[hostapd/f19] Apply fixes for CVE-2014-3686
John W. Linville
linville at fedoraproject.org
Thu Oct 23 20:10:28 UTC 2014
commit 6bf0486c1584aec673a85a6d5aec84139144ced1
Author: John W. Linville <linville at tuxdriver.com>
Date: Thu Oct 23 16:10:30 2014 -0400
Apply fixes for CVE-2014-3686
...d-os_exec-helper-to-run-external-programs.patch | 113 ++++++++++++++++++++
...i-Use-os_exec-for-action-script-execution.patch | 55 ++++++++++
hostapd.spec | 13 ++-
3 files changed, 180 insertions(+), 1 deletions(-)
---
diff --git a/hostapd-Add-os_exec-helper-to-run-external-programs.patch b/hostapd-Add-os_exec-helper-to-run-external-programs.patch
new file mode 100644
index 0000000..10d2bd1
--- /dev/null
+++ b/hostapd-Add-os_exec-helper-to-run-external-programs.patch
@@ -0,0 +1,113 @@
+From 89de07a9442072f88d49869d8ecd8d42bae050a0 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni at qca.qualcomm.com>
+Date: Mon, 6 Oct 2014 16:27:44 +0300
+Subject: [PATCH 1/3] Add os_exec() helper to run external programs
+
+Signed-off-by: Jouni Malinen <jouni at qca.qualcomm.com>
+---
+ src/utils/os.h | 9 +++++++++
+ src/utils/os_unix.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ src/utils/os_win32.c | 6 ++++++
+ 3 files changed, 70 insertions(+)
+
+diff -up hostapd-2.0/src/utils/os.h.helper hostapd-2.0/src/utils/os.h
+--- hostapd-2.0/src/utils/os.h.helper 2013-01-12 10:42:53.000000000 -0500
++++ hostapd-2.0/src/utils/os.h 2014-10-23 16:04:33.241498961 -0400
+@@ -506,6 +506,15 @@ static inline void * os_realloc_array(vo
+ */
+ size_t os_strlcpy(char *dest, const char *src, size_t siz);
+
++/**
++ * os_exec - Execute an external program
++ * @program: Path to the program
++ * @arg: Command line argument string
++ * @wait_completion: Whether to wait until the program execution completes
++ * Returns: 0 on success, -1 on error
++ */
++int os_exec(const char *program, const char *arg, int wait_completion);
++
+
+ #ifdef OS_REJECT_C_LIB_FUNCTIONS
+ #define malloc OS_DO_NOT_USE_malloc
+diff -up hostapd-2.0/src/utils/os_unix.c.helper hostapd-2.0/src/utils/os_unix.c
+--- hostapd-2.0/src/utils/os_unix.c.helper 2013-01-12 10:42:53.000000000 -0500
++++ hostapd-2.0/src/utils/os_unix.c 2014-10-23 16:04:33.242498969 -0400
+@@ -9,6 +9,7 @@
+ #include "includes.h"
+
+ #include <time.h>
++#include <sys/wait.h>
+
+ #ifdef ANDROID
+ #include <linux/capability.h>
+@@ -486,3 +487,57 @@ char * os_strdup(const char *s)
+ }
+
+ #endif /* WPA_TRACE */
++
++
++int os_exec(const char *program, const char *arg, int wait_completion)
++{
++ pid_t pid;
++ int pid_status;
++
++ pid = fork();
++ if (pid < 0) {
++ perror("fork");
++ return -1;
++ }
++
++ if (pid == 0) {
++ /* run the external command in the child process */
++ const int MAX_ARG = 30;
++ char *_program, *_arg, *pos;
++ char *argv[MAX_ARG + 1];
++ int i;
++
++ _program = os_strdup(program);
++ _arg = os_strdup(arg);
++
++ argv[0] = _program;
++
++ i = 1;
++ pos = _arg;
++ while (i < MAX_ARG && pos && *pos) {
++ while (*pos == ' ')
++ pos++;
++ if (*pos == '\0')
++ break;
++ argv[i++] = pos;
++ pos = os_strchr(pos, ' ');
++ if (pos)
++ *pos++ = '\0';
++ }
++ argv[i] = NULL;
++
++ execv(program, argv);
++ perror("execv");
++ os_free(_program);
++ os_free(_arg);
++ exit(0);
++ return -1;
++ }
++
++ if (wait_completion) {
++ /* wait for the child process to complete in the parent */
++ waitpid(pid, &pid_status, 0);
++ }
++
++ return 0;
++}
+diff -up hostapd-2.0/src/utils/os_win32.c.helper hostapd-2.0/src/utils/os_win32.c
+--- hostapd-2.0/src/utils/os_win32.c.helper 2013-01-12 10:42:53.000000000 -0500
