9a5bd4fca6546b97359370178fddf4b35e4.tar.bz2 gentoo-2-0996c9a5bd4fca6546b97359370178fddf4b35e4.zip | |
Adding security fixes wrt. bug #554862
(Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key 15AE484C)
Diffstat (limited to 'net-wireless')
4 files changed, 323 insertions, 1 deletions
diff --git a/net-wireless/hostapd/ChangeLog b/net-wireless/hostapd/ChangeLog index 53a4e362984e..a28a3c6124c7 100644 --- a/net-wireless/hostapd/ChangeLog +++ b/net-wireless/hostapd/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for net-wireless/hostapd # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/ChangeLog,v 1.160 2015/05/20 11:07:18 gurligebis Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/ChangeLog,v 1.161 2015/07/14 19:36:35 gurligebis Exp $ + +*hostapd-2.4-r3 (14 Jul 2015) + + 14 Jul 2015; <gurligebis@gentoo.org> +hostapd-2.4-r3.ebuild, + +files/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch, + +files/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch + : + Adding security fixes wrt. bug #554862 20 May 2015; <gurligebis@gentoo.org> -hostapd-2.0-r1.ebuild, -files/hostapd-2.0-tls_length_fix.patch, metadata.xml: diff --git a/net-wireless/hostapd/files/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch b/net-wireless/hostapd/files/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch new file mode 100644 index 000000000000..d03eb484fc28 --- /dev/null +++ b/net-wireless/hostapd/files/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch @@ -0,0 +1,29 @@ +From fc880b11ed70ff9dcf8be48621f75d354cc5094d Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Tue, 7 Jul 2015 15:33:55 +0300 +Subject: [PATCH] NFC: Avoid misaligned read of an NDEF field + +The 32-bit version of payload length field may not be 32-bit aligned in +the message buffer, so use WPA_GET_BE32() to read it instead of ntohl(). + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/wps/ndef.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/wps/ndef.c b/src/wps/ndef.c +index 8d1ce1e..5604b0a 100644 +--- a/src/wps/ndef.c ++++ b/src/wps/ndef.c +@@ -47,7 +47,7 @@ static int ndef_parse_record(const u8 *data, u32 size, + } else { + if (size < 6) + return -1; +- record->payload_length = ntohl(*(u32 *)pos); ++ record->payload_length = WPA_GET_BE32(pos); + pos += sizeof(u32); + } + +-- +1.7.9.5 + diff --git a/net-wireless/hostapd/files/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/net-wireless/hostapd/files/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch new file mode 100644 index 000000000000..1f624c8dad46 --- /dev/null +++ b/net-wireless/hostapd/files/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch @@ -0,0 +1,61 @@ +From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Tue, 7 Jul 2015 21:57:28 +0300 +Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser + +It was possible for the 32-bit record->total_length value to end up +wrapping around due to integer overflow if the longer form of payload +length field is used and record->payload_length gets a value close to +2^32. This could result in ndef_parse_record() accepting a too large +payload length value and the record type filter reading up to about 20 +bytes beyond the end of the buffer and potentially killing the process. +This could also result in an attempt to allocate close to 2^32 bytes of +heap memory and if that were to succeed, a buffer read overflow of the +same length which would most likely result in the process termination. +In case of record->total_length ending up getting the value 0, there +would be no buffer read overflow, but record parsing would result in an +infinite loop in ndef_parse_records(). + +Any of these error cases could potentially be used for denial of service +attacks over NFC by using a malformed NDEF record on an NFC Tag or +sending them during NFC connection handover if the application providing +the NDEF message to hostapd/wpa_supplicant did no validation of the +received records. While such validation is likely done in the NFC stack +that needs to parse the NFC messages before further processing, +hostapd/wpa_supplicant better be prepared for any data being included +here. + +Fix this by validating record->payload_length value in a way that +detects integer overflow. (CID 122668) + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/wps/ndef.