Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package wpa_supplicant for openSUSE:Factory 
checked in at 2026-07-10 17:34:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/wpa_supplicant (Old)
 and      /work/SRC/openSUSE:Factory/.wpa_supplicant.new.1991 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "wpa_supplicant"

Fri Jul 10 17:34:53 2026 rev:102 rq:1364749 version:2.11

Changes:
--------
--- /work/SRC/openSUSE:Factory/wpa_supplicant/wpa_supplicant.changes    
2026-02-21 21:02:27.682121778 +0100
+++ /work/SRC/openSUSE:Factory/.wpa_supplicant.new.1991/wpa_supplicant.changes  
2026-07-10 17:35:43.057655222 +0200
@@ -1,0 +2,20 @@
+Thu Jul  9 15:08:24 UTC 2026 - Clemens Famulla-Conrad <[email protected]>
+
+- Add Require-network_ctx-and-AKMP-match-for-accepting-PMK.patch
+  https://w1.fi/security/2026-2/
+- Add SAE-Fix-crash-due-to-NULL-pointer-dereference-in-H2E.patch
+  https://w1.fi/security/2026-3/
+
+-------------------------------------------------------------------
+Wed Jul  8 10:04:36 UTC 2026 - Clemens Famulla-Conrad <[email protected]>
+
+- Add CVE-2026-58374.patch: Missing multi-link parsing validation in
+  wpa_supplicant and hostapd (bsc#1269892)
+
+-------------------------------------------------------------------
+Wed Jul  8 02:01:21 UTC 2026 - Jonathan Kang <[email protected]>
+
+- Add wpa_supplicant_support_pem_encoded_chain.patch: OpenSSL:
+  Support PEM encoded chain from ca_cert blob (bsc#1258365).
+
+-------------------------------------------------------------------

New:
----
  CVE-2026-58374.patch
  Require-network_ctx-and-AKMP-match-for-accepting-PMK.patch
  SAE-Fix-crash-due-to-NULL-pointer-dereference-in-H2E.patch
  wpa_supplicant_support_pem_encoded_chain.patch

----------(New B)----------
  New:
- Add CVE-2026-58374.patch: Missing multi-link parsing validation in
  wpa_supplicant and hostapd (bsc#1269892)
  New:
- Add Require-network_ctx-and-AKMP-match-for-accepting-PMK.patch
  https://w1.fi/security/2026-2/
  New:  https://w1.fi/security/2026-2/
- Add SAE-Fix-crash-due-to-NULL-pointer-dereference-in-H2E.patch
  https://w1.fi/security/2026-3/
  New:
- Add wpa_supplicant_support_pem_encoded_chain.patch: OpenSSL:
  Support PEM encoded chain from ca_cert blob (bsc#1258365).
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ wpa_supplicant.spec ++++++
--- /var/tmp/diff_new_pack.SR6r6s/_old  2026-07-10 17:35:46.505773205 +0200
+++ /var/tmp/diff_new_pack.SR6r6s/_new  2026-07-10 17:35:46.509773342 +0200
@@ -43,6 +43,14 @@
 Patch7:         CVE-2025-24912.patch
 # PATCH-FIX-UPSTREAM 
https://w1.fi/cgit/hostap/commit/?id=2ed9806275f9ae37545ca30d9bcce1e94fba1d97
 Patch8:         0001-wpa_gui-Port-to-Qt6.patch
+# PATCH-FIX-UPSTREAM bsc#1258365, 
https://git.w1.fi/cgit/hostap/commit/?id=9bb25b01fe843924113883a93236d43bb77d4cb1
+Patch9:         wpa_supplicant_support_pem_encoded_chain.patch
+# PATCH-FIX-UPSTREAM CVE-2026-58374, bsc#1269892 Missing multi-link parsing 
validation
+Patch10:        CVE-2026-58374.patch
+# PATCH-FIX-UPSTREAM https://w1.fi/security/2026-2/
+Patch11:        Require-network_ctx-and-AKMP-match-for-accepting-PMK.patch
+# PATCH-FIX-UPSTREAM https://w1.fi/security/2026-3/
+Patch12:        SAE-Fix-crash-due-to-NULL-pointer-dereference-in-H2E.patch
 BuildRequires:  pkgconfig
 BuildRequires:  readline-devel
 BuildRequires:  systemd-rpm-macros

++++++ CVE-2026-58374.patch ++++++
>From 00d121cd31b70654f47fc63811bbc7ec9da06240 Mon Sep 17 00:00:00 2001
From: Clemens Famulla-Conrad <[email protected]>
Date: Tue, 7 Jul 2026 12:21:36 +0200
Subject: [PATCH] CVE-2026-58374 Missing multi-link parsing validation

