wpa: CVE-2015-1863: wpa_supplicant P2P SSID processing vulnerability

Debian Bug report logs - #783148
wpa: CVE-2015-1863: wpa_supplicant P2P SSID processing vulnerability

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: wpa: CVE-2015-1863: wpa_supplicant P2P SSID processing vulnerability

Date: Wed, 22 Apr 2015 22:57:22 +0200

Source: wpa
Version: 2.3-1
Severity: grave
Tags: security upstream patch
Justification: user security hole

Hi,

the following vulnerability was published for wpa.

CVE-2015-1863[0]:
| P2P SSID processing vulnerability:
| A vulnerability was found in how wpa_supplicant uses SSID information
| parsed from management frames that create or update P2P peer entries
| (e.g., Probe Response frame or number of P2P Public Action frames). SSID
| field has valid length range of 0-32 octets. However, it is transmitted
| in an element that has a 8-bit length field and potential maximum
| payload length of 255 octets. wpa_supplicant was not sufficiently
| verifying the payload length on one of the code paths using the SSID
| received from a peer device.
|
| This can result in copying arbitrary data from an attacker to a fixed
| length buffer of 32 bytes (i.e., a possible overflow of up to 223
| bytes). The SSID buffer is within struct p2p_device that is allocated
| from heap. The overflow can override couple of variables in the struct,
| including a pointer that gets freed. In addition about 150 bytes (the
| exact length depending on architecture) can be written beyond the end of
| the heap allocation.
|
| This could result in corrupted state in heap, unexpected program
| behavior due to corrupted P2P peer device information, denial of service
| due to wpa_supplicant process crash, exposure of memory contents during
| GO Negotiation, and potentially arbitrary code execution.
|
| Vulnerable versions/configurations
|
| wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled
|
| Attacker (or a system controlled by the attacker) needs to be within
| radio range of the vulnerable system to send a suitably constructed
| management frame that triggers a P2P peer device information to be
| created or updated.
|
| The vulnerability is easiest to exploit while the device has started an
| active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
| interface command in progress). However, it may be possible, though
| significantly more difficult, to trigger this even without any active
| P2P operation in progress.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-1863
[1] http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt
[2] http://w1.fi/security/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch

Regards,
Salvatore

Message #10 received at 783148@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 783148@bugs.debian.org

Subject: Re: Bug#783148: wpa: CVE-2015-1863: wpa_supplicant P2P SSID processing vulnerability

Date: Thu, 23 Apr 2015 18:47:00 +0200

Hi,

I'm currently preparing the debdiffs for jessie-security and sid
uploads.

Regards,
Salvatore

Message #15 received at 783148@bugs.debian.org (full text, mbox, reply):

From: Stefan Lippers-Hollmann <s.l-h@gmx.de>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 783148@bugs.debian.org

Subject: Re: [pkg-wpa-devel] Bug#783148: wpa: CVE-2015-1863: wpa_supplicant P2P SSID processing vulnerability

Date: Thu, 23 Apr 2015 19:14:01 +0200

[Message part 1 (text/plain, inline)]

Hi

On 2015-04-23, Salvatore Bonaccorso wrote:
> Hi,
> 
> I'm currently preparing the debdiffs for jessie-security and sid
> uploads.

Thank you for taking care of it, I was about to respond now (and am
currently testing the patched packages, successfully so far).

Be aware that src:wpa 1.0-3+deb7u1 in wheezy is not affected by this
bug, as we did (intentionally) disable CONFIG_P2P for those packages.

Regards
	Stefan Lippers-Hollmann

[Message part 2 (application/pgp-signature, inline)]

Message #20 received at 783148@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Stefan Lippers-Hollmann <s.l-h@gmx.de>

Cc: 783148@bugs.debian.org

Subject: Re: [pkg-wpa-devel] Bug#783148: wpa: CVE-2015-1863: wpa_supplicant P2P SSID processing vulnerability

Date: Thu, 23 Apr 2015 19:22:17 +0200

Hi Stefan,

On Thu, Apr 23, 2015 at 07:14:01PM +0200, Stefan Lippers-Hollmann wrote:
> Hi
> 
> On 2015-04-23, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > I'm currently preparing the debdiffs for jessie-security and sid
> > uploads.
> 
> Thank you for taking care of it, I was about to respond now (and am
> currently testing the patched packages, successfully so far).

Thanks for the quick reply. Are you fine if I skip the delayed queue
for the unstable upload? Or do you want to upload your prepared
package? (Would then do the jessie-security one only).

> Be aware that src:wpa 1.0-3+deb7u1 in wheezy is not affected by this
> bug, as we did (intentionally) disable CONFIG_P2P for those packages.

