Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 685860 (CVE-2019-11555) - <net-wireless/wpa_supplicant-2.8: Improper fragmentation reassembly state validation in EAP peer leading to DoS (CVE-2019-11555)
Summary: <net-wireless/wpa_supplicant-2.8: Improper fragmentation reassembly state val...
Status: RESOLVED FIXED
Alias: CVE-2019-11555
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://w1.fi/security/2019-5/eap-pwd...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-13 15:30 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-15 19:18 UTC (History)
0 users

See Also:
Package list:
net-wireless/wpa_supplicant-2.8-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 15:30:40 UTC
CVE-2019-11555 (https://nvd.nist.gov/vuln/detail/CVE-2019-11555):
  The EAP-pwd implementation in hostapd (EAP server) before 2.8 and
  wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation
  reassembly state properly for a case where an unexpected fragment could be
  received. This could result in process termination due to a NULL pointer
  dereference (denial of service). This affects eap_server/eap_server_pwd.c
  and eap_peer/eap_pwd.c.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-08-11 00:57:29 UTC
@maintainer, please drop vulnerable.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-08-15 16:08:21 UTC
(In reply to Aaron Bauman from comment #1)
> @maintainer, please drop vulnerable.

Nevermind, this still needs to be stabilized.
Comment 3 Rick Farina (Zero_Chaos) gentoo-dev 2019-08-16 02:01:40 UTC
ACK, let's stabilize wpa_supplicant-2.8-r1
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-08-16 18:47:52 UTC
arm64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-16 22:40:23 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-08-17 20:50:42 UTC
ppc/ppc64 stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2019-08-18 02:32:00 UTC
This issue was resolved and addressed in
 GLSA 201908-25 at https://security.gentoo.org/glsa/201908-25
by GLSA coordinator Aaron Bauman (b-man).
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2019-08-18 02:32:57 UTC
re-opened for final arches
Comment 9 Agostino Sarubbo gentoo-dev 2019-08-18 21:52:07 UTC
amd64 stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-09-01 18:05:11 UTC
arm stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2019-09-02 22:41:21 UTC
@maintainer, please drop vulnerable.
Comment 12 Rick Farina (Zero_Chaos) gentoo-dev 2020-02-13 18:59:11 UTC
vulnerables have been long dropped, sorry for forgetting to post that status here.

This is security's bug now
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 19:18:24 UTC
Repository is clean, all done!