commit: 26f3af490963324c8f66f25ec281645368eb163b
Author: Bjarke Istrup Pedersen <gurligebis <AT> gentoo <DOT> org>
AuthorDate: Tue Jun 28 08:37:57 2016 +0000
Commit: Bjarke Istrup Pedersen <gurligebis <AT> gentoo <DOT> org>
CommitDate: Tue Jun 28 08:38:57 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26f3af49
net-wireless/wpa_supplicant: Bumping to 2.5-r2, adding several security fixes.
Package-Manager: portage-2.3.0
...-peer-Fix-last-fragment-length-validation.patch | 54 +++
...erver-Fix-last-fragment-length-validation.patch | 51 +++
...r-Fix-error-path-for-unexpected-Confirm-m.patch | 34 ++
...ject-a-Credential-with-invalid-passphrase.patch | 82 +++++
...parameter-set-with-invalid-passphrase-cha.patch | 51 +++
...ines-from-wpa_supplicant-config-network-o.patch | 82 +++++
...CRED-commands-with-newline-characters-in-.patch | 62 ++++
...commands-with-newline-characters-in-the-s.patch | 50 +++
.../wpa_supplicant/wpa_supplicant-2.5-r2.ebuild | 408 +++++++++++++++++++++
9 files changed, 874 insertions(+)
diff --git
a/net-wireless/wpa_supplicant/files/2015-7/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
b/net-wireless/wpa_supplicant/files/2015-7/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
new file mode 100644
index 0000000..82c2639
--- /dev/null
+++
b/net-wireless/wpa_supplicant/files/2015-7/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
@@ -0,0 +1,54 @@
+From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j...@w1.fi>
+Date: Sun, 1 Nov 2015 18:18:17 +0200
+Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
+
+All but the last fragment had their length checked against the remaining
+room in the reassembly buffer. This allowed a suitably constructed last
+fragment frame to try to add extra data that would go beyond the buffer.
+The length validation code in wpabuf_put_data() prevents an actual
+buffer write overflow from occurring, but this results in process
+termination. (CVE-2015-5315)
+
+Signed-off-by: Jouni Malinen <j...@w1.fi>
+---
+ src/eap_peer/eap_pwd.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 1f78544..75ceef1 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct
eap_method_ret *ret,
+ /*
+ * buffer and ACK the fragment
+ */
+- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
++ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ data->in_frag_pos += len;
+ if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
+ wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
+@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct
eap_method_ret *ret,
+ return NULL;
+ }
+ wpabuf_put_data(data->inbuf, pos, len);
+-
++ }
++ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
+ EAP_PWD_HDR_SIZE,
+ EAP_CODE_RESPONSE, eap_get_id(reqData));
+@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct
eap_method_ret *ret,
+ * we're buffering and this is the last fragment
+ */
+ if (data->in_frag_pos) {
+- wpabuf_put_data(data->inbuf, pos, len);
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+ (int) len);
+- data->in_frag_pos += len;
+ pos = wpabuf_head_u8(data->inbuf);
+ len = data->in_frag_pos;
+ }
+--
+1.9.1
+
diff --git
a/net-wireless/wpa_supplicant/files/2015-7/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
b/net-wireless/wpa_supplicant/files/2015-7/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
new file mode 100644
index 0000000..bfc4c74
--- /dev/null
+++
b/net-wireless/wpa_supplicant/files/2015-7/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch
@@ -0,0 +1,51 @@
+From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j...@w1.fi>
+Date: Sun, 1 Nov 2015 18:24:16 +0200
+Subject: [PATCH] EAP-pwd server: Fix last fragment length validation
+
+All but the last fragment had their length checked against the remaining
+room in the reassembly buffer. This allowed a suitably constructed last
+fragment frame to try to add extra data that would go beyond the buffer.
