Your message dated Tue, 05 May 2015 19:50:52 +0000
with message-id <[email protected]>
and subject line Bug#783148: fixed in wpa 1.0-3+deb7u2
has caused the Debian Bug report #783148,
regarding wpa: CVE-2015-1863: wpa_supplicant P2P SSID processing vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
783148: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783148
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: wpa
Version: 2.3-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
Hi,
the following vulnerability was published for wpa.
CVE-2015-1863[0]:
| P2P SSID processing vulnerability:
| A vulnerability was found in how wpa_supplicant uses SSID information
| parsed from management frames that create or update P2P peer entries
| (e.g., Probe Response frame or number of P2P Public Action frames). SSID
| field has valid length range of 0-32 octets. However, it is transmitted
| in an element that has an 8-bit length field and potential maximum
| payload length of 255 octets. wpa_supplicant was not sufficiently
| verifying the payload length on one of the code paths using the SSID
| received from a peer device.
|
| This can result in copying arbitrary data from an attacker to a fixed
| length buffer of 32 bytes (i.e., a possible overflow of up to 223
| bytes). The SSID buffer is within struct p2p_device that is allocated
| from heap. The overflow can override a couple of variables in the struct,
| including a pointer that gets freed. In addition about 150 bytes (the
| exact length depending on architecture) can be written beyond the end of
| the heap allocation.
|
| This could result in corrupted state in heap, unexpected program
| behavior due to corrupted P2P peer device information, denial of service
| due to wpa_supplicant process crash, exposure of memory contents during
| GO Negotiation, and potentially arbitrary code execution.
|
| Vulnerable versions/configurations
|
| wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled
|
| Attacker (or a system controlled by the attacker) needs to be within
| radio range of the vulnerable system to send a suitably constructed
| management frame that triggers P2P peer device information to be
| created or updated.
|
| The vulnerability is easiest to exploit while the device has started an
| active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
| interface command in progress). However, it may be possible, though
| significantly more difficult, to trigger this even without any active
| P2P operation in progress.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-1863
[1] http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt
[2] http://w1.fi/security/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: wpa
Source-Version: 1.0-3+deb7u2
We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Lippers-Hollmann <[email protected]> (supplier of updated wpa package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 23 Apr 2015 19:56:11 +0200
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 1.0-3+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian/Ubuntu wpasupplicant Maintainers <[email protected]>
Changed-By: Stefan Lippers-Hollmann <[email protected]>
Description:
hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authentica
wpagui - graphical user interface for wpa_supplicant
wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 783148
Changes:
wpa (1.0-3+deb7u2) wheezy-security; urgency=high
.
* import "P2P: Validate SSID element length before copying it
(CVE-2015-1863)" from upstream (Closes: #783148); this is essentially a
no-op for the wheezy binaries distributed by Debian, as CONFIG_P2P is
disabled there.
--- End Message ---