Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
aports
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Service Desk
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Operations
Operations
Incidents
Environments
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Johannes Müller
aports
Commits
4c63d159
Commit
4c63d159
authored
Jun 05, 2019
by
Leonardo Arena
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
main/hostapd: security fix (CVE-2019-9496)
Fixes #10335
parent
71e80d98
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
62 additions
and
1 deletion
+62
-1
main/hostapd/APKBUILD
main/hostapd/APKBUILD
+5
-1
main/hostapd/CVE-2019-9496.patch
main/hostapd/CVE-2019-9496.patch
+57
-0
No files found.
main/hostapd/APKBUILD
View file @
4c63d159
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname
=
hostapd
pkgver
=
2.6
pkgrel
=
4
pkgrel
=
5
pkgdesc
=
"daemon for wireless software access points"
url
=
"http://hostap.epitest.fi/hostapd/"
arch
=
"all"
...
...
@@ -17,6 +17,7 @@ patches="CVE-2012-4445.patch
0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
0006-TDLS-Reject-TPK-TK-reconfiguration.patch
0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
CVE-2019-9496.patch
0009-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
0010-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
"
...
...
@@ -28,6 +29,8 @@ options="!check" #no testsuite
builddir
=
"
$srcdir
"
/
$pkgname
-
$pkgver
/hostapd
# secfixes:
# 2.6-r5:
# - CVE-2019-9496
# 2.6-r4:
# - CVE-2019-11555
# 2.6-r2:
...
...
@@ -109,6 +112,7 @@ a6382d8e84b4829be33c46bf2f4c6f3232c9d924a4547a21dfe023bf5be8ee1c635920295f52be28
8707a123cd78149dfee9f5bd791761ee1eca605ef96580167044c2339c896920cf0e030b184a5afa9e310f5755afb30bef8ebd4522fc52753f3fbd6acead2cdf 0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
37d050b2e4a3598484912667d8b2705fbe84c5c562267f900d42b0c7b606fb1fed09ddca8b80e2131768baa8f3690aab6ba7a232dee6ff1e66150fdb8816c927 0006-TDLS-Reject-TPK-TK-reconfiguration.patch
fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed792bef1887dcc8c4626586465d78dd0258edb83dcd50a65a 0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
90981a52d6cb2e91f67a9bc830d3db02da6fde4bea0cf512b22111da6c8ab151f5dd171a2f2e409d9ff75e388e72c2314dd023a98fdabf16248b11a950bde881 CVE-2019-9496.patch
7038044885871271ac724790663d5c0a428db83b41a691747be7a618ae893670a98f3ba52a297937249084296b0e9bcfd791edaa3928548efddb259e1a15f46c 0009-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
99c734fe395b4231aa6a097a08a00e5dab65ea9c37a7c83b1904a37c39307d9e7e95485734b0d483687126f4100c75f8a7b1420f0a2edcbfe07b454a14548822 0010-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
...
...
main/hostapd/CVE-2019-9496.patch
0 → 100644
View file @
4c63d159
From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Tue, 5 Mar 2019 23:43:25 +0200
Subject: SAE: Fix confirm message validation in error cases
Explicitly verify that own and peer commit scalar/element are available
when trying to check SAE confirm message. It could have been possible to
hit a NULL pointer dereference if the peer element could not have been
parsed. (CVE-2019-9496)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/common/sae.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/common/sae.c b/src/common/sae.c
index eaf825d..5a50294 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -1487,23 +1487,31 @@
int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
- if (sae->tmp == NULL) {
+ if (!sae->tmp || !sae->peer_commit_scalar ||
+ !sae->tmp->own_commit_scalar) {
wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
return -1;
}
- if (sae->tmp->ec)
+ if (sae->tmp->ec) {
+ if (!sae->tmp->peer_commit_element_ecc ||
+ !sae->tmp->own_commit_element_ecc)
+ return -1;
sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
sae->tmp->peer_commit_element_ecc,
sae->tmp->own_commit_scalar,
sae->tmp->own_commit_element_ecc,
verifier);
- else
+ } else {
+ if (!sae->tmp->peer_commit_element_ffc ||
+ !sae->tmp->own_commit_element_ffc)
+ return -1;
sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
sae->tmp->peer_commit_element_ffc,
sae->tmp->own_commit_scalar,
sae->tmp->own_commit_element_ffc,
verifier);
+ }
if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
--
cgit v0.12
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