Combined patch for CVE-2026-58374 bsc#1269892

https://w1.fi/security/2026-1/

0001-AP-MLD-Fix-link-ID-validation-in-Basic-MLE-parsing.patch
0002-BSS-Add-bounds-check-for-link_id-in-Basic-MLE-parsin.patch
0003-MLD-Validate-MLE-Link-ID-fields-in-association-rejec.patch
0004-AP-MLD-Verify-AP-MLD-link-ID-validity-before-updatin.patch
0005-MLD-Fix-length-check-in-common-info-for-association-.patch
---
 src/ap/beacon.c         |    5 ++++-
 src/ap/ieee802_11_eht.c |   10 ++++++++--
 wpa_supplicant/bss.c    |    5 +++++
 wpa_supplicant/events.c |   18 +++++++++++++++++-
 4 files changed, 34 insertions(+), 4 deletions(-)

--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -1305,6 +1305,7 @@
        for_each_element_id(sub, 0, pos, len) {
                const struct ieee80211_eht_per_sta_profile *sta;
                u16 sta_control;
+               u8 link_id;
 
                if (*links == 0xffff)
                        *links = 0;
@@ -1324,7 +1325,9 @@
                 * partial profile was requested.
                 */
                sta_control = le_to_host16(sta->sta_control);
-               *links |= BIT(sta_control & EHT_PER_STA_CTRL_LINK_ID_MSK);
+               link_id = sta_control & BASIC_MLE_STA_CTRL_LINK_ID_MASK;
+               if (link_id < MAX_NUM_MLD_LINKS)
+                       *links |= BIT(link_id);
        }
 
        if (!for_each_element_completed(sub, pos, len)) {
--- a/src/ap/ieee802_11_eht.c
+++ b/src/ap/ieee802_11_eht.c
@@ -1262,6 +1262,7 @@
                size_t sub_elem_len = *(pos + 1);
                size_t sta_info_len;
                u16 control;
+               u8 link_id;
 
                wpa_printf(MSG_DEBUG, "MLD: sub element len=%zu",
                           sub_elem_len);
@@ -1302,8 +1303,13 @@
                        goto out;
                }
                control = WPA_GET_LE16(pos);
-               link_info = &info->links[control &
-                                        EHT_PER_STA_CTRL_LINK_ID_MSK];
+               link_id = control & BASIC_MLE_STA_CTRL_LINK_ID_MASK;
+               if (link_id >= MAX_NUM_MLD_LINKS) {
+                       wpa_printf(MSG_DEBUG,
+                                  "MLD: Invalid Link ID in Per-STA Profile 
subelement");
+                       goto out;
+               }
+               link_info = &info->links[link_id];
                pos += 2;
                ml_len -= 2;
                sub_elem_len -= 2;
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -1710,6 +1710,11 @@
                          ETH_ALEN);
 
        link_id = ml_basic_common_info->variable[0] & EHT_ML_LINK_ID_MSK;
+       if (link_id >= MAX_NUM_MLD_LINKS) {
+               wpa_printf(MSG_DEBUG, "MLD: Invalid link ID %u in Basic MLE",
+                          link_id);
+               goto out;
+       }
 
        bss->mld_link_id = link_id;
        seen = bss->valid_links = BIT(link_id);
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3852,6 +3852,13 @@
                goto out;
        }
 
+       if (sizeof(*ml) + common_info->len > ml_len) {
+               wpa_printf(MSG_DEBUG,
+                          "MLD: Truncated common info (common_info->len=%u 
ml_len=%zu)",
+                          common_info->len, ml_len);
+               goto out;
+       }
+
        wpa_printf(MSG_DEBUG, "MLD: address: " MACSTR,
                   MAC2STR(common_info->mld_addr));
 
@@ -3864,7 +3871,12 @@
        pos = common_info->variable;
 
        /* Store the information for the association link */
-       ml_info[i].link_id = *pos;
+       ml_info[i].link_id = *pos & EHT_ML_LINK_ID_MSK;
+       if (ml_info[i].link_id >= MAX_NUM_MLD_LINKS) {
+               wpa_printf(MSG_DEBUG,
+                          "MLD: Invalid Link ID value for assoc link");
+               goto out;
+       }
        pos++;
 
