FS#69784 - [wpa_supplicant] [Security] arbitrary code execution

Attached to Project: Arch Linux
Opened by Jonas Witschel (diabonas) - Thursday, 25 February 2021, 19:16 GMT
Last edited by Antonio Rojas (arojas) - Sunday, 23 January 2022, 09:38 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Immediate
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Summary
=======

The package wpa_supplicant is vulnerable to denial of service, and possibly arbitrary code execution.

Guidance
========

Applying the patch referenced below (corresponding to upstream commit 8460e3230988ef2ec13ce6b69b687e941f6cdb32) fixes the issue.

References
==========

https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt
https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32

Closed by Antonio Rojas (arojas)
Sunday, 23 January 2022, 09:38 GMT
Reason for closing: Fixed
Additional comments about closing: thanks @loqs
Comment by Jonas Witschel (diabonas) - Saturday, 27 February 2021, 09:09 GMT
This is now tracked as CVE-2021-27803 (https://security.archlinux.org/CVE-2021-27803).
Comment by Jonas Witschel (diabonas) - Friday, 02 April 2021, 10:13 GMT
Another issue has recently been discovered that could potentially allow signature forgery. It is labeled CVE-2021-30004 (https://security.archlinux.org/CVE-2021-30004) and fixed by applying https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15
Comment by Jonas Witschel (diabonas) - Tuesday, 22 June 2021, 13:05 GMT
Another issue reported by the Android CNA: CVE-2021-0535 could lead to local privilege escalation and is fixed by upstream commit https://w1.fi/cgit/hostap/commit/wpa_supplicant/?id=8ca330bd709bf7c000dfda5b1edbc0cbeabb8b55
Comment by Pascal Ernster (hardfalcon) - Sunday, 16 January 2022, 22:55 GMT
Upstream has released wpa_supplicant 2.10 which appears to contain all of the mentioned commits, along with improved fixes for side channel vulnerabilities in the SAE and EAP-PWD implementations:

https://lists.infradead.org/pipermail/hostap/2022-January/040148.html

https://lists.infradead.org/pipermail/hostap/2022-January/040147.html
Comment by loqs (loqs) - Tuesday, 18 January 2022, 23:00 GMT
[1] Updates the PKGBUILD to 2.10, removes patches now part of upstream, updates non-upstreamed patches [2][3][4], prefixes files with the package name.

[5] Reformats wpa_supplicant_config to be based on the upstream defconfig.
New upstream-enabled option: CONFIG_DPP2=y
Options removed as no longer supported by upstream: CONFIG_IEEE80211N [6], CONFIG_IEEE80211W [7].
WEP is left disabled [8] and TKIP enabled [9], as per upstream defaults.

[10] Does not uncomment options that are already set by default.

Not implemented: use epoll instead of select.

[1] PKGBUILD.diff.1
[2] https://sources.debian.org/data/main/w/wpa/2%3A2.10-1/debian/patches/07_dbus_service_syslog.patch
[3] https://sources.debian.org/data/main/w/wpa/2%3A2.10-1/debian/patches/wpa_service_ignore-on-isolate.patch
[4] https://sources.debian.org/data/main/w/wpa/2%3A2.10-1/debian/patches/allow-tlsv1.patch
[5] PKGBUILD.diff.2
[6] https://w1.fi/cgit/hostap/commit/?id=f3bcd696034683f94300dd971865af7ed86aa180
[7] https://w1.fi/cgit/hostap/commit/?id=7d2ed8bae86a31dd2df45c24b3f7281d55315482
[8] https://w1.fi/cgit/hostap/tree/wpa_supplicant/defconfig?h=hostap_2_10#n614
[9] https://w1.fi/cgit/hostap/tree/wpa_supplicant/defconfig?h=hostap_2_10#n629
[10] PKGBUILD.diff.3