Bug 727542

Summary:	<net-wireless/hostapd-2.9-r3: Multiple vulnerabilities (CVE-2020-12695)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	ajak, alarig, andrey_utkin, sam, zerochaos
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt
See Also:	https://github.com/gentoo/gentoo/pull/15990 https://github.com/gentoo/gentoo/pull/17864
Whiteboard:	B3 [noglsa cve]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	729302

Description Sam James archtester

2020-06-08 15:24:19 UTC

* "Such issues could allow a device connected to the local network (i.e., a
device that has been authorized to transmit packets in the network in
which the AP is located) could trigger the AP to initiate a HTTP
(TCP/IP) connection to an arbitrary URL"

* "[Other] issues could allow
local devices (i.e., devices that have been authorized to transmit
packets in the network in which the AP is located) to trigger
misbehavior in hostapd and cause the process to either get terminated or
to start using more CPU resources by using a specially constructed
SUBSCRIBE command."

Comment 1 Sam James archtester

2020-06-08 15:25:01 UTC

Patches:
* https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
* https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
* https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch

Comment 2 Sam James archtester

2020-06-23 12:21:40 UTC

@maintainer(s), please apply these patches.

Comment 3 Sam James archtester

2020-07-26 05:48:07 UTC

ping

Comment 4 Larry the Git Cow gentoo-dev

2020-09-27 16:56:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8c17aa77fa1271caf2d881c92e36cc121578b94

commit b8c17aa77fa1271caf2d881c92e36cc121578b94
Author:     Alarig Le Lay <alarig@swordarmor.fr>
AuthorDate: 2020-09-12 11:38:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-27 16:56:39 +0000

    net-wireless/hostapd: fix CVE-2020-12695
    
    Bug: https://bugs.gentoo.org/727542
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Alarig Le Lay <alarig@swordarmor.fr>
    Closes: https://github.com/gentoo/gentoo/pull/15990
    Signed-off-by: Sam James <sam@gentoo.org>

 ...-not-allow-event-subscriptions-with-URLs-.patch | 150 +++++++++++
 ...x-event-message-generation-using-a-long-U.patch |  59 +++++
 ...ndle-HTTP-initiation-failures-for-events-.patch |  47 ++++
 net-wireless/hostapd/hostapd-2.9-r1.ebuild         |   2 +-
 net-wireless/hostapd/hostapd-2.9-r3.ebuild         | 279 +++++++++++++++++++++
 5 files changed, 536 insertions(+), 1 deletion(-)

Comment 5 Sam James archtester

2020-09-29 11:42:43 UTC

ppc done

Comment 6 Sam James archtester

2020-09-29 22:17:04 UTC

arm64 done

Comment 7 Sam James archtester

2020-10-02 20:38:50 UTC

arm done

Comment 8 Sam James archtester

2020-10-03 16:54:24 UTC

amd64 done

Comment 9 Agostino Sarubbo gentoo-dev

2020-10-09 08:41:47 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 10 Gordon Bos 2020-10-14 09:16:31 UTC

A note on this revision:

There is a conflict with `bindist` USE flag set as this revision reintroduces linking to ECDH functions that the `internal-tls` USE flag should prevent. I have traced this issue back to the unconditional addition of the `Device Provisioning Protocol` (CONFIG_DPP) which I think should be moved to the SSL authentication methods block in the ebuild.

Comment 11 Gordon Bos 2020-10-14 09:54:07 UTC

Addendum:

It seems I had some residual changes hanging around. Above note in fact applies to ALL the added protocols:
* Dragonfly (CONFIG_SAE)
* Opportunistic Wireless Encryption (CONFIG_OWE)
* Device Provisioning Protocol (CONFIG_DPP)

Please make these depend on `internal-tls` NOT being set.

Comment 12 Alarig Le Lay 2020-10-15 21:19:12 UTC

I moved them in the internal-tls conditional block, see the MR for the diff

Comment 13 Larry the Git Cow gentoo-dev

2021-01-10 14:42:36 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4831a30d002e33c50e18114f257d1c228c922c8

commit f4831a30d002e33c50e18114f257d1c228c922c8
Author:     Alarig Le Lay <alarig@swordarmor.fr>
AuthorDate: 2020-10-15 21:06:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-10 14:42:32 +0000

    net-wireless/hostapd: Make bindist protocols depending on internal-tls
    
    * Dragonfly (CONFIG_SAE)
    * Opportunistic Wireless Encryption (CONFIG_OWE)
    * Device Provisioning Protocol (CONFIG_DPP)
    
    Bug: https://bugs.gentoo.org/727542
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Alarig Le Lay <alarig@swordarmor.fr>
    Closes: https://github.com/gentoo/gentoo/pull/17864
    Signed-off-by: Sam James <sam@gentoo.org>

 net-wireless/hostapd/hostapd-2.9-r3.ebuild | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

Comment 14 NATTkA bot gentoo-dev

2021-06-17 22:20:48 UTC

Unable to check for sanity:

> no match for package: net-wireless/hostapd-2.9-r3

Comment 15 John Helmert III archtester

2021-08-06 04:01:42 UTC

No GLSA like the other CallStranger bugs, all done!