        /* Skip the BSS Parameters Change Count */
@@ -3999,6 +4011,10 @@
                           MAC2STR(pos + 1), nstr_bitmap_len);
 
                ml_info[i].link_id = ctrl & EHT_PER_STA_CTRL_LINK_ID_MSK;
+               if (ml_info[i].link_id >= MAX_NUM_MLD_LINKS) {
+                       wpa_printf(MSG_DEBUG, "MLD: Invalid Link ID value");
+                       goto out;
+               }
                os_memcpy(ml_info[i].bssid, pos + 1, ETH_ALEN);
 
                pos += sta_info_len;

++++++ Require-network_ctx-and-AKMP-match-for-accepting-PMK.patch ++++++
>From de5e73a03c34d83568afb3183b2b28c8d7641a30 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <[email protected]>
Date: Mon, 6 Jul 2026 15:33:11 +0300
Subject: [PATCH] Require network_ctx and AKMP match for accepting PMKSA entry

When wpa_supplicant was processing EAPOL-Key msg 1/4 with a PMKID
indicated by the AP/Authenticator, a PMKSA for the same AA was accepted
without enforcing matching network_ctx (i.e., same network configuration
block) and AKMP. This could allow misbehaving APs to make wpa_supplicant
use an unacceptable PMKSA entry that was generated for a different
network for AKMP under certain conditions. This could result in showing
a connection to an incorrect network when an attacker has credentials to
one network in wpa_supplicant configuration, but not to another network.

Fix this by accepting the PMKID to set the PMKSA for an association only
if the PMKSA with the same PMKID is for the same network and was
generated using the same AKMP.

Signed-off-by: Jouni Malinen <[email protected]>
---
 src/rsn_supp/wpa.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -321,7 +321,7 @@
                 * matching PMKSA cache entry here. */
                sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr,
                                                sm->own_addr, pmkid,
-                                               NULL, 0);
+                                               sm->network_ctx, sm->key_mgmt);
                if (sm->cur_pmksa) {
                        wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
                                "RSN: found matching PMKID from PMKSA cache");

++++++ SAE-Fix-crash-due-to-NULL-pointer-dereference-in-H2E.patch ++++++
>From f12d55ff652ab2e367425c1392510d10d8b9f638 Mon Sep 17 00:00:00 2001
From: Jimi Chen <[email protected]>
Date: Thu, 21 May 2026 06:56:54 +0000
Subject: [PATCH] SAE: Fix crash due to NULL pointer dereference in H2E parsing

In H2E (Hash-to-Element) mode, sae_parse_commit() parses the optional
Anti-Clogging Token Container by calling sae_parse_token_container().

However, callers of sae_parse_commit() that do not require retrieving
the anti-clogging token (such as PASN initiator/responder and SME auth)
pass NULL for the token and token_len output arguments.

If the peer sends a Commit frame containing a valid Anti-Clogging
Token Container element, sae_parse_token_container() unconditionally
sets *token and *token_len, resulting in a NULL pointer dereference
(SIGSEGV) and crashing wpa_supplicant.

Fix this by adding NULL checks before writing to token and token_len.
Update the debug log to print the token directly using 'pos'.

Fixes: 5e32fb0170f4 ("SAE: Use Anti-Clogging Token Container element with H2E")
Signed-off-by: Amarnath Hullur Subramanyam <[email protected]>
---
 src/common/sae.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -1881,10 +1881,12 @@
                    pos, end - pos);
        if (!sae_is_token_container_elem(pos, end))
                return;
-       *token = pos + 3;
-       *token_len = pos[1] - 1;
+       if (token)
+               *token = pos + 3;
+       if (token_len)
+               *token_len = pos[1] - 1;
        wpa_hexdump(MSG_DEBUG, "SAE: Anti-Clogging Token (in container)",
-                   *token, *token_len);
+                   pos + 3, pos[1] - 1);
 }
 
 

++++++ wpa_supplicant_support_pem_encoded_chain.patch ++++++
>From 9bb25b01fe843924113883a93236d43bb77d4cb1 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <[email protected]>
Date: Fri, 19 Dec 2025 12:09:05 +0100
Subject: OpenSSL: Support PEM encoded chain from ca_cert blob

Support configuring a chain of certificates through a ca_cert blob.

Since the code to to add the certificate to the store is used in
multiple places in tls_connection_ca_cert(), extract it to a separate
function.