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/wps/ndef.c b/src/wps/ndef.c +index 5604b0a..50d018f 100644 +--- a/src/wps/ndef.c ++++ b/src/wps/ndef.c +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size, + if (size < 6) + return -1; + record->payload_length = WPA_GET_BE32(pos); ++ if (record->payload_length > size - 6) ++ return -1; + pos += sizeof(u32); + } + +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size, + pos += record->payload_length; + + record->total_length = pos - data; +- if (record->total_length > size) ++ if (record->total_length > size || ++ record->total_length < record->payload_length) + return -1; + return 0; + } +-- +1.9.1 + diff --git a/net-wireless/hostapd/hostapd-2.4-r3.ebuild b/net-wireless/hostapd/hostapd-2.4-r3.ebuild new file mode 100644 index 000000000000..65815170ec7e --- /dev/null +++ b/net-wireless/hostapd/hostapd-2.4-r3.ebuild @@ -0,0 +1,224 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/hostapd-2.4-r3.ebuild,v 1.1 2015/07/14 19:36:35 gurligebis Exp $ + +EAPI="4" + +inherit toolchain-funcs eutils systemd + +DESCRIPTION="IEEE 802.11 wireless LAN Host AP daemon" +HOMEPAGE="http://hostap.epitest.fi" +SRC_URI="http://hostap.epitest.fi/releases/${P}.tar.gz" + +LICENSE="|| ( GPL-2 BSD )" +SLOT="0" +KEYWORDS="~amd64 ~arm ~mips ~ppc ~x86" +IUSE="ipv6 logwatch netlink sqlite +ssl +wps +crda" + +DEPEND="ssl? ( dev-libs/openssl[-bindist] ) + kernel_linux? ( + dev-libs/libnl:3 + crda? ( net-wireless/crda ) + ) + netlink? ( net-libs/libnfnetlink ) + sqlite? ( >=dev-db/sqlite-3 )" + +RDEPEND="${DEPEND}" + +S="${S}/${PN}" + +src_prepare() { + cd .. + + # bug (548744) + epatch "${FILESDIR}/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch" + epatch "${FILESDIR}/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch" + epatch "${FILESDIR}/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch" + epatch "${FILESDIR}/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch" + epatch "${FILESDIR}/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch" + epatch "${FILESDIR}/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch" + epatch "${FILESDIR}/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch" + + # bug (554862) + epatch "${FILESDIR}/2015-5/0001-NFC-Avoid-misaligned-read-of-an-NDEF-field.patch" + epatch "${FILESDIR}/2015-5/0002-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch" + + cd "${PN}" + + epatch "${FILESDIR}/${PN}-hlr_auc_gw-openssl.patch" + + sed -i -e "s:/etc/hostapd:/etc/hostapd/hostapd:g" \ + "${S}/hostapd.conf" || die +} + +src_configure() { + local CONFIG="${S}/.config" + + # toolchain setup + echo "CC = $(tc-getCC)" > ${CONFIG} + + # EAP authentication methods + echo "CONFIG_EAP=y" >> ${CONFIG} + echo "CONFIG_ERP=y" >> ${CONFIG} + echo "CONFIG_EAP_MD5=y" >> ${CONFIG} + + if use ssl; then + # SSL authentication methods + echo "CONFIG_EAP_FAST=y" >> ${CONFIG} + echo "CONFIG_EAP_TLS=y" >> ${CONFIG} + echo "CONFIG_EAP_TTLS=y" >> ${CONFIG} + echo "CONFIG_EAP_MSCHAPV2=y" >> ${CONFIG} + echo "CONFIG_EAP_PEAP=y" >> ${CONFIG} + echo "CONFIG_TLSV11=y" >> ${CONFIG} + echo "CONFIG_TLSV12=y" >> ${CONFIG} + fi + + if use wps; then + # Enable Wi-Fi Protected Setup + echo "CONFIG_WPS=y" >> ${CONFIG} + echo "CONFIG_WPS2=y" >> ${CONFIG} + echo "CONFIG_WPS_UPNP=y" >> ${CONFIG} + echo "CONFIG_WPS_NFC=y" >> ${CONFIG} + einfo "Enabling