[wpa_supplicant] Use os_exec() for action script execution (CVE-2014-3686)
Daniel Williams
dcbw at fedoraproject.org
Thu Oct 23 00:02:26 UTC 2014
commit 05ce9ccd8e1ba1dca03b0ebae8edaab6dce97b38
Author: Dan Williams <dcbw at redhat.com>
Date: Wed Oct 22 19:02:24 2014 -0500
Use os_exec() for action script execution (CVE-2014-3686)
...d-os_exec-helper-to-run-external-programs.patch | 143 +++++++
...i-Use-os_exec-for-action-script-execution.patch | 67 ++++
... rh1032758-fix-pmksa-cache-entry-clearing.patch | 0
rh948453-man-page.patch | 397 ++++++++++++++++++++
wpa_supplicant.spec | 22 +-
5 files changed, 626 insertions(+), 3 deletions(-)
---
diff --git a/0001-Add-os_exec-helper-to-run-external-programs.patch b/0001-Add-os_exec-helper-to-run-external-programs.patch
new file mode 100644
index 0000000..4b774bd
--- /dev/null
+++ b/0001-Add-os_exec-helper-to-run-external-programs.patch
@@ -0,0 +1,143 @@
+From 89de07a9442072f88d49869d8ecd8d42bae050a0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni at qca.qualcomm.com>
+Date: Mon, 6 Oct 2014 16:27:44 +0300
+Subject: [PATCH 1/2] Add os_exec() helper to run external programs
+
+Signed-off-by: Jouni Malinen <jouni at qca.qualcomm.com>
+---
+ src/utils/os.h | 9 +++++++++
+ src/utils/os_unix.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ src/utils/os_win32.c | 6 ++++++
+ 3 files changed, 70 insertions(+)
+
+diff --git a/src/utils/os.h b/src/utils/os.h
+index f196209..b9247d8 100644
+--- a/src/utils/os.h
++++ b/src/utils/os.h
+@@ -597,14 +597,23 @@ size_t os_strlcpy(char *dest, const char *src, size_t siz);
+ * Returns: Total length of the target string (length of src) (not including
+ * NUL-termination)
+ *
+ * This function matches in behavior with the strlcpy(3) function in OpenBSD.
+ */
+ size_t os_strlcpy(char *dest, const char *src, size_t siz);
+
++/**
++ * os_exec - Execute an external program
++ * @program: Path to the program
++ * @arg: Command line argument string
++ * @wait_completion: Whether to wait until the program execution completes
++ * Returns: 0 on success, -1 on error
++ */
++int os_exec(const char *program, const char *arg, int wait_completion);
++
+
+ #ifdef OS_REJECT_C_LIB_FUNCTIONS
+ #define malloc OS_DO_NOT_USE_malloc
+ #define realloc OS_DO_NOT_USE_realloc
+ #define free OS_DO_NOT_USE_free
+ #define memcpy OS_DO_NOT_USE_memcpy
+ #define memmove OS_DO_NOT_USE_memmove
+diff --git a/src/utils/os_unix.c b/src/utils/os_unix.c
+index 7498967..523a4d0 100644
+--- a/src/utils/os_unix.c
++++ b/src/utils/os_unix.c
+@@ -5,14 +5,15 @@
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+ #include "includes.h"
+
+ #include <time.h>
++#include <sys/wait.h>
+
+ #ifdef ANDROID
+ #include <linux/capability.h>
+ #include <linux/prctl.h>
+ #include <private/android_filesystem_config.h>
+ #endif /* ANDROID */
+
+@@ -550,7 +551,61 @@ char * os_strdup(const char *s)
+ return NULL;
+ os_memcpy(d, s, len);
+ d[len] = '\0';
+ return d;
+ }
+
+ #endif /* WPA_TRACE */
++
++
++int os_exec(const char *program, const char *arg, int wait_completion)
++{
++ pid_t pid;
++ int pid_status;
++
++ pid = fork();
++ if (pid < 0) {
++ perror("fork");
++ return -1;
++ }
++
++ if (pid == 0) {
++ /* run the external command in the child process */
++ const int MAX_ARG = 30;
++ char *_program, *_arg, *pos;
++ char *argv[MAX_ARG + 1];
++ int i;
++
++ _program = os_strdup(program);
++ _arg = os_strdup(arg);
++
++ argv[0] = _program;
++
++ i = 1;
++ pos = _arg;
