Your message dated Fri, 24 Apr 2015 15:50:18 +0000
with message-id <[email protected]>
and subject line Bug#783148: fixed in wpa 2.3-1+deb8u1
has caused the Debian Bug report #783148,
regarding wpa: CVE-2015-1863: wpa_supplicant P2P SSID processing vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
783148: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783148
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: wpa
Version: 2.3-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
Hi,
the following vulnerability was published for wpa.
CVE-2015-1863[0]:
| P2P SSID processing vulnerability:
| A vulnerability was found in how wpa_supplicant uses SSID information
| parsed from management frames that create or update P2P peer entries
| (e.g., Probe Response frame or number of P2P Public Action frames). SSID
| field has valid length range of 0-32 octets. However, it is transmitted
| in an element that has a 8-bit length field and potential maximum
| payload length of 255 octets. wpa_supplicant was not sufficiently
| verifying the payload length on one of the code paths using the SSID
| received from a peer device.
|
| This can result in copying arbitrary data from an attacker to a fixed
| length buffer of 32 bytes (i.e., a possible overflow of up to 223
| bytes). The SSID buffer is within struct p2p_device that is allocated
| from heap. The overflow can override couple of variables in the struct,
| including a pointer that gets freed. In addition about 150 bytes (the
| exact length depending on architecture) can be written beyond the end of
| the heap allocation.
|
| This could result in corrupted state in heap, unexpected program
| behavior due to corrupted P2P peer device information, denial of service
| due to wpa_supplicant process crash, exposure of memory contents during
| GO Negotiation, and potentially arbitrary code execution.
|
| Vulnerable versions/configurations
|
| wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled
|
| Attacker (or a system controlled by the attacker) needs to be within
| radio range of the vulnerable system to send a suitably constructed
| management frame that triggers a P2P peer device information to be
| created or updated.
|
| The vulnerability is easiest to exploit while the device has started an
| active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
| interface command in progress). However, it may be possible, though
| significantly more difficult, to trigger this even without any active
| P2P operation in progress.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-1863
[1] http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt
[2] http://w1.fi/security/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
Regards,
Salvatore
--- End Message ---
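The length check the advisory above describes, as an added C example (not code from wpa_supplicant or from the upstream patch). It walks id/length/payload elements and refuses any SSID element longer than 32 octets before copying it into a fixed buffer. `struct peer_entry`, `peer_set_ssid` and `try_ssid_len` are hypothetical names, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_SSID     0   /* IEEE 802.11 element ID of the SSID element */
#define SSID_MAX_LEN 32  /* valid SSID length is 0-32 octets */

/* Hypothetical peer record standing in for the heap-allocated peer struct. */
struct peer_entry {
    uint8_t ssid[SSID_MAX_LEN];
    size_t ssid_len;
};

/* Copy the first SSID element found in ies into peer. Returns 0 on success,
 * -1 if an element is truncated, the SSID is longer than 32 octets, or no
 * SSID element is present. peer is not modified on failure. */
int peer_set_ssid(struct peer_entry *peer, const uint8_t *ies, size_t ies_len)
{
    size_t pos = 0;

    while (ies_len - pos >= 2) {
        uint8_t id = ies[pos];
        uint8_t len = ies[pos + 1];      /* 8-bit field: 0..255 */
        if (len > ies_len - pos - 2)
            return -1;                   /* payload runs past the buffer */
        if (id == EID_SSID) {
            if (len > SSID_MAX_LEN)
                return -1;               /* would overflow peer->ssid */
            memcpy(peer->ssid, ies + pos + 2, len);
            peer->ssid_len = len;
            return 0;
        }
        pos += 2 + (size_t)len;          /* skip elements we do not need */
    }
    return -1;
}

/* Constructed sample: a vendor element followed by an SSID element whose
 * length field is claimed_len. Returns the stored length, or -1 if rejected. */
int try_ssid_len(uint8_t claimed_len)
{
    uint8_t ies[5 + 2 + 255] = { 0xdd, 0x03, 0x50, 0x6f, 0x9a, EID_SSID };
    struct peer_entry peer = { {0}, 0 };
    ies[6] = claimed_len;
    memset(ies + 7, 'A', claimed_len);
    if (peer_set_ssid(&peer, ies, 7 + (size_t)claimed_len) != 0)
        return -1;
    return (int)peer.ssid_len;
}
```

Both checks are needed: the first keeps the parser inside the received buffer, the second keeps the copy inside the 32-byte destination even though the length field can claim up to 255 octets.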
--- Begin Message ---
Source: wpa
Source-Version: 2.3-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Lippers-Hollmann <[email protected]> (supplier of updated wpa package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 23 Apr 2015 19:32:29 +0200
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 2.3-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian wpasupplicant Maintainers <[email protected]>
Changed-By: Stefan Lippers-Hollmann <[email protected]>
Description:
hostapd - IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
wpagui - graphical user interface for wpa_supplicant
wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 783148
Changes:
wpa (2.3-1+deb8u1) jessie-security; urgency=high
.
* import "P2P: Validate SSID element length before copying it
(CVE-2015-1863)" from upstream (Closes: #783148).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---