Wi-Fi Protected Setup support" + fi + + echo "CONFIG_EAP_IKEV2=y" >> ${CONFIG} + echo "CONFIG_EAP_TNC=y" >> ${CONFIG} + echo "CONFIG_EAP_GTC=y" >> ${CONFIG} + echo "CONFIG_EAP_SIM=y" >> ${CONFIG} + echo "CONFIG_EAP_AKA=y" >> ${CONFIG} + echo "CONFIG_EAP_AKA_PRIME=y" >> ${CONFIG} + echo "CONFIG_EAP_EKE=y" >> ${CONFIG} + echo "CONFIG_EAP_PAX=y" >> ${CONFIG} + echo "CONFIG_EAP_PSK=y" >> ${CONFIG} + echo "CONFIG_EAP_SAKE=y" >> ${CONFIG} + echo "CONFIG_EAP_GPSK=y" >> ${CONFIG} + echo "CONFIG_EAP_GPSK_SHA256=y" >> ${CONFIG} + echo "CONFIG_EAP_PWD=y" >> ${CONFIG} + + einfo "Enabling drivers: " + + # drivers + echo "CONFIG_DRIVER_HOSTAP=y" >> ${CONFIG} + einfo " HostAP driver enabled" + echo "CONFIG_DRIVER_WIRED=y" >> ${CONFIG} + einfo " Wired driver enabled" + echo "CONFIG_DRIVER_PRISM54=y" >> ${CONFIG} + einfo " Prism54 driver enabled" + echo "CONFIG_DRIVER_NONE=y" >> ${CONFIG} + einfo " None driver enabled" + + einfo " nl80211 driver enabled" + echo "CONFIG_DRIVER_NL80211=y" >> ${CONFIG} + + # misc + echo "CONFIG_DEBUG_FILE=y" >> ${CONFIG} + echo "CONFIG_PKCS12=y" >> ${CONFIG} + echo "CONFIG_RADIUS_SERVER=y" >> ${CONFIG} + echo "CONFIG_IAPP=y" >> ${CONFIG} + echo "CONFIG_IEEE80211R=y" >> ${CONFIG} + echo "CONFIG_IEEE80211W=y" >> ${CONFIG} + echo "CONFIG_IEEE80211N=y" >> ${CONFIG} + echo "CONFIG_IEEE80211AC=y" >> ${CONFIG} + echo "CONFIG_PEERKEY=y" >> ${CONFIG} + echo "CONFIG_RSN_PREAUTH=y" >> ${CONFIG} + echo "CONFIG_INTERWORKING=y" >> ${CONFIG} + echo "CONFIG_FULL_DYNAMIC_VLAN=y" >> ${CONFIG} + echo "CONFIG_HS20=y" >> ${CONFIG} + echo "CONFIG_WNM=y" >> ${CONFIG} + echo "CONFIG_ACS=y" >> ${CONFIG} + + if use netlink; then + # Netlink support + echo "CONFIG_VLAN_NETLINK=y" >> ${CONFIG} + fi + + if use ipv6; then + # IPv6 support + echo "CONFIG_IPV6=y" >> ${CONFIG} + fi + + if use sqlite; then + # Sqlite support + echo "CONFIG_SQLITE=y" >> ${CONFIG} + fi + + # If we are using libnl 2.0 and above, enable support for it + # Removed for now, since the 3.2 version is broken, and we don't + # support it. + if has_version ">=dev-libs/libnl-3.2"; then + echo "CONFIG_LIBNL32=y" >> .config + fi + + # TODO: Add support for BSD drivers + + default_src_configure +} + +src_compile() { + emake V=1 + + if use ssl; then + emake V=1 nt_password_hash + emake V=1 hlr_auc_gw + fi +} + +src_install() { + insinto /etc/${PN} + doins ${PN}.{conf,accept,deny,eap_user,radius_clients,sim_db,wpa_psk} + + fperms -R 600 /etc/${PN} + + dosbin ${PN} + dobin ${PN}_cli + + use ssl && dobin nt_password_hash hlr_auc_gw + + newinitd "${FILESDIR}"/${PN}-init.d ${PN} + newconfd "${FILESDIR}"/${PN}-conf.d ${PN} + systemd_dounit "${FILESDIR}"/${PN}.service + + doman ${PN}{.8,_cli.1} + + dodoc ChangeLog README + use wps && dodoc README-WPS + + docinto examples + dodoc wired.conf + + if use logwatch; then + insinto /etc/log.d/conf/services/ + doins logwatch/${PN}.conf + + exeinto /etc/log.d/scripts/services/ + doexe logwatch/${PN} + fi +} + +pkg_postinst() { + einfo + einfo "If you are running openRC you need to follow this instructions:" + einfo "In order to use ${PN} you need to set up your wireless card" + einfo "for master mode in /etc/conf.d/net and then start" + einfo "/etc/init.d/${PN}." + einfo + einfo "Example configuration:" + einfo + einfo "config_wlan0=( \"192.168.1.1/24\" )" + einfo "channel_wlan0=\"6\"" + einfo "essid_wlan0=\"test\"" + einfo "mode_wlan0=\"master\"" + einfo + #if [ -e "${KV_DIR}"/net/mac80211 ]; then + # einfo "This package now compiles against the headers installed by" + # einfo "the kernel source for the mac80211 driver. You should " + # einfo "re-emerge ${PN} after upgrading your kernel source." + #fi + + if use wps; then + einfo "You have enabled Wi-Fi Protected Setup support, please" + einfo "read the README-WPS file in /usr/share/doc/${P}" + einfo "for info on how to use WPS" + fi +} |