++ while (i < MAX_ARG && pos && *pos) {
++ while (*pos == ' ')
++ pos++;
++ if (*pos == '\0')
++ break;
++ argv[i++] = pos;
++ pos = os_strchr(pos, ' ');
++ if (pos)
++ *pos++ = '\0';
++ }
++ argv[i] = NULL;
++
++ execv(program, argv);
++ perror("execv");
++ os_free(_program);
++ os_free(_arg);
++ exit(0);
++ return -1;
++ }
++
++ if (wait_completion) {
++ /* wait for the child process to complete in the parent */
++ waitpid(pid, &pid_status, 0);
++ }
++
++ return 0;
++}
+diff --git a/src/utils/os_win32.c b/src/utils/os_win32.c
+index 55937de..57ee132 100644
+--- a/src/utils/os_win32.c
++++ b/src/utils/os_win32.c
+@@ -254,7 +254,13 @@ int os_memcmp_const(const void *a, const void *b, size_t len)
+ *dest = '\0';
+ while (*s++)
+ ; /* determine total src string length */
+ }
+
+ return s - src - 1;
+ }
++
++
++int os_exec(const char *program, const char *arg, int wait_completion)
++{
++ return -1;
++}
+--
+1.9.3
+
diff --git a/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch b/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
new file mode 100644
index 0000000..2ff9301
--- /dev/null
+++ b/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
@@ -0,0 +1,67 @@
+From c5f258de76dbb67fb64beab39a99e5c5711f41fe Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni at qca.qualcomm.com>
+Date: Mon, 6 Oct 2014 17:25:52 +0300
+Subject: [PATCH 2/2] wpa_cli: Use os_exec() for action script execution
+
+Use os_exec() to run the action script operations to avoid undesired
+command line processing for control interface event strings. Previously,
+it could have been possible for some of the event strings to include
+unsanitized data which is not suitable for system() use. (CVE-2014-3686)
+
+Signed-off-by: Jouni Malinen <jouni at qca.qualcomm.com>
+---
+ wpa_supplicant/wpa_cli.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
+index 18b9b77..fe30b41 100644
+--- a/wpa_supplicant/wpa_cli.c
++++ b/wpa_supplicant/wpa_cli.c
+@@ -3155,36 +3155,27 @@ static int str_match(const char *a, const char *b)
+ return os_strncmp(a, b, os_strlen(b)) == 0;
+ }
+
+
+ static int wpa_cli_exec(const char *program, const char *arg1,
+ const char *arg2)
+ {
+- char *cmd;
++ char *arg;
+ size_t len;
+ int res;
+- int ret = 0;
+
+- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
+- cmd = os_malloc(len);
+- if (cmd == NULL)
++ len = os_strlen(arg1) + os_strlen(arg2) + 2;
++ arg = os_malloc(len);
++ if (arg == NULL)
+ return -1;
+- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
+- if (res < 0 || (size_t) res >= len) {
+- os_free(cmd);
+- return -1;
+- }
+- cmd[len - 1] = '\0';
+-#ifndef _WIN32_WCE
+- if (system(cmd) < 0)
+- ret = -1;
+-#endif /* _WIN32_WCE */
+- os_free(cmd);
++ os_snprintf(arg, len, "%s %s", arg1, arg2);
++ res = os_exec(program, arg, 1);
++ os_free(arg);
+
+- return ret;
++ return res;
+ }
+
+
+ static void wpa_cli_action_process(const char *msg)
+ {
+ const char *pos;
+ char *copy = NULL, *id, *pos2;
+--
+1.9.3
+
diff --git a/0001-Fix-OKC-based-PMKSA-cache-entry-clearing.patch b/rh1032758-fix-pmksa-cache-entry-clearing.patch
similarity index 100%
rename from 0001-Fix-OKC-based-PMKSA-cache-entry-clearing.patch
rename to rh1032758-fix-pmksa-cache-entry-clearing.patch
diff --git a/rh948453-man-page.patch b/rh948453-man-page.patch
new file mode 100644
index 0000000..06e95ca
--- /dev/null
+++ b/rh948453-man-page.patch
@@ -0,0 +1,397 @@
+diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml
+--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml.man-page 2014-01-20 16:40:02.340869189 -0600
++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/eapol_test.sgml 2014-01-20 16:40:02.340869189 -0600
+@@ -0,0 +1,205 @@
++<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
++
++<refentry>
++ <refmeta>
++ <refentrytitle>eapol_test</refentrytitle>
++ <manvolnum>8</manvolnum>
++ </refmeta>
++ <refnamediv>
++ <refname>eapol_test</refname>
++
++ <refpurpose>EAP peer and RADIUS client testing</refpurpose>
++ </refnamediv>
++
++ <refsynopsisdiv>
++ <cmdsynopsis>
++ <command>eapol_test</command>
++ <arg>-nWS</arg>
++ <arg>-c<replaceable>config file</replaceable></arg>
++ <arg>-a<replaceable>server IP address</replaceable></arg>
++ <arg>-A<replaceable>client IP address</replaceable></arg>
++ <arg>-p<replaceable>UDP port</replaceable></arg>
++ <arg>-s<replaceable>shared secret</replaceable></arg>
++ <arg>-r<replaceable>re-authentications</replaceable></arg>
++ <arg>-t<replaceable>timeout</replaceable></arg>
++ <arg>-C<replaceable>Connect-Info</replaceable></arg>
++ <arg>-M<replaceable>MAC address</replaceable></arg>
++ <arg>-o<replaceable>file</replaceable></arg>
++ <arg>-N<replaceable>attr spec</replaceable></arg>
++ </cmdsynopsis>
++ <cmdsynopsis>
++ <command>eapol_test scard</command>
++ </cmdsynopsis>
++ <cmdsynopsis>
++ <command>eapol_test sim</command>
++ <arg>PIN</arg>
++ <arg>num triplets</arg>
++ </cmdsynopsis>
++ </refsynopsisdiv>
++
++ <refsect1>
++ <title>Overview</title>
++
++ <para>eapol_test is a program that links together the same EAP
++ peer implementation that wpa_supplicant is using and the RADIUS
++ authentication client code from hostapd. In addition, it has
++ minimal glue code to combine these two components in similar
++ ways to IEEE 802.1X/EAPOL Authenticator state machines. In other
++ words, it integrates IEEE 802.1X Authenticator (normally, an
++ access point) and IEEE 802.1X Supplicant (normally, a wireless
++ client) together to generate a single program that can be used to
++ test EAP methods without having to setup an access point and a
++ wireless client.</para>
++
++ <para>The main uses for eapol_test are in interoperability testing
++ of EAP methods against RADIUS servers and in development testing
++ for new EAP methods. It can be easily used to automate EAP testing
++ for interoperability and regression since the program can be run
++ from shell scripts without require additional test components apart
++ from a RADIUS server. For example, the automated EAP tests described
++ in eap_testing.txt are implemented with eapol_test. Similarly,
++ eapol_test could be used to implement an automated regression
++ test suite for a RADIUS authentication server.</para>
++
++
++ <para>As an example:</para>
++
++<blockquote><programlisting>
++eapol_test -ctest.conf -a127.0.0.1 -p1812 -ssecret -r1
++</programlisting></blockquote>
++
++ <para>tries to complete EAP authentication based on the network
++ configuration from test.conf against the RADIUS server running
++ on the local host. A re-authentication is triggered to test fast
++ re-authentication. The configuration file uses the same format for
++ network blocks as wpa_supplicant.</para>
++
++ </refsect1>
++ <refsect1>
++ <title>Command Arguments</title>
++ <variablelist>
++ <varlistentry>
++ <term>-c configuration file path</term>
++
++ <listitem><para>A configuration to use. The configuration should
++ use the same format for network blocks as wpa_supplicant.