+The length validation code in wpabuf_put_data() prevents an actual
+buffer write overflow from occurring, but this results in process
+termination. (CVE-2015-5314)
+
+Signed-off-by: Jouni Malinen <j...@w1.fi>
+---
+ src/eap_server/eap_server_pwd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index cb83ff7..9f787ab 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ /*
+ * the first and all intermediate fragments have the M bit set
+ */
+- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
++ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
+ "attack detected! (%d+%d > %d)",
+@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ }
+ wpabuf_put_data(data->inbuf, pos, len);
+ data->in_frag_pos += len;
++ }
++ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
+ (int) len);
+ return;
+@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ * buffering fragments so that's how we know it's the last)
+ */
+ if (data->in_frag_pos) {
+- wpabuf_put_data(data->inbuf, pos, len);
+- data->in_frag_pos += len;
+ pos = wpabuf_head_u8(data->inbuf);
+ len = data->in_frag_pos;
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+--
+1.9.1
+
diff --git
a/net-wireless/wpa_supplicant/files/2015-8/0001-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch
b/net-wireless/wpa_supplicant/files/2015-8/0001-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch
new file mode 100644
index 0000000..3088f6a
--- /dev/null
+++
b/net-wireless/wpa_supplicant/files/2015-8/0001-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch
@@ -0,0 +1,34 @@
+From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j...@w1.fi>
+Date: Sun, 1 Nov 2015 19:35:44 +0200
+Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message
+
+If the Confirm message is received from the server before the Identity
+exchange has been completed, the group has not yet been determined and
+data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
+did not take this corner case into account and could end up
+dereferencing a NULL pointer and terminating the process if invalid
+message sequence is received. (CVE-2015-5316)
+
+Signed-off-by: Jouni Malinen <j...@w1.fi>
+---
+ src/eap_peer/eap_pwd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 75ceef1..892b590 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct
eap_pwd_data *data,
+ wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
+
+ fin:
+- bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
++ if (data->grp)
++ bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
+ BN_clear_free(x);
+ BN_clear_free(y);
+ if (data->outbuf == NULL) {
+--
+1.9.1
+
diff --git
a/net-wireless/wpa_supplicant/files/2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
b/net-wireless/wpa_supplicant/files/2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
new file mode 100644
index 0000000..acad6be
--- /dev/null
+++
b/net-wireless/wpa_supplicant/files/2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
@@ -0,0 +1,82 @@
+From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jo...@qca.qualcomm.com>
+Date: Fri, 4 Mar 2016 17:20:18 +0200
+Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
+
+WPA/WPA2-Personal passphrase is not allowed to include control
+characters. Reject a Credential received from a WPS Registrar both as
+STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
+WPA2PSK authentication type and includes an invalid passphrase.
+
+This fixes an issue where hostapd or wpa_supplicant could have updated
+the configuration file PSK/passphrase parameter with arbitrary data from
+an external device (Registrar) that may not be fully trusted. Should
+such data include a newline character, the resulting configuration file
+could become invalid and fail to be parsed.
+
+Signed-off-by: Jouni Malinen <jo...@qca.qualcomm.com>
+---
+ src/utils/common.c | 12 ++++++++++++
+ src/utils/common.h | 1 +
+ src/wps/wps_attr_process.c | 10 ++++++++++
+ 3 files changed, 23 insertions(+)
+
+diff --git a/src/utils/common.c b/src/utils/common.c
+index 450e2c6..27b7c02 100644
+--- a/src/utils/common.c
++++ b/src/utils/common.c
+@@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len)
+ }
+
+
++int has_ctrl_char(const u8 *data, size_t len)
++{
++ size_t i;
++
++ for (i = 0; i < len; i++) {
++ if (data[i] < 32 || data[i] == 127)
++ return 1;
++ }
++ return 0;
++}
++
++
+ size_t merge_byte_arrays(u8 *res, size_t res_len,
+ const u8 *src1, size_t src1_len,
+ const u8 *src2, size_t src2_len)
+diff --git a/src/utils/common.h b/src/utils/common.h
+index 701dbb2..a972240 100644
+--- a/src/utils/common.h
++++ b/src/utils/common.h
+@@ -488,6 +488,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
+
+ char * wpa_config_parse_string(const char *value, size_t *len);
+ int is_hex(const u8 *data, size_t len);
++int has_ctrl_char(const u8 *data, size_t len);
+ size_t merge_byte_arrays(u8 *res, size_t res_len,
+ const u8 *src1, size_t src1_len,
+ const u8 *src2, size_t src2_len);
+diff --git a/src/wps/wps_attr_process.c b/src/wps/wps_attr_process.c
+index eadb22f..e8c4579 100644
+--- a/src/wps/wps_attr_process.c
++++ b/src/wps/wps_attr_process.c
+@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential
*cred)
+ cred->key_len--;
+ #endif /* CONFIG_WPS_STRICT */
+ }
++
++
++ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
++ (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
++ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid
WPA/WPA2-Personal passphrase");
++ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
++ cred->key, cred->key_len);
++ return -1;
++ }
++
+ return 0;
+ }
+
+--
+1.9.1
+
diff --git
a/net-wireless/wpa_supplicant/files/2016-1/0002-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
b/net-wireless/wpa_supplicant/files/2016-1/0002-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
new file mode 100644
index 0000000..507a96e
--- /dev/null
+++
b/net-wireless/wpa_supplicant/files/2016-1/0002-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
@@ -0,0 +1,51 @@
+From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jo...@qca.qualcomm.com>
+Date: Fri, 4 Mar 2016 18:46:41 +0200
+Subject: [PATCH 2/5] Reject psk parameter set with invalid passphrase
+ character
+
+WPA/WPA2-Personal passphrase is not allowed to include control
+characters. Reject a passphrase configuration attempt if that passphrase
+includes an invalid passphrase.
