Bug 1219449 (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146 wpa_supplicant and hostapd: EAP-pwd missing payload length validation | | |
| Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | carnil, dcbw, linville, negativo17, rkhan |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | hostapd 2.5, wpa_supplicant 2.5 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-05-13 13:33:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1219452, 1219453, 1219454, 1219455 | | |
| Bug Blocks: | 1219461 | | |
Description

Martin Prpič 2015-05-07 11:56:07 UTC

Created hostapd tracking bugs for this issue:
Affects: fedora-all [bug 1219453]
Affects: epel-6 [bug 1219454]
Affects: epel-7 [bug 1219455]

Created wpa_supplicant tracking bugs for this issue:
Affects: fedora-all [bug 1219452]

We are not enabling the option with the reported problem.

Upstream commits:
http://w1.fi/cgit/hostap/commit/?id=dd2f043c9c43d156494e33d7ce22db96e6ef42c7
http://w1.fi/cgit/hostap/commit/?id=e28a58be26184c2a23f80b410e0997ef1bd5d578
http://w1.fi/cgit/hostap/commit/?id=477c74395acd0123340457ba6f15ab345d42016e
http://w1.fi/cgit/hostap/commit/?id=3035cc2894e08319b905bd6561e8bddc8c2db9fa
http://w1.fi/cgit/hostap/commit/?id=28a069a545b06b99eb55ad53f63f2c99e65a98f6

Affected code does not exist in wpa_supplicant versions in Red Hat Enterprise Linux 6 and earlier. The wpa_supplicant packages in Red Hat Enterprise Linux 7, and the wpa_supplicant and hostapd packages in Fedora and Fedora EPEL, are not built with the CONFIG_EAP_PWD configuration option and hence are also unaffected.

Statement: Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 5, 6, and 7.

I fear however that if we get a request to add EAP-PWD in the future, we'll miss this security fix and just add CONFIG_EAP_PWD to the build config and re-introduce the vulnerability... It's unlikely that we'll rebase the supplicant (and thus pick up the fix) due to the QE impact of doing so.

Four CVEs were assigned to fixes under this upstream advisory. Quoting from: http://seclists.org/oss-sec/2015/q2/595

"""
Use CVE-2015-4143 for the "The length of the received Commit and Confirm message payloads was not checked before reading them. This could result in a buffer read overflow when processing an invalid message." issues in both 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch and 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch.

Use CVE-2015-4144 for "The remaining number of bytes in the message could be smaller than the Total-Length field size, so the length needs to be explicitly checked prior to reading the field and decrementing the len variable. This could have resulted in the remaining length becoming negative and interpreted as a huge positive integer." in both 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch.

Use CVE-2015-4145 for "check that there is no already started fragment in progress before allocating a new buffer for reassembling fragments. This avoids a potential memory leak when processing invalid message." in both 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch and 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch.

Use CVE-2015-4146 for 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch.
"""
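As an added illustration (not hostapd or wpa_supplicant code), the following C function reassembles EAP-pwd fragments with the checks the quoted advisory text describes: the Total-Length field is read only after confirming two bytes remain so the length can never underflow, a new reassembly buffer is refused while one is already in progress so the old buffer is not leaked, and fragment data is bounded by the announced size. The L (0x80) and M (0x40) flag positions follow RFC 5931; the 4096-byte cap, the function names and the sample fragments are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EAP_PWD_L_BIT 0x80      /* Total-Length field present (first fragment) */
#define EAP_PWD_M_BIT 0x40      /* more fragments follow */
#define EAP_PWD_MAX_TOTAL 4096  /* assumed cap on a reassembled message */

struct pwd_reasm {
    uint8_t *buf;   /* NULL while no reassembly is in progress */
    size_t total;   /* Total-Length announced by the first fragment */
    size_t used;    /* bytes received so far */
};

void pwd_reasm_reset(struct pwd_reasm *st)
{
    free(st->buf); st->buf = NULL; st->total = st->used = 0;
}

/* data/len: EAP-pwd payload starting at the L/M/PWD-Exch octet.
 * Returns 1 when a complete message sits in st->buf (st->used bytes),
 * 0 when more fragments are expected, -1 when the packet is rejected. */
int eap_pwd_process(struct pwd_reasm *st, const uint8_t *data, size_t len)
{
    size_t total = 0;
    if (len < 1) return -1;
    uint8_t lm = data[0];
    data++, len--;
    if (lm & EAP_PWD_L_BIT) {
        if (len < 2) return -1;   /* verify before reading Total-Length: len never underflows */
        if (st->buf) return -1;   /* reassembly already running: do not leak its buffer */
        total = ((size_t)data[0] << 8) | data[1];
        data += 2, len -= 2;
    } else if (!st->buf) {
        if (lm & EAP_PWD_M_BIT) return -1;  /* a first fragment must carry Total-Length */
        total = len;                         /* unfragmented message */
    }
    if (!st->buf) {   /* start a new (or single-packet) message */
        if (total == 0 || total > EAP_PWD_MAX_TOTAL) return -1;
        if (!(st->buf = malloc(total))) return -1;
        st->total = total; st->used = 0;
    }
    /* fragment data must fit the announced size */
    if (len > st->total - st->used) { pwd_reasm_reset(st); return -1; }
    memcpy(st->buf + st->used, data, len);
    st->used += len;
    if (lm & EAP_PWD_M_BIT) return 0;
    /* final fragment: the message must be exactly Total-Length bytes long */
    if (st->used != st->total) { pwd_reasm_reset(st); return -1; }
    return 1;
}
```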