authorAndrew Geissler <geissonator@yahoo.com>2021-04-15 23:53:51 +0300
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2021-04-19 16:32:18 +0300
commite34f89623c246d261efb7fd0f2ce4a30b10bd59d (patch)
treef61e6dd5e5fc96c077c7bf85bb78c55a4c777bbd /meta-openembedded/meta-oe/recipes-connectivity/hostapd
parentf1e440673465aa768f31e78c0c201002f9f767b7 (diff)
meta-openembedded: subtree update:da393545a2..08c0280b7c
Andreas Müller (8): networkmanager-openvpn: Fix packageing mousepad: upgrade 0.5.3 -> 0.5.4 xfce4-battery-plugin: upgrade 1.1.3 -> 1.1.4 gigolo: upgrade 0.5.1 -> 0.5.2 thunar: upgrade 4.16.4 -> 4.16.6 poppler: upgrade 21.03.0 -> 21.04.0 catfish: add python3-dbus to RDEPENDS fluidsynth: upgrade 2.1.7 -> 2.2.0 Andrew Geissler (1): nodejs: ppc64le machine support Awais Belal (1): libnet-ssleay-perl: add rdep on perl-module-autoloader Hermes Zhang (1): gpsd: backport d-bus message time patch from upstream Hongxu Jia (1): debootstrap: 1.0.67 -> 1.0.123 Kamil Dziezyk (1): bats: upgrade 1.1.0 -> 1.3.0 Kartikey Rameshbhai Parmar (1): fluidsynth: update SRC_URI to remove non-existing 2.1.x branch Khem Raj (12): mariadb: Fix build on newer 32bit architectures iwd: Upgade to 1.13 libmanette: Add recipe pidgin-sipe: Fix build with glib-2.0 >= 2.68 gjs: Fix build with gcc11 poppler: Backport patches to fix build with glib-2.0 2.68+ and GCC11 opencv: Upgrade to 5.4.2 Revert "iwd: Upgade to 1.13" core-image-minimal-xfce: Use graphical.target as default tbb: Fix build with musl vnstat: Disable install parallism to fix a potential install race open-vm-tools: Fix build with gcc 11 Leon Anavi (57): python3-sqlalchemy: Upgrade 1.4.3 -> 1.4.4 python3-bitarray: Upgrade 1.8.1 -> 1.8.2 python3-httplib2: Upgrade 0.19.0 -> 0.19.1 python3-parso: Upgrade 0.8.1 -> 0.8.2 python3-matplotlib: Upgrade 3.3.4 -> 3.4.1 python3-pyroute2: Upgrade 0.5.15 -> 0.5.16 python3-h5py: Upgrade 3.1.0 -> 3.2.1 python3-cheetah: Upgrade 3.2.6 -> 3.2.6.post1 python3-google-api-python-client: Upgrade 2.0.2 -> 2.1.0 python3-xlsxwriter: Upgrade 1.3.7 -> 1.3.8 python3-pymisp: Upgrade 2.4.140 -> 2.4.141 python3-tqdm: Upgrade 4.58.0 -> 4.59.0 python3-contextlib2: Upgrade 0.6.0 -> 0.6.0.post1 python3-typeguard: Upgrade 2.11.1 -> 2.12.0 python3-decorator: Upgrade 4.4.2 -> 5.0.1 python3-pillow: Upgrade 8.1.2 -> 8.2.0 python3-aiohttp: Upgrade 3.7.4 -> 3.7.4.post0 python3-networkx: Upgrade 2.5 -> 2.5.1 python3-pysonos: Upgrade 
0.0.40 -> 0.0.41 python3-docutils: Upgrade 0.16 -> 0.17 python3-bitarray: Upgrade 1.8.2 -> 1.9.0 python3-regex: Upgrade 2021.3.17 -> 2021.4.4 python3-sqlalchemy: Upgrade 1.4.4 -> 1.4.5 python3-pychromecast: Upgrade 9.1.1 -> 9.1.2 python3-decorator: Upgrade 5.0.1 -> 5.0.5 python3-pymisp: Upgrade 2.4.141 -> 2.4.141.1 python3-pyroute2: Upgrade 0.5.16 -> 0.5.17 python3-transitions: Upgrade 0.8.7 -> 0.8.8 python3-sqlalchemy: Upgrade 1.4.5 -> 1.4.6 python3-bitarray: Upgrade 1.9.0 -> 1.9.1 python3-pysonos: Upgrade 0.0.41 -> 0.0.42 python3-django: Upgrade 3.1.7 -> 3.2 python3-tqdm: Upgrade 4.59.0 -> 4.60.0 python3-xmlschema: Upgrade 1.5.3 -> 1.6.0 python3-ruamel-yaml: Upgrade 0.17.2 -> 0.17.4 python3-croniter: Upgrade 1.0.10 -> 1.0.11 python3-decorator: Upgrade 5.0.5 -> 5.0.6 python3-grpcio-tools: Upgrade 1.36.1 -> 1.37.0 python3-speedtest-cli: Upgrade 2.1.2 -> 2.1.3 python3-python-vlc: Upgrade 3.0.11115 -> 3.0.12117 python3-robotframework: Upgrade 4.0 -> 4.0.1 python3-grpcio: Upgrade 1.36.1 -> 1.37.0 python3-cerberus: Upgrade 1.3.2 -> 1.3.3 python3-humanize: Upgrade 3.3.0 -> 3.4.0 python3-monotonic: Upgrade 1.5 -> 1.6 python3-sqlalchemy: Upgrade 1.4.6 -> 1.4.7 python3-typed-ast: Upgrade 1.4.2 -> 1.4.3 python3-backports-functools-lru-cache: Upgrade 1.6.3 -> 1.6.4 python3-xmlschema: Upgrade 1.6.0 -> 1.6.1 python3-pyroute2: Upgrade 0.5.17 -> 0.5.18 python3-sympy: Upgrade 1.7.1 -> 1.8 python3-pandas: Upgrade 1.2.3 -> 1.2.4 python3-humanize: Upgrade 3.4.0 -> 3.4.1 python3-decorator: Upgrade 5.0.6 -> 5.0.7 python3-colorlog: Upgrade 4.8.0 -> 5.0.1 python3-google-api-python-client: Upgrade 2.1.0 -> 2.2.0 python3-croniter: Upgrade 1.0.11 -> 1.0.12 Martin Jansa (13): packagegroup-meta-oe: include glfw, icewm, geis only with x11 in DISTRO_FEATURES phonet-utils: remove packagegroup-meta-oe: use 4 spaces for identation telepathy-glib: respect GI_DATA_ENABLED when enabling vala-bindings uml-utilities: fix installed-vs-shipped with usrmerge libsmi: use /bin/sh instead of 
${base_bindir}/sh to silence QA error with usrmerge libyui: switch to libyui-old repo which still has this SRCREV libyui(-ncurses): upgrade to 4.1.1, libyui repo was rewritten completely android-tools: use PN instead of BPN in RDEPENDS pidgin-sipe: fix g_memdup2 changes to be backwards compatible with glib-1.67 pidgin: upgrade to 2.14.2 opencv: fetch wechat_qrcode files used by dnn PACKAGECONFIG opencv: link sfm module with Glog Mingli Yu (2): freeradius: Upgrade to 3.0.21 hostapd: fix CVE-2021-0326 and CVE-2021-27803 Naveen Saini (2): tbb: upgrade 2020.3 -> 2021.2.0 ocl-icd: upgrade 2.2.14 -> 2.3.0 Randy MacLeod (2): doxygen: Upgrade 1.8.20 -> 1.9.1 open-vm-tools: upgrade 11.0.1 -> 11.2.5 Ross Burton (1): fwts: upgrade to 21.03.00 Stefan Ghinea (1): hostapd: fix CVE-2021-30004 Vinicius Aquino (1): networkmanager: upgrade 1.28.0 -> 1.30.2 Vinícius Ossanes Aquino (2): modemmanager: upgrade 1.14.10 -> 1.16.2 libqmi: upgrade 1.26.6 -> 1.28.2 Yi Fan Yu (2): rsyslog: fix some of the ptests redis: upgrade 6.0.9 -> 6.2.1 hasan.men (2): librdkafka: Add initial recipe v1.6.1 libcppkafka: Add initial recipe for cppkafka wrapper persianpros (5): PEP8 double aggressive E701, E70 and E502 PEP8 double aggressive E20 and E211 PEP8 double aggressive E22, E224, E241, E242 and E27 PEP8 double aggressive E301 ~ E306 PEP8 double aggressive W291 ~ W293 and W391 wangmy (2): mariadb: upgrade 10.5.8 -> 10.5.9 uftrace: Fix error on aarch64 when binutils update to 2.35.1 zangrc (14): gnome-autoar: upgrade 0.2.4 -> 0.3.1 emacs: upgrade 27.1 -> 27.2 fbgrab: upgrade 1.4 -> 1.5 ostree: upgrade 2020.8 -> 2021.1 zabbix: upgrade 5.2.5 -> 5.2.6 libxaw: upgrade 1.0.13 -> 1.0.14 mosquitto: upgrade 2.0.9 -> 2.0.10 nbdkit: upgrade 1.25.4 -> 1.25.5 stunnel: upgrade 5.58 -> 5.59 usbredir: upgrade 0.8.0 -> 0.9.0 hwdata: upgrade 0.345 -> 0.346 live555: upgrade 20210322 -> 20210406 rabbitmq-c: upgrade 0.10.0 -> 0.11.0 xterm: upgrade 366 -> 367 zhengruoqin (7): fetchmail: upgrade 6.4.17 -> 6.4.18 lldpd: 
upgrade 1.0.4 -> 1.0.8 networkmanager-openvpn: upgrade 1.8.12 -> 1.8.14 snort: upgrade 2.9.17 -> 2.9.17.1 python3-absl: upgrade 0.10.0 -> 0.12.0 python3-astroid: upgrade 2.5.2 -> 2.5.3 python3-bitarray: upgrade 1.9.1 -> 1.9.2 Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: I1f0f809aeda70e82140fec5e3310cbf89c760ad4
Diffstat (limited to 'meta-openembedded/meta-oe/recipes-connectivity/hostapd')
-rw-r--r--meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch43
-rw-r--r--meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch54
-rw-r--r--meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch123
-rw-r--r--meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb3
4 files changed, 223 insertions, 0 deletions
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
new file mode 100644
index 0000000000..54c405b539
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
@@ -0,0 +1,43 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+CVE: CVE-2021-0326
+
+Upstream-Status: Backport
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index 74b7b52ae..5cbfc217f 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+ dev->info.config_methods = cli->config_methods;
+ os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+ dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+ os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+ dev->info.wps_sec_dev_type_list_len);
+ }
+--
+2.17.1
+
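Review bot: The `Upstream-Status: Backport` line in this new patch file gives no pointer to the upstream commit, and CVE-2021-27803.patch has the same gap, whereas CVE-2021-30004.patch names its source in a "Reference to upstream patch" line. Without that pointer, a later audit cannot quickly confirm that the carried fix matches the upstream change. If the hash in the `From` header is the upstream hostap commit (inferred, not shown on this page), the line could read `Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]`. Separately, the clamp is only sufficient if `dev->info.wps_sec_dev_type_list` holds at least `WPS_SEC_DEV_TYPE_MAX_LEN` bytes, and that declaration lies outside this hunk, as does the start of p2p_copy_client_info.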
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
new file mode 100644
index 0000000000..fedff76b18
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
@@ -0,0 +1,54 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+CVE: CVE-2021-27803
+
+Upstream-Status: Backport
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec03f..05fd59349 100644
+--- a/src/p2p/p2p_pd.c
++++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+ goto out;
+ }
+
++ dev = p2p_get_device(p2p, sa);
+ if (!dev) {
+- dev = p2p_get_device(p2p, sa);
+- if (!dev) {
+- p2p_dbg(p2p,
+- "Provision Discovery device not found "
+- MACSTR, MAC2STR(sa));
+- goto out;
+- }
++ p2p_dbg(p2p,
++ "Provision Discovery device not found "
++ MACSTR, MAC2STR(sa));
++ goto out;
+ }
+ } else if (msg.wfd_subelems) {
+ wpabuf_free(dev->info.wfd_subelems);
+--
+2.17.1
+
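Review bot: The now-unconditional `dev = p2p_get_device(p2p, sa);` carries no comment explaining why the lookup must be repeated, so a later cleanup could restore the `if (!dev)` guard and reintroduce the stale pointer. A comment above it such as `/* p2p_add_device() may evict the oldest peer entry, so always re-fetch dev here */` would record the reason given in the patch description. This patch file also lacks a Signed-off-by from whoever backported it, unlike the other two patches added in this commit. The body of p2p_process_prov_disc_req starts and ends outside the hunk, so the p2p_add_device() call itself is not visible here.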
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch
new file mode 100644
index 0000000000..e2540fc26b
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/tls/pkcs1.c | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
++++ b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++ hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "PKCS #1: Unexpected digest algorithm parameters");
++ os_free(decrypted);
++ return -1;
++ }
+
+ if (!asn1_oid_equal(&oid, hash_alg)) {
+ char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
++++ b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "X509: Unexpected digest algorithm parameters");
++ os_free(data);
++ return -1;
++ }
+
+ if (x509_sha1_oid(&oid)) {
+ if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+--
+2.17.1
+
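Review bot: Both new parameter checks call `asn1_is_null()`, but this patch touches only src/tls/pkcs1.c and src/tls/x509v3.c and does not define that helper. If the hostapd 2.9 tree does not already provide it (not visible from this page), any build that compiles src/tls will fail. That is presumably only a configuration using the internal TLS implementation, so a default build may not reveal the problem. Confirm with a build using `CONFIG_TLS=internal`, and if the helper is missing, carry its upstream definition in this same patch file. This applies to both the pkcs1_v15_sig_ver and x509_check_signature hunks, and both function bodies continue outside the hunks.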
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index 1f38eee0ff..e586018685 100644
--- a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -13,6 +13,9 @@ SRC_URI = " \
file://hostapd.service \
file://CVE-2019-16275.patch \
file://CVE-2019-5061.patch \
+ file://CVE-2021-0326.patch \
+ file://CVE-2021-27803.patch \
+ file://CVE-2021-30004.patch \
"
SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"