Yes, noticed thanks! Sourcewise it should be affected but only for
people who would rebuild the packages and enable CONFIG_P2P. Will
update https://security-tracker.debian.org/tracker/CVE-2015-1863

Regards,
Salvatore

Message #25 received at 783148-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Lippers-Hollmann <s.l-h@gmx.de>

To: 783148-close@bugs.debian.org

Subject: Bug#783148: fixed in wpa 2.3-2

Date: Fri, 24 Apr 2015 11:03:57 +0000

Source: wpa
Source-Version: 2.3-2

We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Lippers-Hollmann <s.l-h@gmx.de> (supplier of updated wpa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 23 Apr 2015 05:02:21 +0200
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 2.3-2
Distribution: unstable
Urgency: high
Maintainer: Debian wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>
Changed-By: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Description:
 hostapd    - IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
 wpagui     - graphical user interface for wpa_supplicant
 wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
 wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 780552 783148
Changes:
 wpa (2.3-2) unstable; urgency=high
 .
   * remove Kel Modderman from Uploaders as per his request, many thanks for
     all past efforts Kel.
   * fix systemd unit dependencies for wpasupplicant, it needs to be started
     before the network target (Closes: 780552), many thanks to Michael Biebl
     <biebl@debian.org> for reporting and suggesting the patch.
   * hostapd: avoid segfault with driver=wired, by merging upstream commit
     e9b783d58c23a7bb50b2f25bce7157f1f3b5d58b "Fix hostapd operation without
     hw_mode driver data."
   * import "P2P: Validate SSID element length before copying it
     (CVE-2015-1863)" from upstream (Closes: #783148).
Checksums-Sha1:
 9815a37a6dd20b9a5e620ff38e740362164e5927 2436 wpa_2.3-2.dsc
 0db649acd8fe7429df74034aef5409c005292b21 76068 wpa_2.3-2.debian.tar.xz
Checksums-Sha256:
 860dad76e4fcbc8e9bbce4e231c231c8366eea8f810319a3dc859853caa35e40 2436 wpa_2.3-2.dsc
 2d4c34e56c8c40a2ed9d2cbb6264fced2e222b787416e46f9b25df90e5ec546c 76068 wpa_2.3-2.debian.tar.xz
Files:
 231bfc62c9242f4e34fa5c16a6550a5b 2436 net optional wpa_2.3-2.dsc
 5fb495b5aacd7daa0649d55b105e70e5 76068 net optional wpa_2.3-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVOfq0AAoJEAVMuPMTQ89EcVcP/RCsdMxE3OjZdUaWwTtQKSwT
nxZiD4A2DsDwO5UXQ+GYNX/zqImzt5dQ3rhFC5Np7rtH9Kbl9skh4FaztLCWyVAg
xiaHdp+ycXSUavaJn+GhPFXnZgJPLVqw7zZsZNDWb7q4fNuzKHPwC7486mUXS7W1
rlZ0FFaNatojSHS6k0q2N9IY0zJviB5hfibT9stbEoqSoSjrYdB0Q9wpRw6nZqy1
GsCgQpJszljUdZvvBL1xX9RwUmINnmRdzZ5hcm0AqTSUVlksCtUcLeO/YGvBwMug
CqdA6pL+5h4+uqMBNuQx9AidK/wEwEqj+KVBvcjJK42bnOipxBbZqTK1zMw0DBoD
koCuq+cu4+fGO8KLQwjfUW2GOnAO67FApowDnEWEDNgI/RJ4557UII7bbO8QsKMO
V857TL+aU5Z0d04t57n0/ztHLRxq980guNzbOK7xF/RxyptD7BXewMwSFtEw8CIY
uXI1EkDpBikU7xjwYaaOatBlzaU6y2z7KFXsmjpLBCWwXFwRlhR65CfrL1uCX0RC
wAvrh7UXc1VEkvN+IXtPMVaujUvB1aOAQzkMMaMtKbUMnX2T1dZ3ENXd2rhKnqnp
LZZcsqv0IresnOeFa5namHrB4579eB9ypfjov4R3GoyB8MWWezipigHP+D4AJBAQ
G5ZE+oetV/T34JRhkGzx
=79po
-----END PGP SIGNATURE-----

Message #30 received at 783148-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Lippers-Hollmann <s.l-h@gmx.de>