++++ hostapd-2.0/src/utils/os_win32.c 2014-10-23 16:04:33.242498969 -0400
+@@ -233,3 +233,9 @@ size_t os_strlcpy(char *dest, const char
+
+ return s - src - 1;
+ }
++
++
++int os_exec(const char *program, const char *arg, int wait_completion)
++{
++ return -1;
++}
diff --git a/hostapd-hostapd_cli-Use-os_exec-for-action-script-execution.patch b/hostapd-hostapd_cli-Use-os_exec-for-action-script-execution.patch
new file mode 100644
index 0000000..3abbf92
--- /dev/null
+++ b/hostapd-hostapd_cli-Use-os_exec-for-action-script-execution.patch
@@ -0,0 +1,55 @@
+From 5d4fa2a29bef013e61185beb21a3ec110885eb9a Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni at qca.qualcomm.com>
+Date: Mon, 6 Oct 2014 18:49:01 +0300
+Subject: [PATCH 3/3] hostapd_cli: Use os_exec() for action script execution
+
+Use os_exec() to run the action script operations to avoid undesired
+command line processing for control interface event strings. Previously,
+it could have been possible for some of the event strings to include
+unsanitized data which is not suitable for system() use. (CVE-2014-3686)
+
+Signed-off-by: Jouni Malinen <jouni at qca.qualcomm.com>
+---
+ hostapd/hostapd_cli.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+diff -up hostapd-2.0/hostapd/hostapd_cli.c.hostapd_cli hostapd-2.0/hostapd/hostapd_cli.c
+--- hostapd-2.0/hostapd/hostapd_cli.c.hostapd_cli 2013-01-12 10:42:53.000000000 -0500
++++ hostapd-2.0/hostapd/hostapd_cli.c 2014-10-23 16:07:23.953882112 -0400
+@@ -219,28 +219,19 @@ static int hostapd_cli_cmd_mib(struct wp
+ static int hostapd_cli_exec(const char *program, const char *arg1,
+ const char *arg2)
+ {
+- char *cmd;
++ char *arg;
+ size_t len;
+ int res;
+- int ret = 0;
+
+- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3;
+- cmd = os_malloc(len);
+- if (cmd == NULL)
++ len = os_strlen(arg1) + os_strlen(arg2) + 2;
++ arg = os_malloc(len);
++ if (arg == NULL)
+ return -1;
+- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2);
+- if (res < 0 || (size_t) res >= len) {
+- os_free(cmd);
+- return -1;
+- }
+- cmd[len - 1] = '\0';
+-#ifndef _WIN32_WCE
+- if (system(cmd) < 0)
+- ret = -1;
+-#endif /* _WIN32_WCE */
+- os_free(cmd);
++ os_snprintf(arg, len, "%s %s", arg1, arg2);
++ res = os_exec(program, arg, 1);
++ os_free(arg);
+
+- return ret;
++ return res;
+ }
+
+
diff --git a/hostapd.spec b/hostapd.spec
index a39bb28..d336a04 100644
--- a/hostapd.spec
+++ b/hostapd.spec
@@ -2,7 +2,7 @@
Name: hostapd
Version: 2.0
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
License: BSD
URL: http://w1.fi/hostapd
@@ -14,6 +14,9 @@ Source3: %{name}.sysconfig
Source4: %{name}.init
Patch0: %{name}-RPM_OPT_FLAGS.patch
Patch1: %{name}-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
+Patch2: %{name}-Add-os_exec-helper-to-run-external-programs.patch
+Patch3: %{name}-hostapd_cli-Use-os_exec-for-action-script-execution.patch
+
BuildRequires: libnl-devel >= 1.1
BuildRequires: openssl-devel
@@ -59,6 +62,11 @@ Logwatch scripts for hostapd.
# commit 586c446e0ff42ae00315b014924ec669023bd8de
%patch1 -p1
+# http://www.openwall.com/lists/oss-security/2014/10/09/28
+# http://w1.fi/security/2014-1/
+%patch2 -p1
+%patch3 -p1
+
# Prepare default config file
cat %{SOURCE2} | sed -e 's/HOSTAPD_VERSION/'%{version}'/' > %{name}.conf
@@ -170,6 +178,9 @@ fi
%{_sysconfdir}/logwatch/scripts/services/%{name}
%changelog
+* Thu Oct 23 2014 John W. Linville <linville at redhat.com> - 2.0-5
+- Apply fixes for CVE-2014-3686
+
* Wed Aug 07 2013 Simone Caronni <negativo17 at gmail.com> - 2.0-4
- Add EPEL 6 support.
- Remove obsolete EPEL 5 tags.
More information about the scm-commits
mailing list