Created attachment 156021 [details] 11-CURRENT patch Apply patch to base for wpa_supplicant P2P SSID processing vulnerability [1][2]. Ports has already been fixed [3]. The CONFIG_P2P option is disabled by default however fix the code anyway so it doesn't get accidentally enabled. This follows DragonFly BSD in applying it even though P2P is off by default [4]. Noticed by: Kevin McAleavey in the FreeBSD Forums [5] Other comments: - 9.X and 8.X use wpa_supplicant versions earlier than the affected 1.0-2.4 from the advisory. - 10.1-STABLE uses wpa_supplicant 2.0 and should be patched. - 11.0-CURRENT uses wpa_supplicant 2.4 and should be patched. References: [1] Upstream Advisory: http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt [2] Upstream Patch: http://w1.fi/security/2015-1/0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch [3] Ports PR for security/wpa_supplicant (already fixed): https://bugs.freebsd.org/199678 [4] Follow DragonFly BSD in applying the same patch: http://gitweb.dragonflybsd.org/dragonfly.git/commit/584c4a9f0c9071cb62abe9c870a2b08afe746a88 [5] Forum Post https://forums.freebsd.org/threads/patch-for-wpa_supplicant.51368/
Created attachment 156022 [details] 10-STABLE patch
FreeBSD-current list: https://lists.freebsd.org/pipermail/freebsd-current/2015-April/055552.html https://lists.freebsd.org/pipermail/freebsd-current/2015-April/055618.html HardenedBSD: https://github.com/HardenedBSD/hardenedBSD/commit/6776d2a1a7a85efc530973eed6ead15b6674dc6c https://github.com/HardenedBSD/hardenedBSD/commit/e8637bb34a522de516e86e92b9efdb1e1c1964cd
rpaulo@, based off https://reviews.freebsd.org/D2436 it looks the direction here is to not applying patches from upstream since it's not enabled/compiled. Can you confirm that and I'll close the PR? Or go ahead and close as not a bug if you choose.
Yes, I think we can close this bug.
Submitter agrees that this can be closed.