Hello community,

here is the log from the commit of package wpa_supplicant for openSUSE:Factory checked in at 2021-02-11 12:46:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/wpa_supplicant (Old)
 and      /work/SRC/openSUSE:Factory/.wpa_supplicant.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wpa_supplicant" Thu Feb 11 12:46:54 2021 rev:85 rq:869590 version:2.9 Changes: -------- --- /work/SRC/openSUSE:Factory/wpa_supplicant/wpa_supplicant.changes 2020-11-02 09:40:33.949619854 +0100 +++ /work/SRC/openSUSE:Factory/.wpa_supplicant.new.28504/wpa_supplicant.changes 2021-02-11 12:47:54.917534992 +0100 @@ -1,0 +2,6 @@ +Thu Feb 4 12:27:02 UTC 2021 - Clemens Famulla-Conrad <[email protected]> + +- Add CVE-2021-0326.patch -- P2P group information processing vulnerability + (bsc#1181777) + +------------------------------------------------------------------- New: ---- CVE-2021-0326.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wpa_supplicant.spec ++++++ --- /var/tmp/diff_new_pack.biLchb/_old 2021-02-11 12:47:55.553535918 +0100 +++ /var/tmp/diff_new_pack.biLchb/_new 2021-02-11 12:47:55.557535924 +0100 @@ -1,7 +1,7 @@ # # spec file for package wpa_supplicant # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -42,6 +42,7 @@ Patch6: restore-old-dbus-interface.patch Patch7: CVE-2019-16275.patch Patch8: wpa_supplicant-p2p_iname_size.diff +Patch9: CVE-2021-0326.patch BuildRequires: pkgconfig BuildRequires: readline-devel BuildRequires: systemd-rpm-macros ++++++ CVE-2021-0326.patch ++++++ >From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001 
From: Jouni Malinen <[email protected]> Date: Mon, 9 Nov 2020 11:43:12 +0200 Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group client Parsing and copying of WPS secondary device types list was verifying that the contents is not too long for the internal maximum in the case of WPS messages, but similar validation was missing from the case of P2P group information which encodes this information in a different attribute. This could result in writing beyond the memory area assigned for these entries and corrupting memory within an instance of struct p2p_device. This could result in invalid operations and unexpected behavior when trying to free pointers from that corrupted memory. Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269 Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers") Signed-off-by: Jouni Malinen <[email protected]> --- src/p2p/p2p.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c index 74b7b52ae05c..5cbfc217fc1f 100644 --- a/src/p2p/p2p.c +++ b/src/p2p/p2p.c @@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev, dev->info.config_methods = cli->config_methods; os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8); dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types; + if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN) + dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN; os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types, dev->info.wps_sec_dev_type_list_len); } -- 2.25.1
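Review bot: the wpa_supplicant.spec hunk at @@ -42,6 +42,7 @@ declares Patch9: CVE-2021-0326.patch, but no hunk in this diff adds a matching application step in %prep. If %prep applies patches one by one rather than through %autosetup or %autopatch, the fix is packaged but never applied to the source. Confirm which it is, and add a %patch9 line if needed.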
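Review bot: in the src/p2p/p2p.c hunk, the new clamp in p2p_copy_client_info() shortens wps_sec_dev_type_list_len without leaving any trace, so a peer advertising an oversized secondary device type list looks the same in logs as a well-formed one. Consider a debug message when the clamp fires, and consider bounding or rejecting cli->num_sec_dev_types where the P2P group information is parsed, so that an oversized count never reaches this copy. The clamp also lands on an entry boundary only if WPS_SEC_DEV_TYPE_MAX_LEN is a multiple of the 8-byte entry size used in the line above it; a short comment stating that assumption would help.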
