Bug 15876

Summary: hostapd new security issue fixed upstream in 2.5 (upstream advisory 2015-3, CVE-2015-4142)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/644282/
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: hostapd-2.3-2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-05-07 16:07:10 CEST 
Upstream has issued an advisory on May 4:
http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt

Since AP and P2P are not enabled in our wpa_supplicant package, it is not affected.

Due to our configurations, we are also not affected by upstream advisories 2015-2 and 2015-4, also issued on May 4:
http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt

Since it wasn't previously stated in Bugzilla (that I can recall), we also were not affected by the previous CVE-2015-1863 (upstream advisory 2015-1) issue, as P2P is not enabled in our wpa_supplicant package:
http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt

The only thing we are affected by is 2015-3 in hostapd.

Upstream patch checked into Mageia 4 and Cauldron SVN.  Freeze push requested.

Reproducible: 

Steps to Reproduce:
David Walser 2015-05-07 16:07:23 CEST

Blocks: (none) => 14674
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-05-08 16:21:36 CEST 
Patched package uploaded for Mageia 4.

Advisory:
========================

Updated hostapd packages fix security vulnerability:

A vulnerability was found in hostapd that can be used to perform denial of
service attacks by an attacker that is within radio range of the AP that uses hostapd for MLME/SME operations.

References:
http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt
========================

Updated packages in core/updates_testing:
========================
hostapd-2.0-2.2.mga4

from hostapd-2.0-2.2.mga4.src.rpm

Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 2 David Walser 2015-05-08 16:25:51 CEST 
CVE request:
http://openwall.com/lists/oss-security/2015/05/07/6
Comment 3 David Walser 2015-05-10 18:59:44 CEST 
More formal CVE request:
http://openwall.com/lists/oss-security/2015/05/09/5
Comment 4 claire robinson 2015-05-11 15:59:12 CEST 
Testing complete mga4 32 

Just ensuring it updates cleanly during mga5 final release cycle.

Whiteboard: (none) => mga4-32-ok

Comment 5 claire robinson 2015-05-11 18:07:51 CEST 
Advisory uploaded.

Whiteboard: mga4-32-ok => advisory mga4-32-ok

Comment 6 claire robinson 2015-05-12 17:06:22 CEST 
Testing complete mga4 64

Set the wifi device name (from iwconfig) in /etc/hostapd/hostapd.conf and started the hostapd service. Ensured the service was able to restart OK with the update installed.

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: advisory mga4-32-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-05-12 21:38:34 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0216.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-13 20:12:04 CEST

URL: (none) => http://lwn.net/Vulnerabilities/644282/

Comment 8 David Walser 2015-06-01 12:41:00 CEST 
CVE-2015-4142 has been assigned for the 2015-3 issue we fixed in this update:
http://openwall.com/lists/oss-security/2015/05/31/6

Summary: hostapd new security issue fixed upstream in 2.5 (upstream advisory 2015-3) => hostapd new security issue fixed upstream in 2.5 (upstream advisory 2015-3, CVE-2015-4142)

Comment 9 David Walser 2015-06-11 20:46:42 CEST 
(In reply to David Walser from comment #8)
> CVE-2015-4142 has been assigned for the 2015-3 issue we fixed in this update:
> http://openwall.com/lists/oss-security/2015/05/31/6

LWN reference with the recent CVEs:
http://lwn.net/Vulnerabilities/647929/
Comment 10 David Walser 2015-10-13 14:10:09 CEST 
*** Bug 16953 has been marked as a duplicate of this bug. ***

CC: (none) => tmb