[pkg-wpa-devel] r1780 - in /wpa/trunk/debian: changelog patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch patches/series

slh-guest at users.alioth.debian.org
Mon Oct 8 15:34:24 UTC 2012


Author: slh-guest
Date: Mon Oct  8 15:34:24 2012
New Revision: 1780

URL: http://svn.debian.org/wsvn/pkg-wpa/?sc=1&rev=1780
Log:
Fix DoS via specially crafted EAP-TLS messages with longer message
length than TLS data length (CVE-2012-4445).

Added:
    wpa/trunk/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch
Modified:
    wpa/trunk/debian/changelog
    wpa/trunk/debian/patches/series

Modified: wpa/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-wpa/wpa/trunk/debian/changelog?rev=1780&op=diff
==============================================================================
--- wpa/trunk/debian/changelog (original)
+++ wpa/trunk/debian/changelog Mon Oct  8 15:34:24 2012
@@ -1,14 +1,15 @@
-wpa (1.0-3) UNRELEASED; urgency=low
-
-  * NOT RELEASED YET
+wpa (1.0-3) unstable; urgency=high
+
   * enable IBSS RSN, thanks to Nicolas Cavallari <batchman at free.fr>
     (Closes: #678147).
   * revert to GNU readline for wpa_cli, instead of using the internal readline
     implementation added in wpa 1~. Prefer libreadline-gplv2-dev, because libnl
     is GPL-2 (only) - switching back to the internal readline implementation is
     targeted for wheezy+1 (Closes: #677993, #678077).
-
- -- Stefan Lippers-Hollmann <s.l-h at gmx.de>  Fri, 22 Jun 2012 00:42:43 +0200
+  * Fix DoS via specially crafted EAP-TLS messages with longer message
+    length than TLS data length (CVE-2012-4445).
+
+ -- Stefan Lippers-Hollmann <s.l-h at gmx.de>  Mon, 08 Oct 2012 17:30:16 +0200
 
 wpa (1.0-2) unstable; urgency=low
 

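Review bot: the new 1.0-3 changelog entry for CVE-2012-4445 names neither the patch file nor the affected component, although the upload goes to unstable at urgency=high. Consider naming debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch in the entry and stating that the issue is in hostapd's internal EAP server, so a reader of the changelog alone can see what justifies the urgency. The earlier items in this entry carry a "(Closes: #...)" reference; if a Debian bug exists for this CVE, it should be closed here as well.
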
Added: wpa/trunk/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch
URL: http://svn.debian.org/wsvn/pkg-wpa/wpa/trunk/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch?rev=1780&op=file
==============================================================================
--- wpa/trunk/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch (added)
+++ wpa/trunk/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch Mon Oct  8 15:34:24 2012
@@ -1,0 +1,43 @@
+From: Jouni Malinen <j at w1.fi>
+Date: Sun, 7 Oct 2012 17:06:29 +0000 (+0300)
+Subject: EAP-TLS server: Fix TLS Message Length validation
+X-Git-Url: http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=586c446e0ff42ae00315b014924ec669023bd8de
+
+EAP-TLS server: Fix TLS Message Length validation
+
+EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
+Message Length value properly and could end up trying to store more
+information into the message buffer than the allocated size if the first
+fragment is longer than the indicated size. This could result in hostapd
+process terminating in wpabuf length validation. Fix this by rejecting
+messages that have invalid TLS Message Length value.
+
+This would affect cases that use the internal EAP authentication server
+in hostapd either directly with IEEE 802.1X or when using hostapd as a
+RADIUS authentication server and when receiving an incorrectly
+constructed EAP-TLS message. Cases where hostapd uses an external
+authentication are not affected.
+
+Thanks to Timo Warns for finding and reporting this issue.
+
+Signed-hostap: Jouni Malinen <j at w1.fi>
+intended-for: hostap-1
+---
+
+--- a/src/eap_server/eap_server_tls_common.c
++++ b/src/eap_server/eap_server_tls_common.c
+@@ -224,6 +224,14 @@ static int eap_server_tls_process_fragme
+ 			return -1;
+ 		}
+ 
++		if (len > message_length) {
++			wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
++				   "first fragment of frame (TLS Message "
++				   "Length %d bytes)",
++				   (int) len, (int) message_length);
++			return -1;
++		}
++
+ 		data->tls_in = wpabuf_alloc(message_length);
+ 		if (data->tls_in == NULL) {
+ 			wpa_printf(MSG_DEBUG, "SSL: No memory for message");
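
Review bot: the added `if (len > message_length)` check sits in the branch that allocates data->tls_in, so it bounds only the first fragment against the TLS Message Length; the hunk does not show whether later fragments are checked against the space remaining in the buffer before they are appended. Please confirm that the continuation path has an equivalent bound, otherwise the wpabuf length validation abort described in the commit message may remain reachable from there. Separately, the log line casts both values with `(int)` for `%d`; if either is an unsigned type, a value above INT_MAX is logged as a negative number, so `%u` with an unsigned cast would keep the rejected length readable in the log.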

Modified: wpa/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-wpa/wpa/trunk/debian/patches/series?rev=1780&op=diff
==============================================================================
--- wpa/trunk/debian/patches/series (original)
+++ wpa/trunk/debian/patches/series Mon Oct  8 15:34:24 2012
@@ -6,3 +6,4 @@
 12_wpa_gui_knotify_support.patch
 13_human_readable_signal.patch
 libnl3-includes.patch
+EAP-TLS-server_fix-TLS-Message-length-validation.patch
