Bug 199678

Summary: security/wpa_supplicant: [PATCH][SECURITY] Patch for P2P SSID processing vuln -- CVE-2015-1863
Product: Ports & Packages
Component: Individual Port(s)
Status: Closed FIXED
Severity: Affects Some People
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Reporter: Jason Unovitch <junovitch>
Assignee: John Marino <marino>
Keywords: patch
Flags: bugzilla: maintainer-feedback? (marino)

Attachments (description, flags):
Apply upstream patch for CVE-2015-1863 to security/wpa_supplicant (flags: none)
Poudriere Build Logs from 10.1-RELEASE amd64 (flags: none)
security/vuxml entry for wpa_supplicant < 2.4_1 (flags: none)

Description Jason Unovitch freebsd_committer freebsd_triage 2015-04-25 03:35:15 UTC
Created attachment 155960 [details]
Apply upstream patch for CVE-2015-1863 to security/wpa_supplicant

Apply patch for wpa_supplicant P2P SSID processing vulnerability. Note patch is only relevant with P2P option which is off by default and per upstream won't be needed whenever wpa_supplicant 2.5 is released.

Security Advisory:
http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt

Upstream Git:
http://w1.fi/cgit/hostap/commit/?id=9ed4eee345f85e3025c33c6e20aa25696e341ccd

Noticed by: "KNOStic" at the FreeBSD Forums
https://forums.freebsd.org/threads/patch-for-wpa_supplicant.51368/
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-04-25 03:35:57 UTC
Created attachment 155961 [details]
Poudriere Build Logs from 10.1-RELEASE amd64
Comment 2 John Marino freebsd_committer freebsd_triage 2015-04-25 06:05:55 UTC
Looks fine.  In fact, Matt Dillon added this patch to base wpa_supplicant in DragonFly yesterday.
Comment 3 commit-hook freebsd_committer freebsd_triage 2015-04-25 06:19:42 UTC
A commit references this bug:

Author: marino
Date: Sat Apr 25 06:19:17 UTC 2015
New revision: 384705
URL: https://svnweb.freebsd.org/changeset/ports/384705

Log:
  security/wpa_supplicant: Fix CVE-2015-1863

  PR:		199678
  Submitted by:	Jason Unovitch
  Approved by:	maintainer (marino)

Changes:
  head/security/wpa_supplicant/Makefile
  head/security/wpa_supplicant/files/patch-src_p2p_p2p.c
Comment 4 John Marino freebsd_committer freebsd_triage 2015-04-25 06:20:37 UTC
Thanks!
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2015-04-25 13:08:01 UTC
Created attachment 155972 [details]
security/vuxml entry for wpa_supplicant < 2.4_1

Thanks John for the quick fix.  For completeness, here's a security/vuxml entry and my console log showing validation below.


jason@xts-bsd:~/vuxml % make validate
/bin/sh /usr/home/jason/vuxml/files/tidy.sh "/usr/home/jason/vuxml/files/tidy.xsl" "/usr/home/jason/vuxml/vuln.xml" > "/usr/home/jason/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/home/jason/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/home/jason/vuxml/files/extra-validation.py

jason@xts-bsd:~/vuxml % env PKG_DBDIR=/home/jason/vuxml pkg audit
wpa_supplicant-2.4
wpa_supplicant-2.4 is vulnerable:
wpa_supplicant -- P2P SSID processing vulnerability
CVE: CVE-2015-1863
WWW: http://vuxml.FreeBSD.org/freebsd/cb9d2fcd-eb47-11e4-b03e-002590263bf5.html

1 problem(s) in the installed packages found.

jason@xts-bsd:~/vuxml % env PKG_DBDIR=/home/jason/vuxml pkg audit
wpa_supplicant-2.4_1
0 problem(s) in the installed packages found.
jason@xts-bsd:~/vuxml %
Comment 6 commit-hook freebsd_committer freebsd_triage 2015-04-25 14:02:19 UTC
A commit references this bug:

Author: marino
Date: Sat Apr 25 14:02:13 UTC 2015
New revision: 384729
URL: https://svnweb.freebsd.org/changeset/ports/384729

Log:
  security/wpa_supplicant: Add USES=CPE

  I just realized that I fixed a CVE bug but WPA Supplicant was never
  provided any CPE information.  Fix, bump, and reference previous PR.

  PR:		199678

Changes:
  head/security/wpa_supplicant/Makefile
Comment 7 Jason Unovitch freebsd_committer freebsd_triage 2015-04-26 15:03:12 UTC
John,
Any comments on getting the security/vuxml patch applied as well so 'pkg audit' works?  Sorry for not having that patch in the PR at submission time.

Jason
Comment 8 John Marino freebsd_committer freebsd_triage 2015-04-26 15:05:47 UTC
I didn't notice it.

Is it tested?  How can I test it?
Comment 9 Jason Unovitch freebsd_committer freebsd_triage 2015-04-26 15:09:02 UTC
My tests were in PR comment 5 above.  It's the "security/vuxml entry ..." patch.  The instructions for adding entries and testing the entries are at the top of 'security/vuxml/vuln.xml'.
Comment 10 John Marino freebsd_committer freebsd_triage 2015-04-26 15:43:13 UTC
When I install the patch, it validates and it showed 2.4 as vulnerable, but it also shows 2.4_2 as vulnerable.

So I confirmed vuxml less-than 2.4, and I confirm pkg info shows wpa_supplicant at 2.4_2 so it should not trip but it does.

Can you update to 2.4_2 and see if you see what I am seeing?
Comment 11 Jason Unovitch freebsd_committer freebsd_triage 2015-04-26 16:02:17 UTC
Here's the output from my console.  I'm not seeing it trip on the 2.4_2.  What is the exact output you see?

[root@XPS13] /usr/ports/security/vuxml# grep -A 1 '<name>wpa_supplicant' vuln.xml
       <name>wpa_supplicant</name>
       <range><lt>2.4_1</lt></range>

[root@XPS13] /usr/ports/security/vuxml# pkg info wpa_supplicant | grep Version
Version        : 2.4_2

[root@XPS13] /usr/ports/security/vuxml# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit wpa_supplicant-2.4_2
0 problem(s) in the installed packages found.

[root@XPS13] /usr/ports/security/vuxml# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit wpa_supplicant-2.4_1
0 problem(s) in the installed packages found.

[root@XPS13] /usr/ports/security/vuxml# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit wpa_supplicant-2.4
wpa_supplicant-2.4 is vulnerable:
wpa_supplicant -- P2P SSID processing vulnerability
CVE: CVE-2015-1863
WWW: http://vuxml.FreeBSD.org/freebsd/cb9d2fcd-eb47-11e4-b03e-002590263bf5.html
Comment 12 John Marino freebsd_committer freebsd_triage 2015-04-26 16:12:03 UTC
> pkg audit wpa_supplicant
wpa_supplicant is vulnerable:
Affected versions:
< 2.4_1
wpa_supplicant -- P2P SSID processing vulnerability
CVE: CVE-2015-1863
WWW: http://vuxml.FreeBSD.org/freebsd/cb9d2fcd-eb47-11e4-b03e-002590263bf5.html

1 problem(s) in the installed packages found.
> pkg info wpa_supplicant | grep -i version
Version        : 2.4_2
>


(I had previously copied the proposed vuln.xml to /var/db/pkg)
Comment 13 Jason Unovitch freebsd_committer freebsd_triage 2015-04-26 16:21:33 UTC
Ah, I see now.  I can indeed replicate that if I leave the version number off wpa_supplicant.  It seems in that case 'pkg audit' prints every vulnerability listed for that port.  Try something like 'pkg audit firefox'.

[jason@XPS13] ~% pkg audit wpa_supplicant
wpa_supplicant is vulnerable:
Affected versions:
< 2.4_1
wpa_supplicant -- P2P SSID processing vulnerability
CVE: CVE-2015-1863
WWW: http://vuxml.FreeBSD.org/freebsd/cb9d2fcd-eb47-11e4-b03e-002590263bf5.html

1 problem(s) in the installed packages found.
[jason@XPS13] ~% pkg audit 
... no wpa_supplicant -- below was truncated for brevity ...
php55-5.5.23 is vulnerable:
firefox-37.0.1,1 is vulnerable:
ruby-2.0.0.645,1 is vulnerable:
3 problem(s) in the installed packages found.
Comment 14 John Marino freebsd_committer freebsd_triage 2015-04-26 16:25:47 UTC
ah, ok.  user "error"
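
Added example, not part of the bug thread and not pkg's own code: a small Python model of the behaviour worked out in comments 10 to 13, where a versioned spec is tested against the vuxml range and a bare port name lists every range. The version comparison is a simplified assumption (numeric components, PORTREVISION after "_", PORTEPOCH after ","), and the XML fragment is constructed around the two lines quoted in comment 11.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment: only the <name> and <range> lines are quoted on the page.
VUXML_FRAGMENT = """<package>
  <name>wpa_supplicant</name>
  <range><lt>2.4_1</lt></range>
</package>"""

SYMBOL = {"lt": "<", "le": "<=", "eq": "==", "ge": ">=", "gt": ">"}
TEST = {
    "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b,
}

def parse_version(text):
    """'2.4_1' -> (0, (2, 4), 1): (PORTEPOCH, version numbers, PORTREVISION)."""
    text, _, epoch = text.partition(",")
    text, _, revision = text.partition("_")
    numbers = tuple(int(n) for n in re.findall(r"\d+", text))
    return (int(epoch or 0), numbers, int(revision or 0))

def load_ranges(xml_text):
    """Map each package name to its list of ranges; a range is [(op, bound)]."""
    package = ET.fromstring(xml_text)
    ranges = [[(b.tag, b.text) for b in r] for r in package.findall("range")]
    return {n.text: ranges for n in package.findall("name")}

def audit(spec, db):
    """Return (flagged, affected_ranges) for 'name-version' or a bare 'name'."""
    if spec in db:
        # Bare name: there is no version to test, so every range is listed.
        hits = db[spec]
    else:
        name, _, version = spec.rpartition("-")
        if name not in db:
            return (False, [])
        installed = parse_version(version)
        # A range matches only if all of its bounds hold for this version.
        hits = [r for r in db[name]
                if all(TEST[op](installed, parse_version(b)) for op, b in r)]
    text = [", ".join(f"{SYMBOL[op]} {b}" for op, b in r) for r in hits]
    return (bool(hits), text)

DB = load_ranges(VUXML_FRAGMENT)

if __name__ == "__main__":
    for spec in ("wpa_supplicant-2.4", "wpa_supplicant-2.4_1",
                 "wpa_supplicant-2.4_2", "wpa_supplicant"):
        print(spec, audit(spec, DB))
```

When checking a new vuxml entry, pass the full name-version string for both the last vulnerable and the first fixed package, as comment 11 does, so the range boundary itself is what gets tested.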
Comment 15 commit-hook freebsd_committer freebsd_triage 2015-04-26 16:33:34 UTC
A commit references this bug:

Author: marino
Date: Sun Apr 26 16:32:35 UTC 2015
New revision: 384800
URL: https://svnweb.freebsd.org/changeset/ports/384800

Log:
  security/vuxml: Add entry for security/wpa_supplicant

  Security:	CVE-2015-1863
  PR:		199678

Changes:
  head/security/vuxml/vuln.xml