Source: wpa
Version: 2.3-1
Severity: grave
Tags: security upstream patch
Justification: user security hole

Hi,

the following vulnerability was published for wpa.

CVE-2015-1863[0]:
| P2P SSID processing vulnerability:
|
| A vulnerability was found in how wpa_supplicant uses SSID information
| parsed from management frames that create or update P2P peer entries
| (e.g., Probe Response frame or number of P2P Public Action frames). SSID
| field has valid length range of 0-32 octets. However, it is transmitted
| in an element that has a 8-bit length field and potential maximum
| payload length of 255 octets. wpa_supplicant was not sufficiently
| verifying the payload length on one of the code paths using the SSID
| received from a peer device.
|
| This can result in copying arbitrary data from an attacker to a fixed
| length buffer of 32 bytes (i.e., a possible overflow of up to 223
| bytes). The SSID buffer is within struct p2p_device that is allocated
| from heap. The overflow can override couple of variables in the struct,
| including a pointer that gets freed. In addition about 150 bytes (the
| exact length depending on architecture) can be written beyond the end of
| the heap allocation.
|
| This could result in corrupted state in heap, unexpected program
| behavior due to corrupted P2P peer device information, denial of service
| due to wpa_supplicant process crash, exposure of memory contents during
| GO Negotiation, and potentially arbitrary code execution.
|
| Vulnerable versions/configurations
|
| wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled
|
| Attacker (or a system controlled by the attacker) needs to be within
| radio range of the vulnerable system to send a suitably constructed
| management frame that triggers a P2P peer device information to be
| created or updated.
|
| The vulnerability is easiest to exploit while the device has started an
| active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
| interface command in progress). However, it may be possible, though
| significantly more difficult, to trigger this even without any active
| P2P operation in progress.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-1863
[1] http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt
[2] http://w1.fi/security/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch

Regards,
Salvatore
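The length check the advisory describes, as an added C example that is neither wpa_supplicant's code nor the upstream patch: a minimal 802.11 element walker that rejects an SSID element longer than 32 octets before copying it into the fixed-size buffer. struct peer_entry, find_ssid_ie, peer_set_ssid_from_ies and the SAMPLE_* arrays are hypothetical constructions for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define SSID_MAX_LEN 32   /* valid SSID range is 0-32 octets */
#define WLAN_EID_SSID 0   /* 802.11 element id for SSID */

/* Hypothetical peer entry shaped as the advisory describes: a fixed 32-byte
 * SSID buffer followed by other fields, including a pointer. */
struct peer_entry {
    uint8_t ssid[SSID_MAX_LEN];
    size_t ssid_len;
    void *freed_later;     /* stands in for the pointer that gets freed */
};

/* Walk id/len/value elements; return the SSID body or NULL if absent/malformed. */
static const uint8_t *find_ssid_ie(const uint8_t *ies, size_t ies_len, size_t *len)
{
    size_t pos = 0;
    while (pos + 2 <= ies_len) {
        uint8_t id = ies[pos], elen = ies[pos + 1];
        if (pos + 2 + elen > ies_len)
            return NULL;   /* element claims more bytes than the frame holds */
        if (id == WLAN_EID_SSID) {
            *len = elen;
            return ies + pos + 2;
        }
        pos += 2 + elen;
    }
    return NULL;
}

/* Hardened update: the 8-bit length field allows up to 255 octets, so bound it
 * by the 32-byte buffer before memcpy. Returns 0 on success, -1 on rejection. */
int peer_set_ssid_from_ies(struct peer_entry *dev, const uint8_t *ies, size_t ies_len)
{
    size_t len;
    const uint8_t *ssid = find_ssid_ie(ies, ies_len, &len);
    if (!ssid || len > SSID_MAX_LEN)
        return -1;         /* this is the check the vulnerable path lacked */
    memcpy(dev->ssid, ssid, len);
    dev->ssid_len = len;
    return 0;
}

/* Constructed samples (not captured traffic): a 5-octet SSID, an element whose
 * length byte claims 40 octets, and one whose claimed length exceeds the frame. */
const uint8_t SAMPLE_OK[] = { WLAN_EID_SSID, 5, 'h', 'e', 'l', 'l', 'o' };
const uint8_t SAMPLE_OVERSIZED[2 + 40] = { WLAN_EID_SSID, 40, 'A' };
const uint8_t SAMPLE_TRUNCATED[] = { WLAN_EID_SSID, 10, 'a', 'b' };
struct peer_entry demo_dev;
```

Both malformed samples are rejected before any byte reaches the buffer, so demo_dev keeps the previously accepted SSID.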