Your message dated Fri, 24 Apr 2015 11:03:57 +0000
with message-id <e1ylbon-0003hm...@franck.debian.org>
and subject line Bug#783148: fixed in wpa 2.3-2
has caused the Debian Bug report #783148,
regarding wpa: CVE-2015-1863: wpa_supplicant P2P SSID processing vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
783148: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783148
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wpa
Version: 2.3-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
Hi,
the following vulnerability was published for wpa.
CVE-2015-1863[0]:
| P2P SSID processing vulnerability:
| A vulnerability was found in how wpa_supplicant uses SSID information
| parsed from management frames that create or update P2P peer entries
| (e.g., Probe Response frame or number of P2P Public Action frames). SSID
| field has valid length range of 0-32 octets. However, it is transmitted
| in an element that has an 8-bit length field and potential maximum
| payload length of 255 octets. wpa_supplicant was not sufficiently
| verifying the payload length on one of the code paths using the SSID
| received from a peer device.
|
| This can result in copying arbitrary data from an attacker to a fixed
| length buffer of 32 bytes (i.e., a possible overflow of up to 223
| bytes). The SSID buffer is within struct p2p_device that is allocated
| from heap. The overflow can override a couple of variables in the struct,
| including a pointer that gets freed. In addition about 150 bytes (the
| exact length depending on architecture) can be written beyond the end of
| the heap allocation.
|
| This could result in corrupted state in heap, unexpected program
| behavior due to corrupted P2P peer device information, denial of service
| due to wpa_supplicant process crash, exposure of memory contents during
| GO Negotiation, and potentially arbitrary code execution.
|
| Vulnerable versions/configurations
|
| wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled
|
| Attacker (or a system controlled by the attacker) needs to be within
| radio range of the vulnerable system to send a suitably constructed
| management frame that triggers a P2P peer device information to be
| created or updated.
|
| The vulnerability is easiest to exploit while the device has started an
| active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
| interface command in progress). However, it may be possible, though
| significantly more difficult, to trigger this even without any active
| P2P operation in progress.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-1863
[1] http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt
[2] http://w1.fi/security/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
Regards,
Salvatore
--- End Message ---
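The length check the advisory above describes, as an added C example that is not part of the original messages and is not the upstream wpa_supplicant patch. The names `struct peer_entry` and `peer_set_ssid` and the sample inputs are hypothetical, constructed for illustration; the function walks ID/length/payload elements and refuses an SSID whose 8-bit length field exceeds the 32-byte buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WLAN_EID_SSID 0   /* element ID of the SSID element */
#define SSID_MAX_LEN 32   /* valid SSID length is 0-32 octets */

/* Hypothetical peer record with a fixed 32-byte SSID buffer. */
struct peer_entry {
    uint8_t ssid[SSID_MAX_LEN];
    size_t ssid_len;
};

/* Walk elements (ID octet, length octet, payload) and store the SSID.
 * Returns 0 on success, -1 if an element is truncated, -2 if the SSID
 * payload exceeds 32 octets, -3 if no SSID element is present. */
int peer_set_ssid(struct peer_entry *peer, const uint8_t *buf, size_t len)
{
    size_t pos = 0;

    while (pos < len) {
        if (len - pos < 2)
            return -1;              /* no room for ID and length octets */
        uint8_t id = buf[pos];
        size_t elen = buf[pos + 1]; /* 8-bit field, so up to 255 */
        pos += 2;
        if (elen > len - pos)
            return -1;              /* payload runs past the buffer */
        if (id == WLAN_EID_SSID) {
            if (elen > sizeof(peer->ssid))
                return -2;          /* reject before any copy happens */
            memcpy(peer->ssid, buf + pos, elen);
            peer->ssid_len = elen;
            return 0;
        }
        pos += elen;
    }
    return -3;
}

int main(void)
{
    /* Constructed inputs: a 4-octet SSID, then one claiming 33 octets. */
    uint8_t ok[] = { 0, 4, 'D', 'E', 'M', 'O' }, bad[2 + 33] = { 0, 33 };
    struct peer_entry peer = { { 0 }, 0 };
    printf("%d\n", peer_set_ssid(&peer, ok, sizeof(ok)));
    printf("%d\n", peer_set_ssid(&peer, bad, sizeof(bad)));
    return 0;
}
```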
--- Begin Message ---
Source: wpa
Source-Version: 2.3-2
We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 783...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Lippers-Hollmann <s....@gmx.de> (supplier of updated wpa package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 23 Apr 2015 05:02:21 +0200
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 2.3-2
Distribution: unstable
Urgency: high
Maintainer: Debian wpasupplicant Maintainers <pkg-wpa-de...@lists.alioth.debian.org>
Changed-By: Stefan Lippers-Hollmann <s....@gmx.de>
Description:
hostapd - IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
wpagui - graphical user interface for wpa_supplicant
wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 780552 783148
Changes:
wpa (2.3-2) unstable; urgency=high
.
* remove Kel Modderman from Uploaders as per his request, many thanks for
all past efforts Kel.
* fix systemd unit dependencies for wpasupplicant, it needs to be started
before the network target (Closes: 780552), many thanks to Michael Biebl
<bi...@debian.org> for reporting and suggesting the patch.
* hostapd: avoid segfault with driver=wired, by merging upstream commit
e9b783d58c23a7bb50b2f25bce7157f1f3b5d58b "Fix hostapd operation without
hw_mode driver data."
* import "P2P: Validate SSID element length before copying it
(CVE-2015-1863)" from upstream (Closes: #783148).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---