Bug 1070482 (reaver-wps)
Summary: | Review Request: reaver - Brute force attack against Wifi Protected Setup
---|---
Product: | [Fedora] Fedora
Component: | Package Review
Version: | rawhide
Hardware: | All
OS: | Linux
Status: | CLOSED ERRATA
Severity: | medium
Priority: | unspecified
Reporter: | James Wilson Harshaw IV <jwharshaw>
Assignee: | Jaroslav Škarvada <jskarvad>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | dcbw, gwync, itamar, jskarvad, jwharshaw, mail, olegon, package-review, pahan, rebus
Flags: | jskarvad: fedora-review+, gwync: fedora-cvs+
Fixed In Version: | reaver-1.4-3.el7
Doc Type: | Bug Fix
Last Closed: | 2015-06-25 16:29:35 UTC
Bug Blocks: | 563471

Description
James Wilson Harshaw IV
2014-02-26 23:27:25 UTC
Hi,

Can you set up your _real name_ in bugzilla? Currently it's only an email address.

Also for new packagers, please follow the steps described at:

http://fedoraproject.org/wiki/Join_the_package_collection_maintainers#Introduce_yourself
https://fedoraproject.org/wiki/How_to_get_sponsored_into_the_packager_group

Thanks.

I think I've pointed out that this package bundles libraries, please solve them.

Many libraries are modified specifically for this program, what shall I do about them?

(In reply to Christopher Meng from comment #2)
> I think I've pointed out that this package bundles libraries, please solve
> them.

* https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
* https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Standard_questions

(In reply to Michael Schwendt from comment #5)
> * https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
> * https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Standard_questions

Noted, contacted upstream for list of modified libraries.

Hi,

unfortunately I packaged reaver in parallel :) So at least I can share my patches and observations.

It seems reaver is bundling wireless-tools and wpa_supplicant. I wasn't able to detect any relevant changes of the wireless-tools, so I unbundled it. Regarding wpa_supplicant I am afraid it is not possible to unbundle it. There is no library we could link to, the part of the code is there used like copylib.

In case you are interested, my spec, srpm with patches:
http://fedorapeople.org/~jskarvad/reaver/

Feel free to cherrypick anything you need from it. Also I could help you co-maintain the package.

(In reply to Jaroslav Škarvada from comment #7)
> Hi,
>
> unfortunately I packaged reaver in parallel :) So at least I can share my
> patches and observations.
>
> It seems reaver is bundling wireless-tools and wpa_supplicant. I wasn't able
> to detect any relevant changes of the wireless-tools, so I unbundled it.
> Regarding wpa_supplicant I am afraid it is not possible to unbundle it.
> There is no library we could link to, the part of the code is there used
> like copylib.
>
> In case you are interested, my spec, srpm with patches:
> http://fedorapeople.org/~jskarvad/reaver/
>
> Feel free to cherrypick anything you need from it. Also I could help you
> co-maintain the package.

No problem at all! I had also come to the realization that we couldn't unbundle the modified wpa_supplicant since it is integral to the functioning of reaver. I would love to co-maintain the package with you! We now just need to go on and make a case for the bundled (and modified) wpa_supplicant. Feel free to email me.

-James

(In reply to James Wilson Harshaw IV from comment #8)

According to [1] I think we need:

Provides: bundled(wpa_supplicant) = 0.7.3

I will create FESCO ticket for bundling exception. Also I will take the review.

[1] https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Requirement_if_you_bundle

Wunderbar.

I think I currently cannot sponsor you, but I will try to become sponsor (I am already proven packager). I will open another ticket :)

Thank you so much :)

We need reply to the following question: Whether the bundled wpa_supplicant code was modified and if yes, how it was modified. I need it to open the FPC ticket.

James, I noticed, you have already contacted upstream, could you ask them this question? Thanks.

Also CCing wpa_supplicant maintainer in case he would have any comments.

I have contacted upstream a while ago asking that question, and have yet to receive a response. I will try again though. It does state in the README that "The following files have been taken from wpa_supplicant. Some have been modified from their original sources:

o common/*
o crypto/*
o tls/*
o utils/*
o wps/*
" but does not state which were modified. We could possibly just take those specific files from wpa_supplicant and see what code differs.

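The comparison proposed above (take the directories the README lists and see which files differ from wpa_supplicant), as an added example that is not part of the original thread or of reaver. The `index`, `audit` and `demo` names and the sample trees are constructed for illustration; real use would point `audit` at the reaver source tree and an unpacked wpa_supplicant 0.7.3 source tree.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories the README names as taken from wpa_supplicant.
BUNDLED_DIRS = ("common", "crypto", "tls", "utils", "wps")

def index(root, subdirs=BUNDLED_DIRS):
    """Map relative path -> SHA-256 for every file under the listed subdirs."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for d in subdirs if (root / d).is_dir()
        for p in (root / d).rglob("*") if p.is_file()
    }

def audit(bundled_root, upstream_root):
    """Classify each bundled file against the pristine upstream tree."""
    ours, theirs = index(bundled_root), index(upstream_root)
    shared = ours.keys() & theirs.keys()
    return {
        "modified": sorted(f for f in shared if ours[f] != theirs[f]),
        "identical": sorted(f for f in shared if ours[f] == theirs[f]),
        "added": sorted(ours.keys() - theirs.keys()),
        "dropped": sorted(theirs.keys() - ours.keys()),
    }

def demo():
    """Run the audit on two small constructed trees (not real reaver sources)."""
    tmp = Path(tempfile.mkdtemp())
    sample = {  # constructed file names and contents
        "upstream/crypto/sample_a.c": "/* upstream version */\n",
        "bundled/crypto/sample_a.c": "/* locally patched version */\n",
        "upstream/utils/sample_b.c": "/* unchanged */\n",
        "bundled/utils/sample_b.c": "/* unchanged */\n",
        "upstream/tls/sample_c.c": "/* not copied into the bundle */\n",
        "bundled/wps/sample_d.c": "/* only in the bundle */\n",
    }
    for name, text in sample.items():
        path = tmp / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return audit(tmp / "bundled", tmp / "upstream")

if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The "modified" and "added" lists are the files a reviewer then reads line by line to decide whether a bundling exception is justified.
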
(In reply to Jaroslav Škarvada from comment #11)
> I think I currently cannot sponsor you, but I will try to become sponsor (I
> am already proven packager). I will open another ticket :)

Ticket:
https://fedorahosted.org/packager-sponsors/ticket/125

I am sponsor now. I will add "sponsored" status to your FAS account once we progress through this review.

Created attachment 883600
wpa_supplicant -> reaver diff

By looking into the code, I can confirm there is bundled wpa_supplicant 0.7.3. It cannot be easily unbundled, because it is not a library and reaver modded it in a way that allows extraction of credentials, forces usage of small DH keys for fast computation on the AP side, etc. I doubt these changes could ever get upstream, because some of them are there to weaken the security, but the goal of the wpa_supplicant is the opposite. Attaching diff with the Fedora wpa_supplicant 0.7.3.

By looking into the reaver source code and comparing it with the wireless-tools-29 I cannot find any differences, thus I think it can be safely unbundled as I did in comment 7 (but I haven't checked the functionality of the resulting binary :).

James, please provide new spec/srpm with unbundled wireless-tools and with "Provides: bundled(wpa_supplicant) = 0.7.3". Also please consider moving reaver state file from the /etc to the /var as I also did in comment 7.

FPC ticket for bundling exception:
https://fedorahosted.org/fpc/ticket/418

(In reply to Jaroslav Škarvada from comment #21)
> FPC ticket for bundling exception:
> https://fedorahosted.org/fpc/ticket/418

Bundling exception got approved, see the ticket above for details.

absal0m: ping, could you provide updated spec/srpm?

Apologies, have been away for a while. Glad to hear it has been approved! I will get right on the updated spec/srpm.

any news about this ?

(In reply to Itamar Reis Peixoto from comment #24)
> any news about this ?

Will hopefully be done before Saturday.

Fixed assignee.

(In reply to James Wilson Harshaw IV from comment #25)
> (In reply to Itamar Reis Peixoto from comment #24)
> > any news about this ?
>
> Will hopefully be done before Saturday.

Please upload new SPEC and SRPM.

SPEC : https://drive.google.com/file/d/0B9pYRhIhuHiqTkdzb2dTc1V3d1E/view?usp=sharing
SRPM : https://drive.google.com/file/d/0B9pYRhIhuHiqbW9BTlNibE5aY0k/view?usp=sharing

Sorry for the google drive location, will be setting up fedora hosted. Build tested, functionality remains intact after modifications.

(In reply to James Wilson Harshaw IV from comment #28)

Thanks, found issues:

- you need to bump release if doing changes and adding changelog entry, i.e. change "Release: 1%{?dist}" to "Release: 2%{?dist}" and change the release in changelog appropriately, i.e.:
  * Fri Nov 14 2014 James W. Harshaw <jwharshaw> - 1.4-2

- Please add newline before %description and between changelog entries.

- Please add link to FPC ticket with bundling exception (according to [1]), i.e. add the following comment:
  # https://fedorahosted.org/fpc/ticket/418
  Provides: bundled(wpa_supplicant) = 0.7.3

Please upload updated SPEC and SRPM.

[1] https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Requirement_if_you_bundle

Created attachment 961379
reaver SPEC

New reaver SPEC file

Created attachment 961380
Reaver SRPM

New reaver SRPM

Thanks. The only blocker remaining now:

- there is inconsistent release and changelog, please change:
  Release: 1%{?dist}
  to
  Release: 2%{?dist}

The release number must be consistent with the changelog, there is 1.4-2 in the changelog, the number after the dash (2) is the release.

Please re-upload updated SPEC and SRPM.

(In reply to Jaroslav Škarvada from comment #32)
> Thanks. The only blocker remaining now:
>
> - there is inconsistent release and changelog, please change:
> Release: 1%{?dist}
> to
> Release: 2%{?dist}
>
> The release number must be consistent with the changelog, there is 1.4-2 in
> the changelog, the number after the dash (2) is the release.
>
> Please re-upload updated SPEC and SRPM.

SPEC: https://truck.it/p/0jUIzy9rD8
SRPM: https://truck.it/p/xBlu8Jl38L

wrong SRPM link: https://truck.it/p/wR5bEYqbVV

I cannot see any problem now, approving.

New Package SCM Request
=======================
Package Name: reaver
Short Description: Brute force attack against Wifi Protected Setup
Upstream URL: http://code.google.com/p/reaver-wps/
Owners: absal0m, jskarvad
Branches: f20 f21 f22 el6 epel7
InitialCC:

WARNING: Requested package name reaver doesn't match bug summary reaver-wps

(In reply to Jon Ciesla from comment #37)
> WARNING: Requested package name reaver doesn't match bug summary reaver-wps

New Package SCM Request
=======================
Package Name: reaver-wps
Short Description: Brute force attack against Wifi Protected Setup
Upstream URL: http://code.google.com/p/reaver-wps/
Owners: absal0m, jskarvad
Branches: f20 f21 f22 el6 epel7
InitialCC:

Changed SPEC and SRPM to reflect package name reaver-wps. As seen above SCM request was also modified accordingly.

Git done (by process-git-requests).

Package Change Request
======================
Package Name: reawer-wps

I would like to rename the package to 'reaver'. I think this name is more appropriate. Debian and Gentoo also use this name. Source archive and binaries are also named 'reaver'. I think it should be safely renamed in git, because there haven't been any successful builds since import and it is not in repo. I am reviewer, co-maintainer.

I am going to rename this review request to stay in sync.

(In reply to Jaroslav Škarvada from comment #41)

Package Change Request
======================
Package Name: reaver

So this is probably the right request, for details see comment 41.

Misformatted request.

(In reply to Jon Ciesla from comment #43)
> Misformatted request.

???

I proceeded according to https://fedoraproject.org/wiki/Package_SCM_admin_requests

> If you need other special changes done which cannot be handled by the template
> field, such as a package that was created with the wrong name that has never
> been imported or built, or otherwise out of the scope of the template please
> state your desire and justification below the template in your Bugzilla
> comment.

So what's misformatted?

The last request must be complete, not simply a single field, so copy and paste the original, modify what you need, and reset the flag.

Package Change Request
=======================
Package Name: reaver
Short Description: Brute force attack against Wifi Protected Setup
Upstream URL: http://code.google.com/p/reaver-wps/
Owners: absal0m, jskarvad
Branches: f20 f21 f22 el6 epel7
InitialCC:

Sorry, it needs to be New Package since it doesn't exist yet.

New Package SCM Request
=======================
Package Name: reaver
Short Description: Brute force attack against Wifi Protected Setup
Upstream URL: http://code.google.com/p/reaver-wps/
Owners: absal0m, jskarvad
Branches: f20 f21 f22 el6 epel7
InitialCC:

Git done (by process-git-requests).

(In reply to Jon Ciesla from comment #49)
> Git done (by process-git-requests).

Thanks, but the current state is still not correct. I wanted to rename reaver-wps to reaver, but currently there is:

reaver
reaver-wps

and both are the same package. Could you delete reaver-wps? It hasn't been successfully built in koji since imported and it is not in repo.

I can't rename it in place, you'll need to do:

https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

on reaver-wps.

reaver-1.4-3.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/reaver-1.4-3.fc22

reaver-1.4-3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/reaver-1.4-3.fc21

reaver-1.4-3.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/reaver-1.4-3.el7

reaver-1.4-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/reaver-1.4-3.el6

reaver-1.4-3.fc22 has been pushed to the Fedora 22 stable repository.

reaver-1.4-3.fc21 has been pushed to the Fedora 21 stable repository.

reaver-1.4-3.el6 has been pushed to the Fedora EPEL 6 stable repository.

reaver-1.4-3.el7 has been pushed to the Fedora EPEL 7 stable repository.