+
+This fixes an issue where wpa_supplicant could have updated the
+configuration file psk parameter with arbitrary data from the control
+interface or D-Bus interface. While those interfaces are supposed to be
+accessible only for trusted users/applications, it may be possible that
+an untrusted user has access to a management software component that
+does not validate the passphrase value before passing it to
+wpa_supplicant.
+
+This could allow such an untrusted user to inject up to 63 characters of
+almost arbitrary data into the configuration file. Such configuration
+file could result in wpa_supplicant trying to load a library (e.g.,
+opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
+load_dynamic_eap) from user controlled location when starting again.
+This would allow code from that library to be executed under the
+wpa_supplicant process privileges.
+
+Signed-off-by: Jouni Malinen <jo...@qca.qualcomm.com>
+---
+ wpa_supplicant/config.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
+index b1c7870..fdd9643 100644
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -478,6 +478,12 @@ static int wpa_config_parse_psk(const struct parse_data
*data,
+ }
+ wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
+ (u8 *) value, len);
++ if (has_ctrl_char((u8 *) value, len)) {
++ wpa_printf(MSG_ERROR,
++ "Line %d: Invalid passphrase character",
++ line);
++ return -1;
++ }
+ if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
+ os_memcmp(ssid->passphrase, value, len) == 0) {
+ /* No change to the previously configured value */
+--
+1.9.1
+
diff --git
a/net-wireless/wpa_supplicant/files/2016-1/0003-Remove-newlines-from-wpa_supplicant-config-network-o.patch
b/net-wireless/wpa_supplicant/files/2016-1/0003-Remove-newlines-from-wpa_supplicant-config-network-o.patch
new file mode 100644
index 0000000..684d25d
--- /dev/null
+++
b/net-wireless/wpa_supplicant/files/2016-1/0003-Remove-newlines-from-wpa_supplicant-config-network-o.patch
@@ -0,0 +1,82 @@
+From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
+From: Paul Stewart <ps...@google.com>
+Date: Thu, 3 Mar 2016 15:40:19 -0800
+Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network
+ output
+
+Spurious newlines output while writing the config file can corrupt the
+wpa_supplicant configuration. Avoid writing these for the network block
+parameters. This is a generic filter that cover cases that may not have
+been explicitly addressed with a more specific commit to avoid control
+characters in the psk parameter.
+
+Signed-off-by: Paul Stewart <ps...@google.com>
+---
+ src/utils/common.c | 11 +++++++++++
+ src/utils/common.h | 1 +
+ wpa_supplicant/config.c | 15 +++++++++++++--
+ 3 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/utils/common.c b/src/utils/common.c
+index 27b7c02..9856463 100644
+--- a/src/utils/common.c
++++ b/src/utils/common.c
+@@ -709,6 +709,17 @@ int has_ctrl_char(const u8 *data, size_t len)
+ }
+
+
++int has_newline(const char *str)
++{
++ while (*str) {
++ if (*str == '\n' || *str == '\r')
++ return 1;
++ str++;
++ }
++ return 0;
++}
++
++
+ size_t merge_byte_arrays(u8 *res, size_t res_len,
+ const u8 *src1, size_t src1_len,
+ const u8 *src2, size_t src2_len)
+diff --git a/src/utils/common.h b/src/utils/common.h
+index a972240..d19927b 100644
+--- a/src/utils/common.h
++++ b/src/utils/common.h
+@@ -489,6 +489,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
+ char * wpa_config_parse_string(const char *value, size_t *len);
+ int is_hex(const u8 *data, size_t len);
+ int has_ctrl_char(const u8 *data, size_t len);
++int has_newline(const char *str);
+ size_t merge_byte_arrays(u8 *res, size_t res_len,
+ const u8 *src1, size_t src1_len,
+ const u8 *src2, size_t src2_len);
+diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
+index fdd9643..eb97cd5 100644
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -2699,8 +2699,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const char
*var)
+
+ for (i = 0; i < NUM_SSID_FIELDS; i++) {
+ const struct parse_data *field = &ssid_fields[i];
+- if (os_strcmp(var, field->name) == 0)
+- return field->writer(field, ssid);
++ if (os_strcmp(var, field->name) == 0) {
++ char *ret = field->writer(field, ssid);
++
++ if (ret && has_newline(ret)) {
++ wpa_printf(MSG_ERROR,
++ "Found newline in value for %s; not
returning it",
++ var);
++ os_free(ret);
++ ret = NULL;
++ }
++
++ return ret;
++ }
+ }
+
+ return NULL;
+--
+1.9.1
+
diff --git
a/net-wireless/wpa_supplicant/files/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch
b/net-wireless/wpa_supplicant/files/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch
new file mode 100644
index 0000000..2dd38fe
--- /dev/null
+++
b/net-wireless/wpa_supplicant/files/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch
@@ -0,0 +1,62 @@
+From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jo...@qca.qualcomm.com>
+Date: Tue, 5 Apr 2016 23:33:10 +0300
+Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the
+ string values
+
+Most of the cred block parameters are written as strings without
+filtering and if there is an embedded newline character in the value,
+unexpected configuration file data might be written.
+
+This fixes an issue where wpa_supplicant could have updated the
+configuration file cred parameter with arbitrary data from the control
+interface or D-Bus interface. While those interfaces are supposed to be
+accessible only for trusted users/applications, it may be possible that
+an untrusted user has access to a management software component that
+does not validate the credential value before passing it to
+wpa_supplicant.
+
+This could allow such an untrusted user to inject almost arbitrary data
+into the configuration file. Such configuration file could result in
+wpa_supplicant trying to load a library (e.g., opensc_engine_path,
+pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
+controlled location when starting again. This would allow code from that
+library to be executed under the wpa_supplicant process privileges.
+
+Signed-off-by: Jouni Malinen <jo...@qca.qualcomm.com>
+---
+ wpa_supplicant/config.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
+index eb97cd5..69152ef 100644
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const
char *var,
+
+ if (os_strcmp(var, "password") == 0 &&
+ os_strncmp(value, "ext:", 4) == 0) {
++ if (has_newline(value))
++ return -1;
+ str_clear_free(cred->password);
+ cred->password = os_strdup(value);
+ cred->ext_password = 1;
+@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const
char *var,
+ }
+
+ val = wpa_config_parse_string(value, &len);
+- if (val == NULL) {
++ if (val == NULL ||
++ (os_strcmp(var, "excluded_ssid") != 0 &&
++ os_strcmp(var, "roaming_consortium") != 0 &&
++ os_strcmp(var, "required_roaming_consortium") != 0 &&
++ has_newline(val))) {
+ wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
+ "value '%s'.", line, var, value);
++ os_free(val);
+ return -1;
+ }
+
+--
+1.9.1
+
diff --git
a/net-wireless/wpa_supplicant/files/2016-1/0005-Reject-SET-commands-with-newline-characters-in-the-s.patch
b/net-wireless/wpa_supplicant/files/2016-1/0005-Reject-SET-commands-with-newline-characters-in-the-s.patch
new file mode 100644
index 0000000..5f42aa9
--- /dev/null
+++
b/net-wireless/wpa_supplicant/files/2016-1/0005-Reject-SET-commands-with-newline-characters-in-the-s.patch
@@ -0,0 +1,50 @@
+From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jo...@qca.qualcomm.com>
+Date: Tue, 5 Apr 2016 23:55:48 +0300
+Subject: [PATCH 5/5] Reject SET commands with newline characters in the
+ string values
+
+Many of the global configuration parameters are written as strings
+without filtering and if there is an embedded newline character in the
+value, unexpected configuration file data might be written.
+
+This fixes an issue where wpa_supplicant could have updated the
+configuration file global parameter with arbitrary data from the control
+interface or D-Bus interface. While those interfaces are supposed to be
+accessible only for trusted users/applications, it may be possible that
+an untrusted user has access to a management software component that
+does not validate the value of a parameter before passing it to
+wpa_supplicant.
+
+This could allow such an untrusted user to inject almost arbitrary data
+into the configuration file. Such configuration file could result in
+wpa_supplicant trying to load a library (e.g., opensc_engine_path,
+pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
+controlled location when starting again. This would allow code from that
+library to be executed under the wpa_supplicant process privileges.
+
+Signed-off-by: Jouni Malinen <jo...@qca.qualcomm.com>
+---
+ wpa_supplicant/config.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
+index 69152ef..d9a1603 100644
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct
global_parse_data *data,
+ return -1;
+ }
+
++ if (has_newline(pos)) {
++ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
++ line, data->name);
++ return -1;
++ }
++
+ tmp = os_strdup(pos);
+ if (tmp == NULL)
+ return -1;
+--
+1.9.1
+
diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.5-r2.ebuild
b/net-wireless/wpa_supplicant/wpa_supplicant-2.5-r2.ebuild
new file mode 100644
index 0000000..fd19716
--- /dev/null
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.5-r2.ebuild
@@ -0,0 +1,408 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils toolchain-funcs qt4-r2 qmake-utils systemd multilib
+
+DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers"
+HOMEPAGE="http://hostap.epitest.fi/wpa_supplicant/";
+SRC_URI="http://hostap.epitest.fi/releases/${P}.tar.gz";
+LICENSE="|| ( GPL-2 BSD )"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86
~x86-fbsd"
+IUSE="ap dbus gnutls eap-sim fasteap +hs2-0 libressl p2p ps3 qt4 qt5 readline
selinux smartcard ssl tdls uncommon-eap-types wimax wps kernel_linux
kernel_FreeBSD"
+REQUIRED_USE="fasteap? ( !gnutls !ssl ) smartcard? ( ssl ) ?? ( qt4 qt5 )"
+
+CDEPEND="dbus? ( sys-apps/dbus )
+ kernel_linux? (
+ eap-sim? ( sys-apps/pcsc-lite )
+ dev-libs/libnl:3
+ net-wireless/crda
+ )
+ !kernel_linux? ( net-libs/libpcap )
+ qt4? (
+ dev-qt/qtcore:4
+ dev-qt/qtgui:4
+ dev-qt/qtsvg:4
+ )
+ qt5? (
+ dev-qt/qtcore:5
+ dev-qt/qtgui:5
+ dev-qt/qtwidgets:5
+ dev-qt/qtsvg:5
+ )
+ readline? (
+ sys-libs/ncurses:0=
+ sys-libs/readline:0
+ )
+ ssl? (
+ !libressl? ( dev-libs/openssl:0 )
+ libressl? ( dev-libs/libressl )
+ )
+ !ssl? (
+ gnutls? (
+ net-libs/gnutls
+ dev-libs/libgcrypt:*
+ )
+ !gnutls? ( dev-libs/libtommath )
+ )
+"
+DEPEND="${CDEPEND}
+ virtual/pkgconfig
+"
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-networkmanager )
+"
+
+S="${WORKDIR}/${P}/${PN}"
+
+Kconfig_style_config() {
+ #param 1 is CONFIG_* item
+ #param 2 is what to set it = to, defaulting in y
+ CONFIG_PARAM="${CONFIG_HEADER:-CONFIG_}$1"
+ setting="${2:-y}"
+
+ if [ ! $setting = n ]; then
+ #first remove any leading "# " if $2 is not n
+ sed -i "/^# *$CONFIG_PARAM=/s/^# *//" .config || echo
"Kconfig_style_config error uncommenting $CONFIG_PARAM"
+ #set item = $setting (defaulting to y)
+ sed -i "/^$CONFIG_PARAM/s/=.*/=$setting/" .config ||
echo "Kconfig_style_config error setting $CONFIG_PARAM=$setting"
+ else
+ #ensure item commented out
+ sed -i "/^$CONFIG_PARAM/s/$CONFIG_PARAM/#
$CONFIG_PARAM/" .config || echo "Kconfig_style_config error commenting
$CONFIG_PARAM"
+ fi
+}
+
+pkg_setup() {
+ if use gnutls && use ssl ; then
+ elog "You have both 'gnutls' and 'ssl' USE flags enabled:
defaulting to USE=\"ssl\""
+ fi
+}
+
+src_prepare() {
+ # net/bpf.h needed for net-libs/libpcap on Gentoo/FreeBSD
+ sed -i \
+ -e "s:\(#include <pcap\.h>\):#include <net/bpf.h>\n\1:" \
+ ../src/l2_packet/l2_packet_freebsd.c || die
+
+ # People seem to take the example configuration file too literally (bug
#102361)
+ sed -i \
+ -e "s:^\(opensc_engine_path\):#\1:" \
+ -e "s:^\(pkcs11_engine_path\):#\1:" \
+ -e "s:^\(pkcs11_module_path\):#\1:" \
+ wpa_supplicant.conf || die
+
+ # Change configuration to match Gentoo locations (bug #143750)
+ sed -i \
+ -e "s:/usr/lib/opensc:/usr/$(get_libdir):" \
+ -e "s:/usr/lib/pkcs11:/usr/$(get_libdir):" \
+ wpa_supplicant.conf || die
+
+ #if use dbus; then
+ # epatch "${FILESDIR}/${P}-dbus-path-fix.patch"
+ #fi
+
+ # systemd entries to D-Bus service files (bug #372877)
+ echo 'SystemdService=wpa_supplicant.service' \
+ | tee -a dbus/*.service >/dev/null || die
+
+ cd "${WORKDIR}/${P}"
+
+ if use wimax; then
+ # generate-libeap-peer.patch comes before
+ # fix-undefined-reference-to-random_get_bytes.patch
+ epatch "${FILESDIR}/${P}-generate-libeap-peer.patch"
+
+ # multilib-strict fix (bug #373685)
+ sed -e "s/\/usr\/lib/\/usr\/$(get_libdir)/" -i
src/eap_peer/Makefile
+ fi
+
+ # bug (320097)
+ epatch
"${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch"
+
+ # TODO - NEED TESTING TO SEE IF STILL NEEDED, NOT COMPATIBLE WITH 1.0
OUT OF THE BOX,
+ # SO WOULD BE NICE TO JUST DROP IT, IF IT IS NOT NEEDED.
+ # bug (374089)
+ #epatch "${FILESDIR}/${P}-dbus-WPAIE-fix.patch"
+
+ # bug (565270)
+ epatch "${FILESDIR}/${P}-libressl.patch"
+
+ # Security patches
+ epatch
"${FILESDIR}/2015-7/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch"
+ epatch
"${FILESDIR}/2015-7/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch"
+ epatch
"${FILESDIR}/2015-8/0001-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch"
+ epatch
"${FILESDIR}/2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch"
+ epatch
"${FILESDIR}/2016-1/0002-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch"
+ epatch
"${FILESDIR}/2016-1/0003-Remove-newlines-from-wpa_supplicant-config-network-o.patch"
+ epatch
"${FILESDIR}/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch"
+ epatch
"${FILESDIR}/2016-1/0005-Reject-SET-commands-with-newline-characters-in-the-s.patch"
+}
+
+src_configure() {
+ # Toolchain setup
+ tc-export CC
+
+ cp defconfig .config
+
+ # Basic setup
+ Kconfig_style_config CTRL_IFACE
+ Kconfig_style_config BACKEND file
+ Kconfig_style_config IBSS_RSN
+ Kconfig_style_config IEEE80211W
+ Kconfig_style_config IEEE80211R
+
+ # Basic authentication methods
+ # NOTE: we don't set GPSK or SAKE as they conflict
+ # with the below options
+ Kconfig_style_config EAP_GTC
+ Kconfig_style_config EAP_MD5
+ Kconfig_style_config EAP_OTP
+ Kconfig_style_config EAP_PAX
+ Kconfig_style_config EAP_PSK
+ Kconfig_style_config EAP_TLV
+ Kconfig_style_config EAP_EXE
+ Kconfig_style_config IEEE8021X_EAPOL
+ Kconfig_style_config PKCS12
+ Kconfig_style_config PEERKEY
+ Kconfig_style_config EAP_LEAP
+ Kconfig_style_config EAP_MSCHAPV2
+ Kconfig_style_config EAP_PEAP
+ Kconfig_style_config EAP_TLS
+ Kconfig_style_config EAP_TTLS
+
+ # Enabling background scanning.
