sync/ports
1
0
Fork 0
mirror of https://git.freebsd.org/ports.git synced 2025-05-25 07:26:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
ports/security/wpa_supplicant/files/patch-2016_1_4-Reject-SET_CRED-commands-with-newline-characters-in
John Marino 5c93ecbe9e security/wpa_supplicant: Add security patch set 2016-1 
A vulnerability was found in how hostapd and wpa_supplicant writes the
configuration file update for the WPA/WPA2 passphrase parameter. If this
parameter has been updated to include control characters either through
a WPS operation (CVE-2016-4476) or through local configuration change
over the wpa_supplicant control interface (CVE-2016-4477), the resulting
configuration file may prevent the hostapd and wpa_supplicant from
starting when the updated file is used. In addition for wpa_supplicant,
it may be possible to load a local library file and execute code from
there with the same privileges under which the wpa_supplicant process
runs.

These patches were developed upstream and published as a response
to the security advisories CVE-2016-4476 and CVE-2016-4477.

PR:		209564
Requested by:	Sevan Janiyan
2016-05-19 21:12:07 +00:00

60 lines
2.3 KiB
Text
Raw Blame History

From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue, 5 Apr 2016 23:33:10 +0300
Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the
string values
Most of the cred block parameters are written as strings without
filtering and if there is an embedded newline character in the value,
unexpected configuration file data might be written.
This fixes an issue where wpa_supplicant could have updated the
configuration file cred parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the credential value before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
wpa_supplicant/config.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- wpa_supplicant/config.c
+++ wpa_supplicant/config.c
@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
if (os_strcmp(var, "password") == 0 &&
os_strncmp(value, "ext:", 4) == 0) {
+ if (has_newline(value))
+ return -1;
str_clear_free(cred->password);
cred->password = os_strdup(value);
cred->ext_password = 1;
@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
}
val = wpa_config_parse_string(value, &len);
- if (val == NULL) {
+ if (val == NULL ||
+ (os_strcmp(var, "excluded_ssid") != 0 &&
+ os_strcmp(var, "roaming_consortium") != 0 &&
+ os_strcmp(var, "required_roaming_consortium") != 0 &&
+ has_newline(val))) {
wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
"value '%s'.", line, var, value);
+ os_free(val);
return -1;
}
--
1.9.1
Reference in a new issue View git blame Copy permalink