Bug 14262

Patches checked into Mageia 3 and Mageia 4 SVN.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated wpa_supplicant and hostapd packages fix security vulnerability:

A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
for executing action scripts. An unsanitized string received from a
remote device can be passed to a system() call resulting in arbitrary
command execution under the privileges of the wpa_cli/hostapd_cli
process (which may be root in common use cases) (CVE-2014-3686).

Using the Mageia wpa_supplicant package, systems are exposed to the
vulnerability if operating as a WPS registrar.

The Mageia hostapd package was not vulnerable with the configuration with
which it was built, but if a sysadmin had rebuilt it with WPS enabled, it
would be vulnerable.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
http://w1.fi/security/2014-1/wpacli-action-scripts.txt
========================

Updated packages in core/updates_testing:
========================
wpa_supplicant-1.1-4.1.mga3
wpa_supplicant-gui-1.1-4.1.mga3
hostapd-1.1-2.1.mga3
wpa_supplicant-2.0-2.1.mga4
wpa_supplicant-gui-2.0-2.1.mga4
hostapd-2.0-2.1.mga4

from SRPMS:
wpa_supplicant-1.1-4.1.mga3.src.rpm
hostapd-1.1-2.1.mga3.src.rpm
wpa_supplicant-2.0-2.1.mga4.src.rpm
hostapd-2.0-2.1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

wpa_supplicant-2.0-2.1.mga4 from core updates testing
Installed these afterwards from core updates testing
wpa_supplicant-gui-2.0-2.1.mga4
hostapd-2.0-2.1.mga4
The latter pulled in lib64nl1 from core release.

Invoked wpa_gui to try to get some clue about what to do.  Looks like a network manager but have no idea where to go with that and it may not be relevant given that the advisory points to the *_cli as being vulnerable.

Will look at the link posted above to see what action scripts are.

CC: (none) => tarazed25

Ubuntu has issued an advisory for this on October 14:
http://www.ubuntu.com/usn/usn-2383-1/

URL: (none) => http://lwn.net/Vulnerabilities/616270/

Tested general use, mga4-64.  Installed update, rebooted system.  Wifi with wpa/wpa2 encryption started normally.

CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Tested mga3-64 as above.  wifi started normally.

I don't have a 32-bit install with wifi, so I'll leave that to someone else to test.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga3-64-ok

Testing on Mageia4-32 (as advised by Claire Robinson, disabled networkmanager service, rebooted, otherwise I was not able to connect through wifi)

With current packages :
---------------------

wpa_supplicant-2.0-2.mga4
wpa_supplicant-gui 2.0.-2.mga4

Could connect through encrypted and non-encrypted wifi.

wpa_gui (run as root) showed :
- on non-encrypted
Authentification : NONE
Encryption : NONE

- on encrypted
Authentification : WPA-PSK
Encryption : CCMP + TKIP


With update-testing :
-------------------

wpa_supplicant-2.0-2.1.mga4
wpa_supplicant-gui-2.0-2.1.mga4
+ reboot

Could connect through encrypted and non-encrypted wifi.
wpa_gui verified ok as before.

Works goog

CC: (none) => olchal
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok => MGA3TOO mga4-64-ok mga3-64-ok MGA4-32-OK

Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok MGA4-32-OK => MGA3TOO mga4-64-ok mga3-64-ok MGA4-32-OK advisory

Validating.

Could sysadmin please push to 3 & 4 updates

Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0429.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED