Description: "A vulnerability was discovered in how wpa_supplicant processing P2P (Wi-Fi Direct) group information from active group owners. The actual parsing of that information validates field lengths appropriately, but processing of the parsed information misses a length check when storing a copy of the secondary device types. This can result in writing attacker controlled data into the peer entry after the area assigned for the secondary device type. The overflow can result in corrupting pointers for heap allocations. This can result in an attacker within radio range of the device running P2P discovery being able to cause unexpected behavior, including termination of the wpa_supplicant process and potentially arbitrary code execution."

Advisory: https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt

Patch: https://w1.fi/security/2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch
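The missing length check described in the advisory text above, modelled as an added example (this is not wpa_supplicant's code and not the upstream patch). The struct layout, all names and the capacity of 5 entries are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEV_TYPE_LEN 8       /* assumed size of one device type entry */
#define SEC_DEV_TYPE_MAX 5   /* assumed capacity of the peer entry */

/* Hypothetical peer entry: fixed-size list followed by a heap pointer. */
struct peer_entry {
    uint8_t sec_dev_type_list[SEC_DEV_TYPE_MAX * DEV_TYPE_LEN];
    size_t sec_dev_type_list_len;
    void *vendor_elems;      /* the kind of field an overflow would corrupt */
};

/* Hypothetical parsed record. The parser has already verified that
 * sec_dev_types points at num_sec_dev_types * DEV_TYPE_LEN readable bytes,
 * which says nothing about whether they fit in the destination. */
struct client_info {
    const uint8_t *sec_dev_types;
    size_t num_sec_dev_types;
};

/* Copy with the destination capacity enforced; returns entries dropped. */
size_t copy_sec_dev_types(struct peer_entry *peer, const struct client_info *cli)
{
    size_t n = cli->num_sec_dev_types;
    size_t dropped = 0;

    if (n > SEC_DEV_TYPE_MAX) {          /* the check the advisory says was missing */
        dropped = n - SEC_DEV_TYPE_MAX;
        n = SEC_DEV_TYPE_MAX;
    }
    if (n > 0)
        memcpy(peer->sec_dev_type_list, cli->sec_dev_types, n * DEV_TYPE_LEN);
    peer->sec_dev_type_list_len = n * DEV_TYPE_LEN;
    return dropped;
}

/* Constructed input: 12 entries offered to a 5-entry destination.
 * Returns 1 when 7 entries were dropped and the adjacent pointer survived. */
int demo_oversized_record(void)
{
    static uint8_t frame[12 * DEV_TYPE_LEN];
    int marker = 0;
    struct peer_entry peer;
    struct client_info cli = { frame, 12 };

    memset(frame, 0x41, sizeof(frame));
    memset(&peer, 0, sizeof(peer));
    peer.vendor_elems = &marker;
    return copy_sec_dev_types(&peer, &cli) == 7 &&
           peer.vendor_elems == (void *)&marker &&
           peer.sec_dev_type_list_len == sizeof(peer.sec_dev_type_list);
}
```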
Please apply the patch, thanks!
Ping
There's also 2021-1: https://w1.fi/security/2021-1/

Vulnerability

A vulnerability was discovered in how wpa_supplicant processes P2P (Wi-Fi Direct) provision discovery requests. Under a corner case condition, an invalid Provision Discovery Request frame could end up reaching a state where the oldest peer entry needs to be removed. With a suitably constructed invalid frame, this could result in use (read+write) of freed memory. This can result in an attacker within radio range of the device running P2P discovery being able to cause unexpected behavior, including termination of the wpa_supplicant process and potentially code execution.

Vulnerable versions/configurations
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a67f782dde9b277d96bdc762475a4ff551268061

commit a67f782dde9b277d96bdc762475a4ff551268061
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-08 05:39:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-08 05:41:14 +0000

    net-wireless/wpa_supplicant: add security patches

    Patches for:
    * Upstream advisories 2020-2, 2021-1
    * CVE-2021-30004

    Bug: https://bugs.gentoo.org/768759
    Bug: https://bugs.gentoo.org/780138
    Signed-off-by: Sam James <sam@gentoo.org>

 net-wireless/wpa_supplicant/Manifest | 1 +
 .../wpa_supplicant/wpa_supplicant-2.9-r3.ebuild | 475 +++++++++++++++++++++
 2 files changed, 476 insertions(+)
amd64 done
Unable to check for sanity:
> no match for package: net-wireless/wpa_supplicant-2.9-r3
ppc stable
ppc64 stable
x86 stable
commit did not drop any keywords:

commit 99e1e98f29e5d21a2baf0aaaa79455f611f25096
Author: Thomas Deutschmann <whissi@gentoo.org>
Date: Fri Jun 18 00:07:03 2021 +0200

    net-wireless/wpa_supplicant: rev bump for commit f9b8bde6b

+ KEYWORDS="~alpha amd64 arm arm64 ~ia64 ~mips ppc ppc64 ~sparc x86"
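Review bot: the added KEYWORDS line on this revision bump still lists amd64, arm, arm64, ppc, ppc64 and x86 without a ~ prefix, and the commit message as quoted here gives no reason for keeping them. If the stable keywords are intentional, reference the stabilisation bug in the commit message; otherwise prefix them with ~ so the new revision goes through testing first.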
(In reply to Sergei Trofimovich from comment #10)
> commit did not drop any keywords:
>
> commit 99e1e98f29e5d21a2baf0aaaa79455f611f25096
> Author: Thomas Deutschmann <whissi@gentoo.org>
> Date: Fri Jun 18 00:07:03 2021 +0200
>
> net-wireless/wpa_supplicant: rev bump for commit f9b8bde6b
>
> + KEYWORDS="~alpha amd64 arm arm64 ~ia64 ~mips ppc ppc64 ~sparc x86"

I’m not sure what you mean… we were already stabilising for a security bug. Were stable keywords accidentally added?
(In reply to Sam James from comment #11)
> (In reply to Sergei Trofimovich from comment #10)
> > commit did not drop any keywords:
> >
> > commit 99e1e98f29e5d21a2baf0aaaa79455f611f25096
> > Author: Thomas Deutschmann <whissi@gentoo.org>
> > Date: Fri Jun 18 00:07:03 2021 +0200
> >
> > net-wireless/wpa_supplicant: rev bump for commit f9b8bde6b
> >
> > + KEYWORDS="~alpha amd64 arm arm64 ~ia64 ~mips ppc ppc64 ~sparc x86"
>
> I’m not sure what you mean… we were already stabilising for a security bug.
> Were stable keywords accidentally added?

Aha: https://bugs.gentoo.org/780135#c8.
x86 done
arm done
arm64 done

all arches done
Please cleanup.
cleanup complete, anything else I can do to help get this closed?
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0195ea9f2ff90e0c5b9aab4eb5154bdb3fdb3ed7

commit 0195ea9f2ff90e0c5b9aab4eb5154bdb3fdb3ed7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-30 08:38:51 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-30 08:39:50 +0000

    [ GLSA 202309-16 ] wpa_supplicant, hostapd: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/768759
    Bug: https://bugs.gentoo.org/780135
    Bug: https://bugs.gentoo.org/780138
    Bug: https://bugs.gentoo.org/831332
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202309-16.xml | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)