++ </para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-a AS address</term>
++
++ <listitem><para>IP address of the authentication server. The
++ default is '127.0.0.1'.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-A client address</term>
++
++ <listitem><para>IP address of the client. The default is to
++ select an address automatically.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-p AS port</term>
++
++ <listitem><para>UDP port of the authentication server. The
++ default is '1812'.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-s AS secret</term>
++
++ <listitem><para>Shared secret with the authentication server.
++ The default is 'radius'.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-r count</term>
++
++ <listitem><para>Number of reauthentications.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-t timeout</term>
++
++ <listitem><para>Timeout in seconds. The default is 30.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-C info</term>
++
++ <listitem><para>RADIUS Connect-Info. The default is
++ 'CONNECT 11Mbps 802.11b'.</para></listitem>
++ </varlistentry>
++
++
++ <varlistentry>
++ <term>-M mac address</term>
++
++ <listitem><para>Client MAC address (Calling-Station-Id). The
++ default is '02:00:00:00:00:01'.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-o file</term>
++
++ <listitem><para>Location to write out server certificate.
++ </para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-N attr spec</term>
++
++ <listitem><para>Send arbitrary attribute specific by
++ attr_id:syntax:value, or attr_id alone. attr_id should be the numeric
++ ID of the attribute, and syntax should be one of 's' (string),
++ 'd' (integer), or 'x' (octet string). The value is the attribute value
++ to send. When attr_id is given alone, NULL is used as the attribute
++ value. Multiple attributes can be specified by using the option
++ several times.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-n</term>
++
++ <listitem><para>Indicates that no MPPE keys are expected.
++ </para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-W</term>
++
++ <listitem><para>Wait for a control interface monitor before starting.
++ </para></listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-S</term>
++
++ <listitem><para>Save configuration after authentication.
++ </para></listitem>
++ </varlistentry>
++
++ </variablelist>
++ </refsect1>
++ <refsect1>
++ <title>See Also</title>
++ <para>
++ <citerefentry>
++ <refentrytitle>wpa_supplicant</refentrytitle>
++ <manvolnum>8</manvolnum>
++ </citerefentry>
++ </para>
++ </refsect1>
++ <refsect1>
++ <title>Legal</title>
++ <para>wpa_supplicant is copyright (c) 2003-2012,
++ Jouni Malinen <email>j at w1.fi</email> and
++ contributors.
++ All Rights Reserved.</para>
++
++ <para>This program is licensed under the BSD license (the one with
++ advertisement clause removed).</para>
++ </refsect1>
++</refentry>
+diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile
+--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile.man-page 2013-01-12 09:42:53.000000000 -0600
++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/Makefile 2014-01-20 16:40:02.342869164 -0600
+@@ -1,4 +1,4 @@
+-all: man html pdf
++all: man
+
+ FILES += wpa_background
+ FILES += wpa_cli
+@@ -7,6 +7,7 @@ FILES += wpa_passphrase
+ FILES += wpa_priv
+ FILES += wpa_supplicant.conf
+ FILES += wpa_supplicant
++FILES += eapol_test
+
+ man:
+ for i in $(FILES); do docbook2man $$i.sgml; done
+@@ -20,7 +21,7 @@ pdf:
+
+
+ clean:
+- rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8
++ rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8 eapol_test.8
+ rm -f wpa_supplicant.conf.5
+ rm -f manpage.links manpage.refs