Signed-off-by: Beniamino Galvani <[email protected]>
---
 src/crypto/tls_openssl.c | 113 +++++++++++++++++++++++++++++++++--------------
 1 file changed, 79 insertions(+), 34 deletions(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 2f51b37ef..d6f254371 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2968,6 +2968,31 @@ static int tls_load_ca_der(struct tls_data *data, const 
char *ca_cert)
 #endif /* OPENSSL_NO_STDIO */
 
 
+static int tls_add_ca_cert(SSL_CTX *ssl_ctx, X509 *cert)
+{
+       unsigned long err;
+
+       if (X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx), cert) == 1)
+               return 0;
+
+       err = ERR_peek_error();
+
+       if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
+           ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+               ERR_get_error();
+               wpa_printf(MSG_DEBUG,
+                          "OpenSSL: %s - ignoring cert already in hash table 
error",
+                          __func__);
+               return 0;
+       }
+
+       tls_show_errors(MSG_WARNING, __func__,
+                       "Failed to add ca_cert_blob to certificate store");
+
+       return -1;
+}
+
+
 static int tls_connection_ca_cert(struct tls_data *data,
                                  struct tls_connection *conn,
                                  const char *ca_cert, const u8 *ca_cert_blob,
@@ -3030,49 +3055,69 @@ static int tls_connection_ca_cert(struct tls_data *data,
        }
 
        if (ca_cert_blob) {
-               X509 *cert = d2i_X509(NULL,
-                                     (const unsigned char **) &ca_cert_blob,
-                                     ca_cert_blob_len);
-               if (cert == NULL) {
-                       BIO *bio = BIO_new_mem_buf(ca_cert_blob,
-                                                  ca_cert_blob_len);
-
-                       if (bio) {
-                               cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
-                               BIO_free(bio);
-                       }
+               unsigned long err;
+               X509 *cert;
+               int count;
+               BIO *bio;
 
-                       if (!cert) {
-                               tls_show_errors(MSG_WARNING, __func__,
-                                               "Failed to parse ca_cert_blob");
+               cert = d2i_X509(NULL,
+                               (const unsigned char **) &ca_cert_blob,
+                               ca_cert_blob_len);
+               if (cert) {
+                       if (tls_add_ca_cert(ssl_ctx, cert) < 0) {
+                               X509_free(cert);
                                return -1;
                        }
 
-                       while (ERR_get_error()) {
-                               /* Ignore errors from DER conversion. */
-                       }
+                       wpa_printf(MSG_DEBUG,
+                                  "OpenSSL: %s - added ca_cert_blob to 
certificate store",
+                                  __func__);
+                       X509_free(cert);
+                       return 0;
                }
 
-               if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
-                                        cert)) {
-                       unsigned long err = ERR_peek_error();
-                       tls_show_errors(MSG_WARNING, __func__,
-                                       "Failed to add ca_cert_blob to "
-                                       "certificate store");
-                       if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
-                           ERR_GET_REASON(err) ==
-                           X509_R_CERT_ALREADY_IN_HASH_TABLE) {
-                               wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
-                                          "cert already in hash table error",
-                                          __func__);
-                       } else {
+               count = 0;
+               bio = BIO_new_mem_buf(ca_cert_blob, ca_cert_blob_len);
+               if (bio) {
+                       while ((cert = PEM_read_bio_X509(bio, NULL, NULL,
+                                                        NULL))) {
+                               if (count == 0) {
+                                       /* Ignore errors from DER conversion
+                                        * if we detect a certificate in PEM
+                                        * format. */
+                                       ERR_clear_error();
+                               }
+                               count++;
+                               if (tls_add_ca_cert(ssl_ctx, cert) < 0) {
+                                       X509_free(cert);
+                                       BIO_free(bio);
+                                       return -1;
+                               }
                                X509_free(cert);
-                               return -1;
                        }
+                       BIO_free(bio);
                }
-               X509_free(cert);
-               wpa_printf(MSG_DEBUG, "OpenSSL: %s - added ca_cert_blob "
-                          "to certificate store", __func__);
+
+               if (count == 0) {
+                       tls_show_errors(MSG_WARNING, __func__,
+                                       "Failed to parse ca_cert_blob");
+                       return -1;
+               }
+
+               /* When the loop ends successfully, it's because of EOF */
+               err = ERR_peek_last_error();
+               if (ERR_GET_LIB(err) != ERR_LIB_PEM ||
+                   ERR_GET_REASON(err) != PEM_R_NO_START_LINE) {
+                       tls_show_errors(MSG_WARNING, __func__,
+                                       "Failed to parse ca_cert_blob bundle");
+                       return -1;
+               }
+
+               ERR_clear_error();
+
+               wpa_printf(MSG_DEBUG,
+                          "OpenSSL: %s - added %d ca_cert_blob certificates to 
certificate store",
+                          __func__, count);
                return 0;
        }
 
-- 
cgit v1.2.3

Reply via email to