Arch Linux

FS#44695 - [wpa_supplicant] CVE-2015-1863

Attached to Project: Arch Linux
Opened by Ingo Albrecht (indigo) - Wednesday, 22 April 2015, 23:18 GMT
Last edited by Evangelos Foutras (foutrelis) - Friday, 24 April 2015, 18:47 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Thomas Bächler (brain0)
Architecture: All
Severity: Critical
Priority: Normal
Reported Version: (none)
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 5
Private: No

A vulnerability, CVE-2015-1863, was found in wpa_supplicant <version 2.5 and confirmed upstream [1]. It could result in corrupted heap state, unexpected program behavior due to corrupted P2P peer device information, denial of service due to a wpa_supplicant process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution.

For mitigation until wpa_supplicant is updated, patches are linked in [1]; further, it is advised to rebuild with CONFIG_P2P disabled [2].

Closed by Evangelos Foutras (foutrelis)
Friday, 24 April 2015, 18:47 GMT
Reason for closing: Fixed
Additional comments about closing: wpa_supplicant 2.4-1
Comment by Levente Polyak (anthraxx) - Thursday, 23 April 2015, 21:25 GMT
To be pedantic, it is not required to apply the patch *and* also disable CONFIG_P2P. Either of the two solutions mitigates the issue (as stated by the upstream advisory).
I recommend going with the upstream recommendation to apply the provided patch rather than disabling P2P support at build time, as the patch resolves the issue.
Comment by Evangelos Foutras (foutrelis) - Friday, 24 April 2015, 02:58 GMT
wpa_supplicant-2.4-1 in [testing] includes the upstream patch for this.
Comment by Ingo Albrecht (indigo) - Friday, 24 April 2015, 11:59 GMT
Your pedantry with such is well received, anthraxx. You're right. The alternative mentioned by upstream is to disable the feature via (the undocumented) "p2p_disabled=1" configuration option per interface in .conf (switching p2p off/on at runtime with wpa_cli does not work apparently).

Thanks for patching, 2.4-1 works fine here.
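As an added example (not part of this bug report, and not Arch or upstream hostap code), the following POSIX shell audit checks a machine for either of the two mitigations named in the report and in the comments above: CONFIG_P2P left disabled in the hostap build `.config`, or the `p2p_disabled=1` option set in wpa_supplicant.conf. The file names and sample contents below are constructed for the demonstration; on a real system you would point the functions at /etc/wpa_supplicant/*.conf and at the `.config` used for the package build.

```shell
#!/bin/sh
# Added example: audit whether a wpa_supplicant deployment has P2P disabled,
# one of the two interim mitigations upstream listed for CVE-2015-1863.
# (Updating to the patched package is the other one.)

# p2p_runtime_disabled CONF_FILE
#   Returns 0 if the global option "p2p_disabled=1" is present in the
#   wpa_supplicant configuration file (leading/trailing whitespace allowed),
#   1 otherwise. Comment lines are never matched because of the anchor.
p2p_runtime_disabled() {
    grep -Eq '^[[:space:]]*p2p_disabled[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# p2p_build_disabled BUILD_CONFIG
#   Returns 0 if CONFIG_P2P is not enabled in the hostap build .config
#   (line absent, commented out, or not "=y"), 1 if P2P was compiled in.
p2p_build_disabled() {
    ! grep -Eq '^[[:space:]]*CONFIG_P2P[[:space:]]*=[[:space:]]*y[[:space:]]*$' "$1"
}

# p2p_mitigated CONF_FILE BUILD_CONFIG
#   Returns 0 if either mitigation is in place, 1 if the P2P code is both
#   compiled in and enabled at runtime.
p2p_mitigated() {
    p2p_build_disabled "$2" || p2p_runtime_disabled "$1"
}

# mk_samples: writes constructed sample files into a temp directory and
# prints the directory path. These are NOT real system configs.
mk_samples() {
    tmp=$(mktemp -d)
    cat > "$tmp/wpa_unmitigated.conf" <<'EOF'
ctrl_interface=/run/wpa_supplicant
update_config=1
network={
    ssid="constructed-sample-ssid"
    psk="constructed-sample-passphrase"
}
EOF
    cat > "$tmp/wpa_mitigated.conf" <<'EOF'
ctrl_interface=/run/wpa_supplicant
# runtime mitigation for CVE-2015-1863: turn the P2P code paths off
p2p_disabled=1
update_config=1
EOF
    printf 'CONFIG_DRIVER_NL80211=y\nCONFIG_P2P=y\n'  > "$tmp/config_p2p_on"
    printf 'CONFIG_DRIVER_NL80211=y\n#CONFIG_P2P=y\n' > "$tmp/config_p2p_off"
    echo "$tmp"
}

# Demonstration over all four combinations of the constructed samples.
d=$(mk_samples)
for conf in wpa_unmitigated wpa_mitigated; do
    for bc in config_p2p_on config_p2p_off; do
        if p2p_mitigated "$d/$conf.conf" "$d/$bc"; then r=mitigated; else r=EXPOSED; fi
        echo "$conf + $bc: $r"
    done
done
rm -rf "$d"
```

Only the combination "wpa_unmitigated + config_p2p_on" reports EXPOSED; the check is deliberately strict about the `p2p_disabled=1` line so that a commented-out copy of the option is not mistaken for the mitigation.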