To: 783148-close@bugs.debian.org

Subject: Bug#783148: fixed in wpa 2.3-1+deb8u1

Date: Fri, 24 Apr 2015 15:50:18 +0000

Source: wpa
Source-Version: 2.3-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Lippers-Hollmann <s.l-h@gmx.de> (supplier of updated wpa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 23 Apr 2015 19:32:29 +0200
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 2.3-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>
Changed-By: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Description:
 hostapd    - IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
 wpagui     - graphical user interface for wpa_supplicant
 wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
 wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 783148
Changes:
 wpa (2.3-1+deb8u1) jessie-security; urgency=high
 .
   * import "P2P: Validate SSID element length before copying it
     (CVE-2015-1863)" from upstream (Closes: #783148).
Checksums-Sha1:
 cd5ce228c0f6294b1ab5f2eeaeb64159a4c702c3 2496 wpa_2.3-1+deb8u1.dsc
 7737a4306195ffaba8bb6777e2ede5a4a25e3ca0 1735544 wpa_2.3.orig.tar.xz
 7a3efdcd8c6090b3acc80b339b9af9eb7b0ef74b 75404 wpa_2.3-1+deb8u1.debian.tar.xz
Checksums-Sha256:
 e112c7fe66fc5f0aa41e326df1fdf7ee229ff423b2cf3bd69bc2e7151151b3e7 2496 wpa_2.3-1+deb8u1.dsc
 3d96034fa9e042c8aacb0812d8b2ab3d4c9aa6fc410802b4ee0da311e51c3eb3 1735544 wpa_2.3.orig.tar.xz
 18dec2f1116ce66aae8b90d894370b750ace8559d4c25423bcee84d655f14e6a 75404 wpa_2.3-1+deb8u1.debian.tar.xz
Files:
 a233d108a9b584bb330723a103106f4c 2496 net optional wpa_2.3-1+deb8u1.dsc
 d6dc9fa32a406506717ee6a4d076cd6d 1735544 net optional wpa_2.3.orig.tar.xz
 d0f365b9276dc71eba04d6149bdb3ec7 75404 net optional wpa_2.3-1+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVOVaRAAoJEAVMuPMTQ89EQUMP/31HesPh0ndMjfquKRSMFs+J
p0/yUGbagWVWpM2biaDejluMIC2PElzGpA9zL18CN8cwyhf3rSMOw9TBJolIJ+eg
PnrFu52e5KlGR2NupNIuVzgCKlhk9AMfdPFt3lcTEu1DcJgOULHqLwDfh8zARbmP
/OQOs7zK3bNnOBAhWOiFihtHmt7/CSIBLgTYnu089NhPYMPT9r62WgWwF3PnlzDJ
D7soBdlswRzVZLAZPJM6HLX12N52Jen5elzLDLRaSiRuh4jgJHok6QZLdc12PnWn
Ol3C8ZnfJd7fLfD5YjzKV2yoe7id2txGsGUhADjbnrgs/RXYwXFqOmBWHqrlYHQr
k40IizNG4e5x1YFLQAP7+e3L4IfPKai+lQteTFWE7h56R2Z0TpkMFB57mYRJiII7
qVLUNFK71D7lDju9uA9NuYQRZ8yjD5SIcaJlyS5jI96ZYK9OGgr8m5thcJeCTrIL
xwBABrPYnSdXxMZqSTKtNijsfiyjHvq3Feb66iAki01R4pT0y6K9xxT7Qfudp72V
djDmB2GHKlzIYRVc7v0L1akDEzMC/3hmbKG7DwjB9I6wmqwThKDjA8whhuBwlUV3
4Rt8cl2o+2px+llWC1i8mGkKne1dIx9hl8w+C+2YhaopnJ+pNhS1Lt83nDyETprY
KWkxj4ZFhvctGb/EFI3o
=GYde
-----END PGP SIGNATURE-----

Message #35 received at 783148-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Lippers-Hollmann <s.l-h@gmx.de>

