Created attachment 158552 [details]
wpa_supplicant-2.4_4.diff

Good day. Upstream announced today on the oss-security mailing list a vulnerability with the WPS_NFC option. The option is off by default; however, a patch is attached to resolve it for anyone using the option.

References:
http://w1.fi/security/2015-5/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt
http://w1.fi/security/2015-2/0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
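The first reference above describes incomplete validation of NDEF record payload lengths. As an added illustration of that class of bug (this is not wpa_supplicant's src/wps/ndef.c, and the record bytes are constructed for the example rather than captured from a tag), the parser below checks every declared length in the NDEF record header against the bytes actually present before it exposes a pointer to the payload, and it is shown next to the "trust the header" length such a parser must not use:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not wpa_supplicant's src/wps/ndef.c: a minimal NDEF record
 * parser in which every declared length is checked against the bytes that
 * are actually present before any pointer into the buffer is handed out.
 * Record layout: flags byte (MB 0x80, ME 0x40, CF 0x20, SR 0x10, IL 0x08,
 * TNF 0x07), TYPE_LENGTH byte, PAYLOAD_LENGTH (1 byte if SR, else 4 bytes
 * big-endian), optional ID_LENGTH byte (if IL), then TYPE, ID, PAYLOAD.
 */
#define NDEF_SR 0x10
#define NDEF_IL 0x08

struct ndef_record {
	uint8_t tnf;
	const uint8_t *type, *id, *payload;
	size_t type_len, id_len, payload_len;
	size_t total_len;	/* bytes of buf consumed by this record */
};

/* Returns 0 and fills *rec, or -1 if the record does not fit in buf[0..buf_len). */
int ndef_parse_record(const uint8_t *buf, size_t buf_len, struct ndef_record *rec)
{
	size_t pos = 2, remaining;
	uint8_t flags;

	if (buf_len < 2)
		return -1;
	flags = buf[0];
	rec->tnf = flags & 0x07;
	rec->type_len = buf[1];

	if (flags & NDEF_SR) {
		if (buf_len - pos < 1)
			return -1;
		rec->payload_len = buf[pos++];
	} else {
		if (buf_len - pos < 4)
			return -1;
		rec->payload_len = ((size_t)buf[pos] << 24) | ((size_t)buf[pos + 1] << 16) |
				   ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
		pos += 4;
	}
	rec->id_len = 0;
	if (flags & NDEF_IL) {
		if (buf_len - pos < 1)
			return -1;
		rec->id_len = buf[pos++];
	}

	/* Check each length against the space left, one at a time: summing them
	 * first could wrap a 32-bit size_t and slip past a "total <= buf_len" test. */
	remaining = buf_len - pos;
	if (rec->type_len > remaining)
		return -1;
	remaining -= rec->type_len;
	if (rec->id_len > remaining)
		return -1;
	remaining -= rec->id_len;
	if (rec->payload_len > remaining)
		return -1;

	rec->type = buf + pos;        pos += rec->type_len;
	rec->id = buf + pos;          pos += rec->id_len;
	rec->payload = buf + pos;     pos += rec->payload_len;
	rec->total_len = pos;
	return 0;
}

/* Constructed sample records for the demonstration, not captured from a tag. */
static const uint8_t ndef_short_ok[]   = { 0xD1, 0x01, 0x03, 'T', 'a', 'b', 'c' };        /* SR, payload 3 */
static const uint8_t ndef_short_bad[]  = { 0xD1, 0x01, 0x20, 'T', 'a', 'b', 'c' };        /* claims 32, has 3 */
static const uint8_t ndef_long_ok[]    = { 0xC1, 0x01, 0, 0, 0, 3, 'T', 'a', 'b', 'c' };  /* 4-byte length 3 */
static const uint8_t ndef_long_trunc[] = { 0xC1, 0x01, 0, 0 };                            /* cut inside length */

/* The copy length a parser that trusts the header would use (no validation). */
long long ndef_declared_payload_len(const uint8_t *buf, size_t buf_len)
{
	if (buf_len >= 3 && (buf[0] & NDEF_SR))
		return buf[2];
	if (buf_len >= 6)
		return ((long long)buf[2] << 24) | ((long long)buf[3] << 16) |
		       ((long long)buf[4] << 8) | buf[5];
	return -1;
}

/* Payload length after validation, or -1 if the record was rejected. */
long long ndef_checked_payload_len(const uint8_t *buf, size_t buf_len)
{
	struct ndef_record rec;
	return ndef_parse_record(buf, buf_len, &rec) == 0 ? (long long)rec.payload_len : -1;
}

int main(void)
{
	printf("short ok:  validated payload length %lld\n",
	       ndef_checked_payload_len(ndef_short_ok, sizeof ndef_short_ok));
	printf("short bad: header claims %lld payload bytes in a %zu-byte record, validated: %lld\n",
	       ndef_declared_payload_len(ndef_short_bad, sizeof ndef_short_bad),
	       sizeof ndef_short_bad, ndef_checked_payload_len(ndef_short_bad, sizeof ndef_short_bad));
	return 0;
}
```

The point of the contrast is the second sample: a parser that copies `ndef_declared_payload_len()` bytes (32) out of a 7-byte record reads 25 bytes past the end of the buffer, while `ndef_parse_record()` rejects the record before any pointer is formed. The truncated long-format sample shows the other half of the check, that the 4-byte length field itself must be present before it is read.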
Created attachment 158553 [details]
Poudriere testport log from 10.1-RELEASE jail

Per the log, the builds were done with WPS_NFC set to on to ensure the change was hit at compile time.
...
WPS_NFC=on: Near Field Communication (NFC) configuration
...
Builds were also done on all supported releases along with CURRENT.
8.4-RELEASE-p31 amd64
8.4-RELEASE-p31 i386
9.3-RELEASE-p17 amd64
9.3-RELEASE-p17 i386
10.1-RELEASE-p14 amd64
10.1-RELEASE-p14 i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
Created attachment 158554 [details]
security/vuxml entry for wpa_supplicant-2.4_4

There is no CVE assigned as of yet since it was just announced.

== Validation ==
# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml
# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit wpa_supplicant-2.4_3
wpa_supplicant-2.4_3 is vulnerable:
wpa_supplicant -- WPS_NFC option payload length validation vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/c93c9395-25e1-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.
# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit wpa_supplicant-2.4_4
0 problem(s) in the installed packages found.
Lastly, hostapd is listed; however, the net/hostapd port has no way to turn on the WPS_NFC option.
Comment on attachment 158554 [details]
security/vuxml entry for wpa_supplicant-2.4_4

Committed, thanks!
A commit references this bug:

Author: delphij
Date: Fri Jul 10 00:31:40 UTC 2015
New revision: 391686
URL: https://svnweb.freebsd.org/changeset/ports/391686

Log:
  Document wpa_supplicant WPS_NFC option payload length validation vulnerability

  PR:		201432
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: marino
Date: Sun Jul 12 11:22:12 UTC 2015
New revision: 391779
URL: https://svnweb.freebsd.org/changeset/ports/391779

Log:
  security/wpa_supplicant: Address security issue (2015-5)

  There was a vulnerability to the WPS_NFC option which is off by default.
  The port is being bumped anyway since people using that option will want
  the latest version.

  PR:		201432
  Submitted by:	Jason Unovitch

Changes:
  head/security/wpa_supplicant/Makefile
  head/security/wpa_supplicant/files/patch-src_wps_ndef.c
As always, thanks!
(In reply to John Marino from comment #7)
Thanks John. Being a security fix, this should be worthy of an MFH to 2015Q3.
Hi Jason,
I have a number of philosophical issues with the quarterly branches. I don't think they are properly supported via portsnap, administrative, etc. It's also a PITA to backport if one's key has passphrases. Frankly, the only motivation I have to do it is to shut up pkg-fallout messages if it's actually not building anymore.

So basically -- until branches are properly and professionally supported, I'm pretty much ignoring them. What's in place now doesn't cut it. It seems half-finished, probably due to lack of volunteer support, but the cause doesn't interest me as much as the result.
A commit references this bug:

Author: feld
Date: Sat Jul 18 21:47:56 UTC 2015
New revision: 392466
URL: https://svnweb.freebsd.org/changeset/ports/392466

Log:
  MFH: r391779

  security/wpa_supplicant: Address security issue (2015-5)

  There was a vulnerability to the WPS_NFC option which is off by default.
  The port is being bumped anyway since people using that option will want
  the latest version.

  PR:		201432
  Submitted by:	Jason Unovitch
  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/security/wpa_supplicant/Makefile
  branches/2015Q3/security/wpa_supplicant/files/patch-src_wps_ndef.c
A commit references this bug:

Author: junovitch
Date: Tue Nov 10 03:25:28 UTC 2015
New revision: 401185
URL: https://svnweb.freebsd.org/changeset/ports/401185

Log:
  Document CVE assignment on wpa_supplicant 2015-5 advisory

  PR:		201432
  Security:	CVE-2015-8041
  Security:	https://vuxml.FreeBSD.org/freebsd/c93c9395-25e1-11e5-a4a5-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml