663172 – (CVE-2018-14526) <net-wireless/wpa_supplicant-2.6-r10: Unauthenticated EAPOL-Key decryption in wpa_supplicant

Bug 663172 (CVE-2018-14526) - <net-wireless/wpa_supplicant-2.6-r10: Unauthenticated EAPOL-Key decryption in wpa_supplicant

Summary: <net-wireless/wpa_supplicant-2.6-r10: Unauthenticated EAPOL-Key decryption in...

Status:	RESOLVED FIXED

Alias:	CVE-2018-14526

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-08-08 16:14 UTC by Hanno Böck
Modified:	2020-03-15 19:17 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	=net-wireless/wpa_supplicant-2.6-r10
Runtime testing required:	Yes

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2018-08-08 16:14:26 UTC

See
https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
https://twitter.com/vanhoefm/status/1027206021763293185

Patch:
https://w1.fi/security/2018-1/

Comment 1 Rick Farina (Zero_Chaos) gentoo-dev

2018-12-05 20:49:05 UTC

wpa_supplicant-2.6-r10 is in the tree with a fix.  I'd also like it stabilized anyway, so I've opened a bug

https://bugs.gentoo.org/672584

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2018-12-07 02:43:45 UTC

x86 stable

Comment 3 Mikle Kolyada (RETIRED) archtester

2018-12-07 12:31:22 UTC

amd64 stable

Comment 4 Matt Turner gentoo-dev

2018-12-07 23:20:37 UTC

ppc/ppc64 stable

Comment 5 Mikle Kolyada (RETIRED) archtester

2018-12-08 12:11:19 UTC

arm stable

Comment 6 cono 2018-12-09 22:38:22 UTC

I'm having issues with this wpa_supplicant version. No errors in the log, just ping of the gateway stuck for a moment, than recovers by itself, than stuck again (not only ping, like whole connection, just tested by the ping).
Reverting back to 2.6-r6 resolves the problem.

My WIFI: Killer AC-1535

03:00.0 Network controller [0280]: Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter [168c:003e] (rev 32)
	Subsystem: Bigfoot Networks, Inc. QCA6174 802.11ac Wireless Network Adapter [1a56:1535]
	Kernel driver in use: ath10k_pci
	Kernel modules: ath10k_pci

Not sure what else I can provide, please suggest.

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2018-12-09 23:36:07 UTC

Please file an own bug for your issue.

Comment 8 Yury German Gentoo Infrastructure

2019-03-10 02:52:23 UTC

GLSA Vote: No
Arches and Maintainer(s), Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).