wpa: CVE-2019-11555: EAP-pwd message reassembly issue with unexpected fragment

Related Vulnerabilities: CVE-2019-11555  

Debian Bug report logs - #927463

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 20 Apr 2019 06:15:05 UTC

Severity: important

Tags: patch, security, upstream

Found in versions wpa/2:2.4-1+deb9u2, wpa/2:2.4-1, wpa/2:2.4-1+deb9u3, wpa/2:2.7+git20190128+0c1e29f-4

Fixed in versions wpa/2:2.7+git20190128+0c1e29f-5, wpa/2:2.4-1+deb9u4

Done: Andrej Shadura <andrewsh@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian wpasupplicant Maintainers <wpa@packages.debian.org>:
Bug#927463; Package src:wpa. (Sat, 20 Apr 2019 06:15:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian wpasupplicant Maintainers <wpa@packages.debian.org>. (Sat, 20 Apr 2019 06:15:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wpa: EAP-pwd message reassembly issue with unexpected fragment
Date: Sat, 20 Apr 2019 08:14:20 +0200
Source: wpa
Version: 2:2.7+git20190128+0c1e29f-4
Severity: important
Tags: patch security upstream

Hi

From [1]

> EAP-pwd message reassembly issue with unexpected fragment
> 
> Published: April 18, 2019
> Latest version available from: https://w1.fi/security/2019-5/
> 
> Vulnerability
> 
> EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
> peer) was discovered not to validate fragmentation reassembly state
> properly for a case where an unexpected fragment could be received. This
> could result in process termination due to NULL pointer dereference.
> 
> An attacker in radio range of a station device with wpa_supplicant
> network profile enabling use of EAP-pwd could cause the wpa_supplicant
> process to terminate by constructing unexpected sequence of EAP
> messages. An attacker in radio range of an access point that points to
> hostapd as an authentication server with EAP-pwd user enabled in runtime
> configuration (or in non-WLAN uses of EAP authentication as long as the
> attacker can send EAP-pwd messages to the server) could cause the
> hostapd process to terminate by constructing unexpected sequence of EAP
> messages.
> 
> 
> Vulnerable versions/configurations
> 
> All hostapd and wpa_supplicant versions with EAP-pwd support
> (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
> in the runtime configuration) are vulnerable against the process
> termination (denial of service) attack.
> 
> 
> Possible mitigation steps
> 
> - Merge the following commits to wpa_supplicant/hostapd and rebuild:
> 
>   EAP-pwd peer: Fix reassembly buffer handling
>   EAP-pwd server: Fix reassembly buffer handling
> 
>   These patches are available from https://w1.fi/security/2019-5/
> 
> - Update to wpa_supplicant/hostapd v2.8 or newer, once available

 [1] https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt

No CVE assigned AFAIK (yet).

Regards,
Salvatore
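
The reassembly-state check that the advisory quoted above describes as missing, sketched in C as an added example; it is not hostapd/wpa_supplicant code and not the upstream patch. `struct reasm`, `reasm_feed` and `reasm_drop` are hypothetical names, and the header layout (L bit 0x80, M bit 0x40, two-octet Total-Length following the first octet when L is set) is assumed from RFC 5931.

```c
#include <stdlib.h>
#include <string.h>

#define PWD_L_BIT 0x80 /* Total-Length field present: first fragment */
#define PWD_M_BIT 0x40 /* more fragments follow */
enum frag_result { FRAG_DROP = -1, FRAG_MORE, FRAG_DONE, FRAG_SINGLE };
struct reasm { unsigned char *inbuf; size_t total, pos; }; /* hypothetical */

static enum frag_result reasm_drop(struct reasm *r)
{
    free(r->inbuf); /* inbuf stays NULL until a first fragment arrives */
    memset(r, 0, sizeof(*r));
    return FRAG_DROP;
}

/* Feed one EAP-pwd payload; p points at the L/M/PWD-Exch octet. */
enum frag_result reasm_feed(struct reasm *r, const unsigned char *p, size_t len)
{
    if (len < 1)
        return reasm_drop(r);
    unsigned char flags = *p++;
    len--;
    if (flags & PWD_L_BIT) {
        if (r->inbuf || len < 2) /* repeated first fragment, or truncated */
            return reasm_drop(r);
        r->total = ((size_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
        r->inbuf = r->total ? malloc(r->total) : NULL;
        if (!r->inbuf)
            return reasm_drop(r);
    } else if (!r->inbuf) {
        /* No buffer yet: a lone frame is fine, a continuation is not. */
        return (flags & PWD_M_BIT) ? FRAG_DROP : FRAG_SINGLE;
    }
    if (len > r->total - r->pos) /* more data than Total-Length announced */
        return reasm_drop(r);
    memcpy(r->inbuf + r->pos, p, len);
    r->pos += len;
    if (flags & PWD_M_BIT)
        return FRAG_MORE;
    return r->pos == r->total ? FRAG_DONE : reasm_drop(r);
}

int main(void)
{
    struct reasm r = { 0 };
    const unsigned char lone[] = { PWD_M_BIT | 0x01, 0xaa }; /* constructed */
    return reasm_feed(&r, lone, sizeof(lone)) == FRAG_DROP ? 0 : 1;
}
```

After `FRAG_DONE` the caller consumes `r->inbuf` and then calls `reasm_drop()` to return to the idle state, so a later stray continuation is again rejected instead of being copied into a missing buffer.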



Information forwarded to debian-bugs-dist@lists.debian.org, Debian wpasupplicant Maintainers <wpa@packages.debian.org>:
Bug#927463; Package src:wpa. (Thu, 25 Apr 2019 09:45:03 GMT)


Acknowledgement sent to Andrej Shadura <andrew@shadura.me>:
Extra info received and forwarded to list. Copy sent to Debian wpasupplicant Maintainers <wpa@packages.debian.org>. (Thu, 25 Apr 2019 09:45:03 GMT)


Message #10 received at 927463@bugs.debian.org:

From: Andrej Shadura <andrew@shadura.me>
To: Salvatore Bonaccorso <carnil@debian.org>, 927463@bugs.debian.org
Subject: Re: Bug#927463: wpa: EAP-pwd message reassembly issue with unexpected fragment
Date: Thu, 25 Apr 2019 11:43:27 +0200

Hi,

On Sat, 20 Apr 2019 at 08:15, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi
>
> From [1]
>
> > EAP-pwd message reassembly issue with unexpected fragment
> >
> > Published: April 18, 2019
> > Latest version available from: https://w1.fi/security/2019-5/

Thanks for filing the bug. I was aware of this issue but since I was
about to leave for a holiday, I did nothing on that front :) I will
address it tomorrow.

-- 
Cheers,
  Andrej



Reply sent to Andrej Shadura <andrewsh@debian.org>:
You have taken responsibility. (Fri, 26 Apr 2019 13:09:02 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 26 Apr 2019 13:09:02 GMT)


Message #15 received at 927463-close@bugs.debian.org:

From: Andrej Shadura <andrewsh@debian.org>
To: 927463-close@bugs.debian.org
Subject: Bug#927463: fixed in wpa 2:2.7+git20190128+0c1e29f-5
Date: Fri, 26 Apr 2019 13:05:04 +0000
Source: wpa
Source-Version: 2:2.7+git20190128+0c1e29f-5

We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927463@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <andrewsh@debian.org> (supplier of updated wpa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 26 Apr 2019 14:55:52 +0200
Source: wpa
Architecture: source
Version: 2:2.7+git20190128+0c1e29f-5
Distribution: unstable
Urgency: high
Maintainer: Debian wpasupplicant Maintainers <wpa@packages.debian.org>
Changed-By: Andrej Shadura <andrewsh@debian.org>
Closes: 927463
Changes:
 wpa (2:2.7+git20190128+0c1e29f-5) unstable; urgency=high
 .
   * Fix security issue 2019-5:
     - EAP-pwd message reassembly issue with unexpected fragment
       (Closes: #927463, no CVE assigned).




Marked as found in versions wpa/2:2.4-1+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Apr 2019 18:51:03 GMT)


Marked as found in versions wpa/2:2.4-1+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Apr 2019 18:51:04 GMT)


Marked as found in versions wpa/2:2.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Apr 2019 18:51:06 GMT)


Changed Bug title to 'wpa: CVE-2019-11555: EAP-pwd message reassembly issue with unexpected fragment' from 'wpa: EAP-pwd message reassembly issue with unexpected fragment'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Apr 2019 21:45:03 GMT)


Reply sent to Andrej Shadura <andrewsh@debian.org>:
You have taken responsibility. (Sat, 25 May 2019 22:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 25 May 2019 22:21:03 GMT)


Message #28 received at 927463-close@bugs.debian.org:

From: Andrej Shadura <andrewsh@debian.org>
To: 927463-close@bugs.debian.org
Subject: Bug#927463: fixed in wpa 2:2.4-1+deb9u4
Date: Sat, 25 May 2019 22:17:08 +0000
Source: wpa
Source-Version: 2:2.4-1+deb9u4

We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927463@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <andrewsh@debian.org> (supplier of updated wpa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 26 Apr 2019 15:21:54 +0200
Source: wpa
Architecture: source
Version: 2:2.4-1+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Debian wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>
Changed-By: Andrej Shadura <andrewsh@debian.org>
Closes: 927463
Changes:
 wpa (2:2.4-1+deb9u4) stretch-security; urgency=high
 .
   * SECURITY UPDATE (2019-5):
     - CVE-2019-11555: EAP-pwd message reassembly issue with unexpected fragment
       (Closes: #927463).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:57:17 2019; Machine Name: buxtehude
