Bug 18335

Summary: wpa_supplicant new security issues CVE-2016-4476 and CVE-2016-4477
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, makowski.mageia, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/687592/
Whiteboard: has_procedure advisory MGA5-32-OK mga5-64-ok
Source RPM: wpa_supplicant-2.5-3.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-05-03 11:36:55 CEST 
CVEs have been assigned for the latest upstream advisory:
http://openwall.com/lists/oss-security/2016/05/03/2

The upstream advisory is here:
http://w1.fi/security/2016-1/psk-parameter-config-update.txt

Patches to fix the issue are in that same directory, and it will be fixed in 2.6.

We are not vulnerable in our default configuration, as update_config=1 is commented out in /etc/wpa_supplicant.conf.

Our hostapd package is not vulnerable at all as CONFIG_WPS is not enabled in our build.
David Walser 2016-05-03 11:37:23 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-05-03 12:44:56 CEST 
Assigning to maintainer (tmb)

CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => tmb

David Walser 2016-05-17 21:20:11 CEST

URL: (none) => http://lwn.net/Vulnerabilities/687592/

Comment 2 David Walser 2016-05-18 22:48:06 CEST 
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated wpa_suppliant packages fix security vulnerabilities:

A vulnerability was found in how wpa_supplicant writes the configuration file
update for the WPA/WPA2 passphrase parameter. If this parameter has been
updated to include control characters either through a WPS operation
(CVE-2016-4476) or through local configuration change over the wpa_supplicant
control interface (CVE-2016-4477), the resulting configuration file may prevent
the wpa_supplicant from starting when the updated file is used. In addition, it
may be possible to load a local library file and execute code from there with
the same privileges under which the wpa_supplicant process runs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4477
http://w1.fi/security/2016-1/psk-parameter-config-update.txt
========================

Updated packages in core/updates_testing:
========================
wpa_supplicant-2.3-3.1.mga5
wpa_supplicant-gui-2.3-3.1.mga5

from wpa_supplicant-2.3-3.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: tmb => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 3 Thomas Andrews 2016-05-20 03:46:17 CEST 
Linksys  WRT54G router, 32-bit system with BCM4318 wifi, already updated to the 4.4.9 kernel. Update installed cleanly, no issues. 

Rebooted into the 4.4.9 kernel, no issues noted. Secured wifi connection came up cleanly, did some browsing with Firefox 38.

Rebooted into the 4.1.15 kernel, no issues noted. Secured wifi connection came up cleanly, did some browsing with Firefox 38.

CC: (none) => andrewsfarm

claire robinson 2016-05-21 20:47:38 CEST

Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 4 claire robinson 2016-05-21 20:54:24 CEST 
Testing complete mga5 64 with wpa2

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK mga5-64-ok

claire robinson 2016-05-21 21:45:54 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK mga5-64-ok => has_procedure advisory MGA5-32-OK mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2016-05-22 00:12:17 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0199.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED