Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian....@packages.debian.org
Usertags: pu


[ Reason ]
CVE-2022-37660

[ Impact ]
security problem low

[ Tests ]
no but patch is straight forward


[ Risks ]
Low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Fix CVE-2022-37660: the PKEX code remains active even after a successful PKEX
association. An attacker that successfully bootstrapped public keys with
another entity using PKEX in the past, will be able to subvert a future
bootstrapping by passively observing public keys, re-using the encrypting
element Qi and subtracting it from the captured message M (X = M - Qi). This
will result in the public ephemeral key X; the only element required to 
subvert
the PKEX association


[ Other info ]
No
diff -Nru wpa-2.10/debian/changelog wpa-2.10/debian/changelog
--- wpa-2.10/debian/changelog	2024-08-05 21:07:00.000000000 +0200
+++ wpa-2.10/debian/changelog	2025-04-11 16:29:46.000000000 +0200
@@ -1,3 +1,20 @@
+wpa (2:2.10-12+deb12u3) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * debian/patches/CVE-2022-37660.patch: Add hostapd_dpp_pkex_clear_code()
+    and wpas_dpp_pkex_clear_code(), and clear code reusage in
+    ./src/ap/dpp_hostapd.c and ./wpa_supplicant/dpp_supplicant.c
+  * Fix CVE-2022-37660: the PKEX code remains active even after
+    a successful PKEX association. An attacker that successfully
+    bootstrapped public keys with another entity using PKEX in
+    the past, will be able to subvert a future bootstrapping by
+    passively observing public keys, re-using the encrypting
+    element Qi and subtracting it from the captured message
+    M (X = M - Qi). This will result in the public ephemeral
+    key X; the only element required to subvert the PKEX association
+
+ -- Bastien Roucariès <ro...@debian.org>  Fri, 11 Apr 2025 16:29:46 +0200
+
 wpa (2:2.10-12+deb12u2) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru wpa-2.10/debian/patches/CVE-2022-37660.patch wpa-2.10/debian/patches/CVE-2022-37660.patch
--- wpa-2.10/debian/patches/CVE-2022-37660.patch	1970-01-01 01:00:00.000000000 +0100
+++ wpa-2.10/debian/patches/CVE-2022-37660.patch	2025-04-11 16:29:46.000000000 +0200
@@ -0,0 +1,117 @@
+From 15af83cf1846870873a011ed4d714732f01cd2e4 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jo...@quicinc.com>
+Date: Tue, 19 Jul 2022 21:23:04 +0300
+Subject: DPP: Delete PKEX code and identifier on success completion of PKEX
+
+We are not supposed to reuse these without being explicitly requested to
+perform PKEX again. There is not a strong use case for being able to
+provision an Enrollee multiple times with PKEX, so this should have no
+issues on the Enrollee. For a Configurator, there might be some use
+cases that would benefit from being able to use the same code with
+multiple Enrollee devices, e.g., for guess access with a laptop and a
+smart phone. That case will now require a new DPP_PKEX_ADD command on
+the Configurator after each completion of the provisioning exchange.
+
+Signed-off-by: Jouni Malinen <quic_jo...@quicinc.com>
+
+[hostapd_dpp_pkex_done() in dpp_hostapd.c and wpas_dpp_pkex_done() in
+dpp_supplicant.c were introduced in 2.11 --Hlib Korzhynskyy]
+
+Origin: backport, 15af83cf1846870873a011ed4d714732f01cd2e4
+---
+ src/ap/dpp_hostapd.c            | 22 +++++++++++++++++++++-