+ Kconfig_style_config BGSCAN_SIMPLE
+ Kconfig_style_config BGSCAN_LEARN
+
+ # Enabling mesh networks.
+ Kconfig_style_config MESH
+
+ if use dbus ; then
+ Kconfig_style_config CTRL_IFACE_DBUS
+ Kconfig_style_config CTRL_IFACE_DBUS_NEW
+ Kconfig_style_config CTRL_IFACE_DBUS_INTRO
+ fi
+
+ # Enable support for writing debug info to a log file and syslog.
+ Kconfig_style_config DEBUG_FILE
+ Kconfig_style_config DEBUG_SYSLOG
+
+ if use hs2-0 ; then
+ Kconfig_style_config INTERWORKING
+ Kconfig_style_config HS20
+ fi
+
+ if use uncommon-eap-types; then
+ Kconfig_style_config EAP_GPSK
+ Kconfig_style_config EAP_SAKE
+ Kconfig_style_config EAP_GPSK_SHA256
+ Kconfig_style_config EAP_IKEV2
+ Kconfig_style_config EAP_EKE
+ fi
+
+ if use eap-sim ; then
+ # Smart card authentication
+ Kconfig_style_config EAP_SIM
+ Kconfig_style_config EAP_AKA
+ Kconfig_style_config EAP_AKA_PRIME
+ Kconfig_style_config PCSC
+ fi
+
+ if use fasteap ; then
+ Kconfig_style_config EAP_FAST
+ fi
+
+ if use readline ; then
+ # readline/history support for wpa_cli
+ Kconfig_style_config READLINE
+ else
+ #internal line edit mode for wpa_cli
+ Kconfig_style_config WPA_CLI_EDIT
+ fi
+
+ # SSL authentication methods
+ if use ssl ; then
+ Kconfig_style_config TLS openssl
+ elif use gnutls ; then
+ Kconfig_style_config TLS gnutls
+ Kconfig_style_config GNUTLS_EXTRA
+ else
+ Kconfig_style_config TLS internal
+ fi
+
+ if use smartcard ; then
+ Kconfig_style_config SMARTCARD
+ fi
+
+ if use tdls ; then
+ Kconfig_style_config TDLS
+ fi
+
+ if use kernel_linux ; then
+ # Linux specific drivers
+ Kconfig_style_config DRIVER_ATMEL
+ Kconfig_style_config DRIVER_HOSTAP
+ Kconfig_style_config DRIVER_IPW
+ Kconfig_style_config DRIVER_NL80211
+ Kconfig_style_config DRIVER_RALINK
+ Kconfig_style_config DRIVER_WEXT
+ Kconfig_style_config DRIVER_WIRED
+
+ if use ps3 ; then
+ Kconfig_style_config DRIVER_PS3
+ fi
+
+ elif use kernel_FreeBSD ; then
+ # FreeBSD specific driver
+ Kconfig_style_config DRIVER_BSD
+ fi
+
+ # Wi-Fi Protected Setup (WPS)
+ if use wps ; then
+ Kconfig_style_config WPS
+ Kconfig_style_config WPS2
+ # USB Flash Drive
+ Kconfig_style_config WPS_UFD
+ # External Registrar
+ Kconfig_style_config WPS_ER
+ # Universal Plug'n'Play
+ Kconfig_style_config WPS_UPNP
+ # Near Field Communication
+ Kconfig_style_config WPS_NFC
+ fi
+
+ # Wi-Fi Direct (WiDi)
+ if use p2p ; then
+ Kconfig_style_config P2P
+ Kconfig_style_config WIFI_DISPLAY
+ fi
+
+ # Access Point Mode
+ if use ap ; then
+ Kconfig_style_config AP
+ fi
+
+ # Enable mitigation against certain attacks against TKIP
+ Kconfig_style_config DELAYED_MIC_ERROR_REPORT
+
+ # If we are using libnl 2.0 and above, enable support for it
+ # Bug 382159
+ # Removed for now, since the 3.2 version is broken, and we don't
+ # support it.