+ rm -f $(FILES:%=%.pdf)
+diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml
+--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml.man-page 2013-01-12 09:42:53.000000000 -0600
++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_cli.sgml 2014-01-20 16:40:02.339869202 -0600
+@@ -15,10 +15,12 @@
+ <cmdsynopsis>
+ <command>wpa_cli</command>
+ <arg>-p <replaceable>path to ctrl sockets</replaceable></arg>
++ <arg>-g <replaceable>path to global ctrl_interface socket</replaceable></arg>
+ <arg>-i <replaceable>ifname</replaceable></arg>
+ <arg>-hvB</arg>
+ <arg>-a <replaceable>action file</replaceable></arg>
+ <arg>-P <replaceable>pid file</replaceable></arg>
++ <arg>-G <replaceable>ping interval</replaceable></arg>
+ <arg><replaceable>command ...</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+@@ -111,6 +113,14 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed
+ </varlistentry>
+
+ <varlistentry>
++ <term>-g control socket path</term>
++
++ <listitem><para>Connect to the global control socket at the
++ indicated path rather than an interface-specific control
++ socket.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
+ <term>-i ifname</term>
+
+ <listitem><para>Specify the interface that is being
+@@ -161,6 +171,13 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed
+ </varlistentry>
+
+ <varlistentry>
++ <term>-G ping interval</term>
++
++ <listitem><para>Set the interval (in seconds) at which
++ wpa_cli pings the supplicant.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
+ <term>command</term>
+
+ <listitem><para>Run a command. The available commands are
+diff -up wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml.man-page wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
+--- wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml.man-page 2013-01-12 09:42:53.000000000 -0600
++++ wpa_supplicant-2.0/wpa_supplicant/doc/docbook/wpa_supplicant.sgml 2014-01-20 16:40:02.339869202 -0600
+@@ -12,7 +12,7 @@
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>wpa_supplicant</command>
+- <arg>-BddfhKLqqtuvW</arg>
++ <arg>-BddfhKLqqsTtuvW</arg>
+ <arg>-i<replaceable>ifname</replaceable></arg>
+ <arg>-c<replaceable>config file</replaceable></arg>
+ <arg>-D<replaceable>driver</replaceable></arg>
+@@ -344,9 +344,20 @@
+ </varlistentry>
+
+ <varlistentry>
++ <term>-e entropy file</term>
++ <listitem>
++ <para>File for <command>wpa_supplicant</command> to use to
++ maintain its internal entropy store in over restarts.</para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
+ <term>-f output file</term>
+ <listitem>
+- <para>Log output to specified file instead of stdout.</para>
++ <para>Log output to specified file instead of stdout. (This
++ is only available if <command>wpa_supplicant</command> was
++ built with the <literal>CONFIG_DEBUG_FILE</literal>
++ option.)</para>
+ </listitem>
+ </varlistentry>
+
+@@ -387,6 +398,22 @@
+ </varlistentry>
+
+ <varlistentry>
++ <term>-o override driver</term>
++ <listitem>
++ <para>Override the driver parameter for new
++ interfaces.</para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-O override ctrl_interface</term>
++ <listitem>
++ <para>Override the ctrl_interface parameter for new
++ interfaces.</para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
+ <term>-p</term>
+ <listitem>
+ <para>Driver parameters. (Per interface)</para>
+@@ -409,10 +436,40 @@
+ </varlistentry>
+
+ <varlistentry>
++ <term>-s</term>
++ <listitem>
++ <para>Log output to syslog instead of stdout. (This is only
++ available if <command>wpa_supplicant</command> was built
++ with the <literal>CONFIG_DEBUG_SYSLOG</literal>
++ option.)</para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-T</term>
++ <listitem>
++ <para>Log output to Linux tracing in addition to any other
++ destinations. (This is only available
++ if <command>wpa_supplicant</command> was built with
++ the <literal>CONFIG_DEBUG_LINUX_TRACING</literal>
++ option.)</para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>-t</term>
++ <listitem>
++ <para>Include timestamp in debug messages.</para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
+ <term>-u</term>
+ <listitem>
+- <para>Enabled DBus control interface. If enabled, interface
+- definitions may be omitted.</para>
++ <para>Enable DBus control interface. If enabled, interface
++ definitions may be omitted. (This is only available
++ if <command>wpa_supplicant</command> was built with
++ the <literal>CONFIG_DBUS</literal> option.)</para>
+ </listitem>
+ </varlistentry>
+
+diff -up wpa_supplicant-2.0/wpa_supplicant/main.c.man-page wpa_supplicant-2.0/wpa_supplicant/main.c
+--- wpa_supplicant-2.0/wpa_supplicant/main.c.man-page 2013-01-12 09:42:53.000000000 -0600
++++ wpa_supplicant-2.0/wpa_supplicant/main.c 2014-01-20 16:40:02.340869189 -0600
+@@ -23,11 +23,11 @@ static void usage(void)
+ int i;
+ printf("%s\n\n%s\n"
+ "usage:\n"
+- " wpa_supplicant [-BddhKLqqstuvW] [-P<pid file>] "
++ " wpa_supplicant [-BddhKLqqtvW] [-P<pid file>] "
+ "[-g<global ctrl>] \\\n"
+ " -i<ifname> -c<config file> [-C<ctrl>] [-D<driver>] "
+ "[-p<driver_param>] \\\n"
+- " [-b<br_ifname>] [-f<debug file>] [-e<entropy file>] "
++ " [-b<br_ifname>] [-e<entropy file>] "
+ "\\\n"
+ " [-o<override driver>] [-O<override ctrl>] \\\n"
+ " [-N -i<ifname> -c<conf> [-C<ctrl>] "
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index ef4236c..fb8370c 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
Name: wpa_supplicant
Epoch: 1
Version: 2.0
-Release: 11%{?dist}
+Release: 12%{?dist}
License: BSD
Group: System Environment/Base
Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@@ -42,8 +42,13 @@ Patch6: wpa_supplicant-gui-qt4.patch
Patch7: libnl3-includes.patch
# Less aggressive roaming; signal strength is wildly variable
Patch8: rh837402-less-aggressive-roaming.patch
+# Add missing command-line options to man page, also filed upstream
+Patch9: rh948453-man-page.patch
# Don't evict current AP from PMKSA cache when it's large
-Patch9: 0001-Fix-OKC-based-PMKSA-cache-entry-clearing.patch
+Patch10: rh1032758-fix-pmksa-cache-entry-clearing.patch
+# CVE-2014-3686
+Patch11: 0001-Add-os_exec-helper-to-run-external-programs.patch
+Patch12: 0002-wpa_cli-Use-os_exec-for-action-script-execution.patch
%if %{build_libeap}
# Dirty hack for WiMAX
@@ -61,6 +66,7 @@ BuildRequires: readline-devel
BuildRequires: dbus-devel
BuildRequires: libnl3-devel
BuildRequires: systemd-units
+BuildRequires: docbook-utils
Requires(post): systemd-sysv
Requires(post): systemd-units
Requires(preun): systemd-units
@@ -113,7 +119,10 @@ Don't use this unless you know what you're doing.
%patch6 -p1 -b .qt4
%patch7 -p1 -b .libnl3
%patch8 -p1 -b .rh837402-less-aggressive-roaming
-%patch9 -p1 -b .okc-current-fix
+%patch9 -p1 -b .man-page
+%patch10 -p1 -b .pmksa-clear-fix
+%patch11 -p1 -b .CVE-2014-3686-1
+%patch12 -p1 -b .CVE-2014-3686-2
%build
pushd wpa_supplicant
@@ -131,6 +140,10 @@ pushd wpa_supplicant
make eapol_test
popd
+pushd wpa_supplicant/doc/docbook
+ make
+popd
+
%install
# init scripts
install -D -m 0755 %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service
@@ -257,6 +270,9 @@ fi
%endif
%changelog
+* Wed Oct 22 2014 Dan Williams <dcbw at redhat.com> - 1:2.0-12
+- Use os_exec() for action script execution (CVE-2014-3686)
+
* Thu Aug 21 2014 Kevin Fenzi <kevin at scrye.com> - 1:2.0-11
- Rebuild for rpm bug 1131960
More information about the scm-commits
mailing list