+ wpa_supplicant/dpp_supplicant.c | 21 ++++++++++++++++++++-
+ 2 files changed, 41 insertions(+), 2 deletions(-)
+
+--- a/src/ap/dpp_hostapd.c
++++ b/src/ap/dpp_hostapd.c
+@@ -216,6 +216,22 @@ static void hostapd_dpp_auth_resp_retry(
+ }
+ 
+ 
++static void hostapd_dpp_pkex_clear_code(struct hostapd_data *hapd)
++{
++	if (!hapd->dpp_pkex_code && !hapd->dpp_pkex_identifier)
++		return;
++
++	/* Delete PKEX code and identifier on successful completion of
++	 * PKEX. We are not supposed to reuse these without being
++	 * explicitly requested to perform PKEX again. */
++	wpa_printf(MSG_DEBUG, "DPP: Delete PKEX code/identifier");
++	os_free(hapd->dpp_pkex_code);
++	hapd->dpp_pkex_code = NULL;
++	os_free(hapd->dpp_pkex_identifier);
++	hapd->dpp_pkex_identifier = NULL;
++}
++
++
+ void hostapd_dpp_tx_status(struct hostapd_data *hapd, const u8 *dst,
+ 			   const u8 *data, size_t data_len, int ok)
+ {
+@@ -1842,6 +1858,7 @@ hostapd_dpp_rx_pkex_commit_reveal_req(st
+ 				wpabuf_head(msg), wpabuf_len(msg));
+ 	wpabuf_free(msg);
+ 
++	hostapd_dpp_pkex_clear_code(hapd);
+ 	bi = dpp_pkex_finish(hapd->iface->interfaces->dpp, pkex, src, freq);
+ 	if (!bi)
+ 		return;
+@@ -1873,6 +1890,7 @@ hostapd_dpp_rx_pkex_commit_reveal_resp(s
+ 		return;
+ 	}
+ 
++	hostapd_dpp_pkex_clear_code(hapd);
+ 	bi = dpp_pkex_finish(hapd->iface->interfaces->dpp, pkex, src, freq);
+ 	if (!bi)
+ 		return;
+@@ -2215,7 +2233,7 @@ int hostapd_dpp_pkex_remove(struct hosta
+ 			return -1;
+ 	}
+ 
+-	if ((id_val != 0 && id_val != 1) || !hapd->dpp_pkex_code)
++	if ((id_val != 0 && id_val != 1))
+ 		return -1;
+ 
+ 	/* TODO: Support multiple PKEX entries */
+--- a/wpa_supplicant/dpp_supplicant.c
++++ b/wpa_supplicant/dpp_supplicant.c
+@@ -2557,6 +2557,22 @@ static int wpas_dpp_pkex_next_channel(st
+ }
+ 
+ 
++static void wpas_dpp_pkex_clear_code(struct wpa_supplicant *wpa_s)
++{
++	if (!wpa_s->dpp_pkex_code && !wpa_s->dpp_pkex_identifier)
++		return;
++
++	/* Delete PKEX code and identifier on successful completion of
++	 * PKEX. We are not supposed to reuse these without being
++	 * explicitly requested to perform PKEX again. */
++	os_free(wpa_s->dpp_pkex_code);
++	wpa_s->dpp_pkex_code = NULL;
++	os_free(wpa_s->dpp_pkex_identifier);
++	wpa_s->dpp_pkex_identifier = NULL;
++
++}
++
++
+ static void wpas_dpp_pkex_retry_timeout(void *eloop_ctx, void *timeout_ctx)
+ {
+ 	struct wpa_supplicant *wpa_s = eloop_ctx;
+@@ -2739,6 +2755,7 @@ wpas_dpp_pkex_finish(struct wpa_supplica
+ {
+ 	struct dpp_bootstrap_info *bi;
+ 
++	wpas_dpp_pkex_clear_code(wpa_s);
+ 	bi = dpp_pkex_finish(wpa_s->dpp, wpa_s->dpp_pkex, peer, freq);
+ 	if (!bi)
+ 		return NULL;
+@@ -3369,7 +3386,7 @@ int wpas_dpp_pkex_remove(struct wpa_supp
+ 			return -1;
+ 	}
+ 
+-	if ((id_val != 0 && id_val != 1) || !wpa_s->dpp_pkex_code)
++	if ((id_val != 0 && id_val != 1))
+ 		return -1;
+ 
+ 	/* TODO: Support multiple PKEX entries */
diff -Nru wpa-2.10/debian/patches/series wpa-2.10/debian/patches/series
--- wpa-2.10/debian/patches/series	2024-08-05 21:07:00.000000000 +0200
+++ wpa-2.10/debian/patches/series	2025-04-11 16:29:46.000000000 +0200
@@ -12,3 +12,4 @@
 wpa_service_netdev.patch
 0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
 CVE-2024-5290-lib_engine_trusted_path.patch
+CVE-2022-37660.patch

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to