Bug 634436

Summary: <net-wireless/wpa_supplicant-2.6-r3: WPA packet number reuse with replayed messages and key reinstallation
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ago, alexander, arthur, bertrand, charles17, gentoo, gurligebis, luke, monsieurp, redneb, ryao, speedjack95, zerochaos
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Whiteboard: B4 [glsa]
Package list:
=net-wireless/wpa_supplicant-2.6-r3
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 634440    

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-16 13:34:25 UTC
Incoming details
Comment 1 Richard Yao (RETIRED) gentoo-dev 2017-10-16 13:37:38 UTC
Details here:

https://www.krackattacks.com/

Both hostapd and wpa_supplicant are affected. Upstream has published patches:

https://w1.fi/security/2017-1/
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-16 13:53:17 UTC
See tracker bug 634440 for more details.
Comment 3 Rick Farina (Zero_Chaos) gentoo-dev 2017-10-16 13:53:45 UTC
The patches for this seem to break 802.11r/FT for me.  As no one has ever asked for that feature, nor reported a bug on it, I think that's okay.  I added it for me, and I'm breaking it for me.  I'll cry alone.

Ebuild is in the tree, intentionally holding for a test period before stabilizing.
Comment 4 Rick Farina (Zero_Chaos) gentoo-dev 2017-10-16 14:23:42 UTC
cc: arches which I didn't stable
Comment 5 Arfrever Frehtes Taifersar Arahesis 2017-10-17 00:48:27 UTC
*** Bug 634418 has been marked as a duplicate of this bug. ***
Comment 6 charles17 2017-10-20 07:18:07 UTC
*** Bug 619058 has been marked as a duplicate of this bug. ***
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-21 10:48:09 UTC
ppc/ppc64 stable
Comment 8 Markus Meier gentoo-dev 2017-10-24 17:38:34 UTC
arm stable, all arches done.
Comment 9 Aleksandr Wagner (Kivak) 2017-10-24 19:07:36 UTC
Thank you arches.

@ Maintainer(s): Please remove the vulnerable version from tree.
Comment 10 Rick Farina (Zero_Chaos) gentoo-dev 2017-10-26 20:54:49 UTC
Vulnerable removed, thanks
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-26 20:58:35 UTC
GLSA Vote: Yes!

New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-11-10 22:40:32 UTC
This issue was resolved and addressed in
 GLSA 201711-03 at https://security.gentoo.org/glsa/201711-03
by GLSA coordinator Aaron Bauman (b-man).