Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package wpa_supplicant for openSUSE:Factory checked in at 2026-07-10 17:34:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wpa_supplicant (Old) and /work/SRC/openSUSE:Factory/.wpa_supplicant.new.1991 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wpa_supplicant" Fri Jul 10 17:34:53 2026 rev:102 rq:1364749 version:2.11 Changes: -------- --- /work/SRC/openSUSE:Factory/wpa_supplicant/wpa_supplicant.changes 2026-02-21 21:02:27.682121778 +0100 +++ /work/SRC/openSUSE:Factory/.wpa_supplicant.new.1991/wpa_supplicant.changes 2026-07-10 17:35:43.057655222 +0200 @@ -1,0 +2,20 @@ +Thu Jul 9 15:08:24 UTC 2026 - Clemens Famulla-Conrad <[email protected]> + +- Add Require-network_ctx-and-AKMP-match-for-accepting-PMK.patch + https://w1.fi/security/2026-2/ +- Add SAE-Fix-crash-due-to-NULL-pointer-dereference-in-H2E.patch + https://w1.fi/security/2026-3/ + +------------------------------------------------------------------- +Wed Jul 8 10:04:36 UTC 2026 - Clemens Famulla-Conrad <[email protected]> + +- Add CVE-2026-58374.patch: Missing multi-link parsing validation in + wpa_supplicant and hostapd (bsc#1269892) + +------------------------------------------------------------------- +Wed Jul 8 02:01:21 UTC 2026 - Jonathan Kang <[email protected]> + +- Add wpa_supplicant_support_pem_encoded_chain.patch: OpenSSL: + Support PEM encoded chain from ca_cert blob (bsc#1258365). + +------------------------------------------------------------------- New: ---- CVE-2026-58374.patch Require-network_ctx-and-AKMP-match-for-accepting-PMK.patch SAE-Fix-crash-due-to-NULL-pointer-dereference-in-H2E.patch wpa_supplicant_support_pem_encoded_chain.patch ----------(New B)---------- New: - Add CVE-2026-58374.patch: Missing multi-link parsing validation in wpa_supplicant and hostapd (bsc#1269892) New: - Add Require-network_ctx-and-AKMP-match-for-accepting-PMK.patch https://w1.fi/security/2026-2/ New: https://w1.fi/security/2026-2/ - Add SAE-Fix-crash-due-to-NULL-pointer-dereference-in-H2E.patch https://w1.fi/security/2026-3/ New: - Add wpa_supplicant_support_pem_encoded_chain.patch: OpenSSL: Support PEM encoded chain from ca_cert blob (bsc#1258365). ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wpa_supplicant.spec ++++++ --- /var/tmp/diff_new_pack.SR6r6s/_old 2026-07-10 17:35:46.505773205 +0200 +++ /var/tmp/diff_new_pack.SR6r6s/_new 2026-07-10 17:35:46.509773342 +0200 @@ -43,6 +43,14 @@ Patch7: CVE-2025-24912.patch # PATCH-FIX-UPSTREAM https://w1.fi/cgit/hostap/commit/?id=2ed9806275f9ae37545ca30d9bcce1e94fba1d97 Patch8: 0001-wpa_gui-Port-to-Qt6.patch +# PATCH-FIX-UPSTREAM bsc#1258365, https://git.w1.fi/cgit/hostap/commit/?id=9bb25b01fe843924113883a93236d43bb77d4cb1 +Patch9: wpa_supplicant_support_pem_encoded_chain.patch +# PATCH-FIX-UPSTREAM CVE-2026-58374, bsc#1269892 Missing multi-link parsing validation +Patch10: CVE-2026-58374.patch +# PATCH-FIX-UPSTREAM https://w1.fi/security/2026-2/ +Patch11: Require-network_ctx-and-AKMP-match-for-accepting-PMK.patch +# PATCH-FIX-UPSTREAM https://w1.fi/security/2026-3/ +Patch12: SAE-Fix-crash-due-to-NULL-pointer-dereference-in-H2E.patch BuildRequires: pkgconfig BuildRequires: readline-devel BuildRequires: systemd-rpm-macros ++++++ CVE-2026-58374.patch ++++++ >From 00d121cd31b70654f47fc63811bbc7ec9da06240 Mon Sep 17 00:00:00 2001 From: Clemens Famulla-Conrad <[email protected]> Date: Tue, 7 Jul 2026 12:21:36 +0200 Subject: [PATCH] CVE-2026-58374 Missing multi-link parsing validation Combined patch for CVE-2026-58374 bsc#1269892 https://w1.fi/security/2026-1/ 0001-AP-MLD-Fix-link-ID-validation-in-Basic-MLE-parsing.patch 0002-BSS-Add-bounds-check-for-link_id-in-Basic-MLE-parsin.patch 0003-MLD-Validate-MLE-Link-ID-fields-in-association-rejec.patch 0004-AP-MLD-Verify-AP-MLD-link-ID-validity-before-updatin.patch 0005-MLD-Fix-length-check-in-common-info-for-association-.patch --- src/ap/beacon.c | 5 ++++- src/ap/ieee802_11_eht.c | 10 ++++++++-- wpa_supplicant/bss.c | 5 +++++ wpa_supplicant/events.c | 18 +++++++++++++++++- 4 files changed, 34 insertions(+), 4 deletions(-) --- a/src/ap/beacon.c +++ b/src/ap/beacon.c @@ -1305,6 +1305,7 @@ for_each_element_id(sub, 0, pos, len) { const struct ieee80211_eht_per_sta_profile *sta; u16 sta_control; + u8 link_id; if (*links == 0xffff) *links = 0; @@ -1324,7 +1325,9 @@ * partial profile was requested. */ sta_control = le_to_host16(sta->sta_control); - *links |= BIT(sta_control & EHT_PER_STA_CTRL_LINK_ID_MSK); + link_id = sta_control & BASIC_MLE_STA_CTRL_LINK_ID_MASK; + if (link_id < MAX_NUM_MLD_LINKS) + *links |= BIT(link_id); } if (!for_each_element_completed(sub, pos, len)) { --- a/src/ap/ieee802_11_eht.c +++ b/src/ap/ieee802_11_eht.c @@ -1262,6 +1262,7 @@ size_t sub_elem_len = *(pos + 1); size_t sta_info_len; u16 control; + u8 link_id; wpa_printf(MSG_DEBUG, "MLD: sub element len=%zu", sub_elem_len); @@ -1302,8 +1303,13 @@ goto out; } control = WPA_GET_LE16(pos); - link_info = &info->links[control & - EHT_PER_STA_CTRL_LINK_ID_MSK]; + link_id = control & BASIC_MLE_STA_CTRL_LINK_ID_MASK; + if (link_id >= MAX_NUM_MLD_LINKS) { + wpa_printf(MSG_DEBUG, + "MLD: Invalid Link ID in Per-STA Profile subelement"); + goto out; + } + link_info = &info->links[link_id]; pos += 2; ml_len -= 2; sub_elem_len -= 2; --- a/wpa_supplicant/bss.c +++ b/wpa_supplicant/bss.c @@ -1710,6 +1710,11 @@ ETH_ALEN); link_id = ml_basic_common_info->variable[0] & EHT_ML_LINK_ID_MSK; + if (link_id >= MAX_NUM_MLD_LINKS) { + wpa_printf(MSG_DEBUG, "MLD: Invalid link ID %u in Basic MLE", + link_id); + goto out; + } bss->mld_link_id = link_id; seen = bss->valid_links = BIT(link_id); --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c @@ -3852,6 +3852,13 @@ goto out; } + if (sizeof(*ml) + common_info->len > ml_len) { + wpa_printf(MSG_DEBUG, + "MLD: Truncated common info (common_info->len=%u ml_len=%zu)", + common_info->len, ml_len); + goto out; + } + wpa_printf(MSG_DEBUG, "MLD: address: " MACSTR, MAC2STR(common_info->mld_addr)); @@ -3864,7 +3871,12 @@ pos = common_info->variable; /* Store the information for the association link */ - ml_info[i].link_id = *pos; + ml_info[i].link_id = *pos & EHT_ML_LINK_ID_MSK; + if (ml_info[i].link_id >= MAX_NUM_MLD_LINKS) { + wpa_printf(MSG_DEBUG, + "MLD: Invalid Link ID value for assoc link"); + goto out; + } pos++; /* Skip the BSS Parameters Change Count */ @@ -3999,6 +4011,10 @@ MAC2STR(pos + 1), nstr_bitmap_len); ml_info[i].link_id = ctrl & EHT_PER_STA_CTRL_LINK_ID_MSK; + if (ml_info[i].link_id >= MAX_NUM_MLD_LINKS) { + wpa_printf(MSG_DEBUG, "MLD: Invalid Link ID value"); + goto out; + } os_memcpy(ml_info[i].bssid, pos + 1, ETH_ALEN); pos += sta_info_len; ++++++ Require-network_ctx-and-AKMP-match-for-accepting-PMK.patch ++++++ >From de5e73a03c34d83568afb3183b2b28c8d7641a30 Mon Sep 17 00:00:00 2001 From: Jouni Malinen <[email protected]> Date: Mon, 6 Jul 2026 15:33:11 +0300 Subject: [PATCH] Require network_ctx and AKMP match for accepting PMKSA entry When wpa_supplicant was processing EAPOL-Key msg 1/4 with a PMKID indicated by the AP/Authenticator, a PMKSA for the same AA was accepted without enforcing matching network_ctx (i.e., same network configuration block) and AKMP. This could allow misbehaving APs to make wpa_supplicant use an unacceptable PMKSA entry that was generated for a different network for AKMP under certain conditions. This could result in showing a connection to an incorrect network when an attacker has credentials to one network in wpa_supplicant configuration, but not to another network. Fix this by accepting the PMKID to set the PMKSA for an association only if the PMKSA with the same PMKID is for the same network and was generated using the same AKMP. Signed-off-by: Jouni Malinen <[email protected]> --- src/rsn_supp/wpa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -321,7 +321,7 @@ * matching PMKSA cache entry here. */ sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, sm->own_addr, pmkid, - NULL, 0); + sm->network_ctx, sm->key_mgmt); if (sm->cur_pmksa) { wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: found matching PMKID from PMKSA cache"); ++++++ SAE-Fix-crash-due-to-NULL-pointer-dereference-in-H2E.patch ++++++ >From f12d55ff652ab2e367425c1392510d10d8b9f638 Mon Sep 17 00:00:00 2001 From: Jimi Chen <[email protected]> Date: Thu, 21 May 2026 06:56:54 +0000 Subject: [PATCH] SAE: Fix crash due to NULL pointer dereference in H2E parsing In H2E (Hash-to-Element) mode, sae_parse_commit() parses the optional Anti-Clogging Token Container by calling sae_parse_token_container(). However, callers of sae_parse_commit() that do not require retrieving the anti-clogging token (such as PASN initiator/responder and SME auth) pass NULL for the token and token_len output arguments. If the peer sends a Commit frame containing a valid Anti-Clogging Token Container element, sae_parse_token_container() unconditionally sets *token and *token_len, resulting in a NULL pointer dereference (SIGSEGV) and crashing wpa_supplicant. Fix this by adding NULL checks before writing to token and token_len. Update the debug log to print the token directly using 'pos'. Fixes: 5e32fb0170f4 ("SAE: Use Anti-Clogging Token Container element with H2E") Signed-off-by: Amarnath Hullur Subramanyam <[email protected]> --- src/common/sae.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/src/common/sae.c +++ b/src/common/sae.c @@ -1881,10 +1881,12 @@ pos, end - pos); if (!sae_is_token_container_elem(pos, end)) return; - *token = pos + 3; - *token_len = pos[1] - 1; + if (token) + *token = pos + 3; + if (token_len) + *token_len = pos[1] - 1; wpa_hexdump(MSG_DEBUG, "SAE: Anti-Clogging Token (in container)", - *token, *token_len); + pos + 3, pos[1] - 1); } ++++++ wpa_supplicant_support_pem_encoded_chain.patch ++++++ >From 9bb25b01fe843924113883a93236d43bb77d4cb1 Mon Sep 17 00:00:00 2001 From: Beniamino Galvani <[email protected]> Date: Fri, 19 Dec 2025 12:09:05 +0100 Subject: OpenSSL: Support PEM encoded chain from ca_cert blob Support configuring a chain of certificates through a ca_cert blob. Since the code to to add the certificate to the store is used in multiple places in tls_connection_ca_cert(), extract it to a separate function. Signed-off-by: Beniamino Galvani <[email protected]> --- src/crypto/tls_openssl.c | 113 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 79 insertions(+), 34 deletions(-) diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 2f51b37ef..d6f254371 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -2968,6 +2968,31 @@ static int tls_load_ca_der(struct tls_data *data, const char *ca_cert) #endif /* OPENSSL_NO_STDIO */ +static int tls_add_ca_cert(SSL_CTX *ssl_ctx, X509 *cert) +{ + unsigned long err; + + if (X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx), cert) == 1) + return 0; + + err = ERR_peek_error(); + + if (ERR_GET_LIB(err) == ERR_LIB_X509 && + ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) { + ERR_get_error(); + wpa_printf(MSG_DEBUG, + "OpenSSL: %s - ignoring cert already in hash table error", + __func__); + return 0; + } + + tls_show_errors(MSG_WARNING, __func__, + "Failed to add ca_cert_blob to certificate store"); + + return -1; +} + + static int tls_connection_ca_cert(struct tls_data *data, struct tls_connection *conn, const char *ca_cert, const u8 *ca_cert_blob, @@ -3030,49 +3055,69 @@ static int tls_connection_ca_cert(struct tls_data *data, } if (ca_cert_blob) { - X509 *cert = d2i_X509(NULL, - (const unsigned char **) &ca_cert_blob, - ca_cert_blob_len); - if (cert == NULL) { - BIO *bio = BIO_new_mem_buf(ca_cert_blob, - ca_cert_blob_len); - - if (bio) { - cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); - BIO_free(bio); - } + unsigned long err; + X509 *cert; + int count; + BIO *bio; - if (!cert) { - tls_show_errors(MSG_WARNING, __func__, - "Failed to parse ca_cert_blob"); + cert = d2i_X509(NULL, + (const unsigned char **) &ca_cert_blob, + ca_cert_blob_len); + if (cert) { + if (tls_add_ca_cert(ssl_ctx, cert) < 0) { + X509_free(cert); return -1; } - while (ERR_get_error()) { - /* Ignore errors from DER conversion. */ - } + wpa_printf(MSG_DEBUG, + "OpenSSL: %s - added ca_cert_blob to certificate store", + __func__); + X509_free(cert); + return 0; } - if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx), - cert)) { - unsigned long err = ERR_peek_error(); - tls_show_errors(MSG_WARNING, __func__, - "Failed to add ca_cert_blob to " - "certificate store"); - if (ERR_GET_LIB(err) == ERR_LIB_X509 && - ERR_GET_REASON(err) == - X509_R_CERT_ALREADY_IN_HASH_TABLE) { - wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring " - "cert already in hash table error", - __func__); - } else { + count = 0; + bio = BIO_new_mem_buf(ca_cert_blob, ca_cert_blob_len); + if (bio) { + while ((cert = PEM_read_bio_X509(bio, NULL, NULL, + NULL))) { + if (count == 0) { + /* Ignore errors from DER conversion + * if we detect a certificate in PEM + * format. */ + ERR_clear_error(); + } + count++; + if (tls_add_ca_cert(ssl_ctx, cert) < 0) { + X509_free(cert); + BIO_free(bio); + return -1; + } X509_free(cert); - return -1; } + BIO_free(bio); } - X509_free(cert); - wpa_printf(MSG_DEBUG, "OpenSSL: %s - added ca_cert_blob " - "to certificate store", __func__); + + if (count == 0) { + tls_show_errors(MSG_WARNING, __func__, + "Failed to parse ca_cert_blob"); + return -1; + } + + /* When the loop ends successfully, it's because of EOF */ + err = ERR_peek_last_error(); + if (ERR_GET_LIB(err) != ERR_LIB_PEM || + ERR_GET_REASON(err) != PEM_R_NO_START_LINE) { + tls_show_errors(MSG_WARNING, __func__, + "Failed to parse ca_cert_blob bundle"); + return -1; + } + + ERR_clear_error(); + + wpa_printf(MSG_DEBUG, + "OpenSSL: %s - added %d ca_cert_blob certificates to certificate store", + __func__, count); return 0; } -- cgit v1.2.3
