diff options
| author | Mark H Weaver <mhw@netris.org> | 2015-10-08 08:42:13 -0400 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2015-10-08 09:15:30 -0400 |
| commit | e91e28d60c66362b7114d7a3ed7809609f2c1b4b (patch) | |
| tree | 38800abdc57a795673d6b71385703f2ac8421b26 /gnu/packages/patches/wpa-supplicant-2015-2-fix.patch | |
| parent | 797e1401feda5c32c67c2069afdbdc29792dfa78 (diff) | |
| download | guix-e91e28d60c66362b7114d7a3ed7809609f2c1b4b.tar guix-e91e28d60c66362b7114d7a3ed7809609f2c1b4b.tar.gz | |
gnu: wpa-supplicant: Update to 2.5.
* gnu/packages/patches/wpa-supplicant-2015-2-fix.patch,
gnu/packages/patches/wpa-supplicant-2015-3-fix.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt1.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt2.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt3.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt4.patch,
gnu/packages/patches/wpa-supplicant-2015-4-fix-pt5.patch,
gnu/packages/patches/wpa-supplicant-2015-5-fix.patch,
gnu/packages/patches/wpa-supplicant-CVE-2015-1863.patch: Delete files.
* gnu-system.am (dist_patch_DATA): Remove them.
* gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.5.
Remove patches.
Diffstat (limited to 'gnu/packages/patches/wpa-supplicant-2015-2-fix.patch')
| -rw-r--r-- | gnu/packages/patches/wpa-supplicant-2015-2-fix.patch | 51 |
1 files changed, 0 insertions, 51 deletions
diff --git a/gnu/packages/patches/wpa-supplicant-2015-2-fix.patch b/gnu/packages/patches/wpa-supplicant-2015-2-fix.patch deleted file mode 100644 index cd097006d2..0000000000 --- a/gnu/packages/patches/wpa-supplicant-2015-2-fix.patch +++ /dev/null @@ -1,51 +0,0 @@ -Patch copied from http://w1.fi/security/2015-2/ - -From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j@w1.fi> -Date: Tue, 28 Apr 2015 17:08:33 +0300 -Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser - -strtoul() return value may end up overflowing the int h->chunk_size and -resulting in a negative value to be stored as the chunk_size. This could -result in the following memcpy operation using a very large length -argument which would result in a buffer overflow and segmentation fault. - -This could have been used to cause a denial service by any device that -has been authorized for network access (either wireless or wired). This -would affect both the WPS UPnP functionality in a WPS AP (hostapd with -upnp_iface parameter set in the configuration) and WPS ER -(wpa_supplicant with WPS_ER_START control interface command used). - -Validate the parsed chunk length value to avoid this. In addition to -rejecting negative values, we can also reject chunk size that would be -larger than the maximum configured body length. - -Thanks to Kostya Kortchinsky of Google security team for discovering and -reporting this issue. - -Signed-off-by: Jouni Malinen <j@w1.fi> ---- - src/wps/httpread.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/wps/httpread.c b/src/wps/httpread.c -index 2f08f37..d2855e3 100644 ---- a/src/wps/httpread.c -+++ b/src/wps/httpread.c -@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx) - if (!isxdigit(*cbp)) - goto bad; - h->chunk_size = strtoul(cbp, NULL, 16); -+ if (h->chunk_size < 0 || -+ h->chunk_size > h->max_bytes) { -+ wpa_printf(MSG_DEBUG, -+ "httpread: Invalid chunk size %d", -+ h->chunk_size); -+ goto bad; -+ } - /* throw away chunk header - * so we have only real data - */ --- -1.9.1 - |