+ if has_version ">=dev-libs/libnl-3.2"; then
+ Kconfig_style_config LIBNL32
+ fi
+
+ if use qt4 ; then
+ pushd "${S}"/wpa_gui-qt4 > /dev/null
+ eqmake4 wpa_gui.pro
+ popd > /dev/null
+ fi
+ if use qt5 ; then
+ pushd "${S}"/wpa_gui-qt4 > /dev/null
+ eqmake5 wpa_gui.pro
+ popd > /dev/null
+ fi
+}
+
+src_compile() {
+ einfo "Building wpa_supplicant"
+ emake V=1 BINDIR=/usr/sbin
+
+ if use wimax; then
+ emake -C ../src/eap_peer clean
+ emake -C ../src/eap_peer
+ fi
+
+ if use qt4 || use qt5; then
+ pushd "${S}"/wpa_gui-qt4 > /dev/null
+ einfo "Building wpa_gui"
+ emake
+ popd > /dev/null
+ fi
+}
+
+src_install() {
+ dosbin wpa_supplicant
+ dobin wpa_cli wpa_passphrase
+
+ # baselayout-1 compat
+ if has_version "<sys-apps/baselayout-2.0.0"; then
+ dodir /sbin
+ dosym /usr/sbin/wpa_supplicant /sbin/wpa_supplicant
+ dodir /bin
+ dosym /usr/bin/wpa_cli /bin/wpa_cli
+ fi
+
+ if has_version ">=sys-apps/openrc-0.5.0"; then
+ newinitd "${FILESDIR}/${PN}-init.d" wpa_supplicant
+ newconfd "${FILESDIR}/${PN}-conf.d" wpa_supplicant
+ fi
+
+ exeinto /etc/wpa_supplicant/
+ newexe "${FILESDIR}/wpa_cli.sh" wpa_cli.sh
+
+ dodoc ChangeLog {eap_testing,todo}.txt README{,-WPS} \
+ wpa_supplicant.conf
+
+ newdoc .config build-config
+
+ doman doc/docbook/*.{5,8}
+
+ if use qt4 || use qt5 ; then
+ into /usr
+ dobin wpa_gui-qt4/wpa_gui
+ doicon wpa_gui-qt4/icons/wpa_gui.svg
+ make_desktop_entry wpa_gui "WPA Supplicant Administration GUI"
"wpa_gui" "Qt;Network;"
+ fi
+
+ use wimax && emake DESTDIR="${D}" -C ../src/eap_peer install
+
+ if use dbus ; then
+ pushd "${S}"/dbus > /dev/null
+ insinto /etc/dbus-1/system.d
+ newins dbus-wpa_supplicant.conf wpa_supplicant.conf
+ insinto /usr/share/dbus-1/system-services
+ doins fi.epitest.hostap.WPASupplicant.service
fi.w1.wpa_supplicant1.service
+ popd > /dev/null
+
+ # This unit relies on dbus support, bug 538600.
+ systemd_dounit systemd/wpa_supplicant.service
+ fi
+
+ systemd_dounit "systemd/wpa_supplicant@.service"
+ systemd_dounit "systemd/wpa_supplicant-nl80211@.service"
+ systemd_dounit "systemd/wpa_supplicant-wired@.service"
+}
+
+pkg_postinst() {
+ elog "If this is a clean installation of wpa_supplicant, you"
+ elog "have to create a configuration file named"
+ elog "/etc/wpa_supplicant/wpa_supplicant.conf"
+ elog
+ elog "An example configuration file is available for reference in"
+ elog "/usr/share/doc/${PF}/"
+
+ if [[ -e ${ROOT}etc/wpa_supplicant.conf ]] ; then
+ echo
+ ewarn "WARNING: your old configuration file
${ROOT}etc/wpa_supplicant.conf"
+ ewarn "needs to be moved to
${ROOT}etc/wpa_supplicant/wpa_supplicant.conf"
+ fi
+
+ # Mea culpa, feel free to remove that after some time --mgorny.
+ local fn
+ for fn in wpa_supplicant{,@wlan0}.service; do
+ if [[ -e
"${ROOT}"/etc/systemd/system/network.target.wants/${fn} ]]
+ then
+ ebegin "Moving ${fn} to multi-user.target"
+ mv
"${ROOT}"/etc/systemd/system/network.target.wants/${fn} \
+
"${ROOT}"/etc/systemd/system/multi-user.target.wants/
+ eend ${?} \
+ "Please try to re-enable ${fn}"
+ fi
+ done
+}