To: 783148-close@bugs.debian.org

Subject: Bug#783148: fixed in wpa 1.0-3+deb7u2

Date: Tue, 05 May 2015 19:50:52 +0000

Source: wpa
Source-Version: 1.0-3+deb7u2

We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Lippers-Hollmann <s.l-h@gmx.de> (supplier of updated wpa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 23 Apr 2015 19:56:11 +0200
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 1.0-3+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>
Changed-By: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Description: 
 hostapd    - user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authentica
 wpagui     - graphical user interface for wpa_supplicant
 wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
 wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 783148
Changes: 
 wpa (1.0-3+deb7u2) wheezy-security; urgency=high
 .
   * import "P2P: Validate SSID element length before copying it
     (CVE-2015-1863)" from upstream (Closes: #783148); this is essentially a
     no-op for the wheezy binaries distributed by Debian, as CONFIG_P2P is
     disabled there.
Checksums-Sha1: 
 bf640b5991efeb3caa79469ed78cbc04bde33b12 2463 wpa_1.0-3+deb7u2.dsc
 bd61f0682d9e9ea9056f786fd969f042e6fada01 89211 wpa_1.0-3+deb7u2.debian.tar.gz
 6250fd0f05010fe7fbb834a1e86a8d5bf7d24dab 476138 hostapd_1.0-3+deb7u2_amd64.deb
 11f5de885f8928141fc2fe6f89bf7c5612001d31 368442 wpagui_1.0-3+deb7u2_amd64.deb
 ccaa0428a1b2925d29485ea9c35716e01f4bd6a1 608388 wpasupplicant_1.0-3+deb7u2_amd64.deb
 72a4e90d40091a6ccab39dad7844d0fdd25c8dd9 154864 wpasupplicant-udeb_1.0-3+deb7u2_amd64.udeb
Checksums-Sha256: 
 a5b295a82237d499c5680af759efa5b37600b2618658156cb3602dec84d7cf7b 2463 wpa_1.0-3+deb7u2.dsc
 eefc6b4d23d72e953db1b564c21af251087fc28b1a5a6423f4ae32f526889f71 89211 wpa_1.0-3+deb7u2.debian.tar.gz
 64aa5dbf2bb06e36d262a2f64e8d84362d311f75243e4c6b1c72db9ca270a9f7 476138 hostapd_1.0-3+deb7u2_amd64.deb
 30e18e961bb9759ca5e06159f38dcfac08e6a5c99f710ee367f967e69e4904ef 368442 wpagui_1.0-3+deb7u2_amd64.deb
 88d00593e3abbf46263f304cfbc3aeabb7df8a545babed1de30f5637aa5ae382 608388 wpasupplicant_1.0-3+deb7u2_amd64.deb
 f36515e72469fa513ec20d3386c3f5ecd643c927ddaaa1d135fc17eeefeff895 154864 wpasupplicant-udeb_1.0-3+deb7u2_amd64.udeb
Files: 
 78101ba617ac20073a538c338cc1babd 2463 net optional wpa_1.0-3+deb7u2.dsc
 d8373f2b07dbae87025a0a3440c944dd 89211 net optional wpa_1.0-3+deb7u2.debian.tar.gz
 5318bce4e3d53d296aa7dd9dc19c42cf 476138 net optional hostapd_1.0-3+deb7u2_amd64.deb
 39bac2934e27a38efe58ed39f8a3c285 368442 net optional wpagui_1.0-3+deb7u2_amd64.deb
 efd7cf52cf80b1a87420804dda07c355 608388 net optional wpasupplicant_1.0-3+deb7u2_amd64.deb
 885a9598c777dc916ce8b8f975ec61cf 154864 debian-installer standard wpasupplicant-udeb_1.0-3+deb7u2_amd64.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVOVL4AAoJEAVMuPMTQ89EoTMP/iFI0ejFz1Lcwa/gOQ54XDh4
7QNYv6/HpQ5HamIYfb5LjWgr3tHBDk/oe7j9E6QYEI1gwBUl4lUVO+SYWFpjvcme
mY3IvFb02VobUZiO4ogqXm8defSlhjigQbIwZ1KS1fq6emlVIotkgFwS+2+jEHIQ
V7W4ijjej/iCbZR3PvnISVXYzNdjsnarRMHUIX1gqSrrFscbqm4N2GFNTKGgUovQ
BNSNAvrzlcqyjfjj3ONM1dVc9qB8kgYoLC6ktEqCEvZulbiD6AeH3ZqHw2w1PDd6
DHkM1qbHT1wUJmdelkrf/LjQbayOS1QqE8qXQLEmNxWr2e5dpdy3dOOulzsmEhyt
78+8rLThaHI+lBEBhseu2KYNoKpbHV8gEkbXtTrQWNAsR8C84ja06flJqzROttcd
AaIkhf9+01k7N3JOgKRk7qCiDf5qpGsCRcYQ6UOPivCx61Wwgbc+IlWqHsyvjPi4
ccN6NP/9ui/RsfqbNYicnfMTnHdm8cIKtuMqvYWZ4M+vVSYAqMI+Sk/h/OtD/u4x
LlAKQ7pUfvaMMNeQeNt19l1XGOGIXGqQdFc14AKkQ1Hta6vBL8FRi8K36JCbtrJL
dj0JKBWNu/FSWZEFhlE/rpOmvwdX6ix9AOnpJwC6NGvVJGBypJ9MsjxiTaUM3Qag
tydNLdJiGWs4wiKR2ZKA
=WWfa
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.