Bug 29899

Summary: wpa_supplicant new side-channel attack security issue (upstream 2022-1, CVE-2022-23303)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: wpa_supplicant-2.9-8.2.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-01-17 17:33:31 CET 
Upstream has issued an advisory on January 16:
https://w1.fi/security/2022-1/sae-eap-pwd-side-channel-attack-update-2.txt

The issue is fixed upstream in 2.10.

We are vulnerable because SAE is enabled in wpa_supplicant.  It is not enabled in hostapd, and EAP_PWD is enabled in neither.

Mageia 8 is also affected.
David Walser 2022-01-17 17:33:43 CET

Status comment: (none) => Fixed upstream in 2.10
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-01-17 19:28:56 CET 
This is one of those homeless pkgs variously maintained, so no choice but to assign this update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-01-18 09:20:22 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

New side-channel attack security issue. (upstream 2022-1)

References:
https://w1.fi/security/2022-1/sae-eap-pwd-side-channel-attack-update-2.txt
========================

Updated packages in core/updates_testing:
========================
wpa_supplicant-gui-2.9-8.3.mga8
wpa_supplicant-2.9-8.3.mga8

from SRPM:
wpa_supplicant-2.9-8.3.mga8.src.rpm

CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Source RPM: wpa_supplicant-2.9-13.mga9.src.rpm => wpa_supplicant-2.9-8.2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 2.10 => (none)

Comment 3 Herman Viaene 2022-01-18 14:27:31 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Rebooted and wifi comes up OK.
Somethinng struck me as a bit strange: the package has the gui (wpa_gui command) in /usr/bin, so accessible to a normal user.
But when you run itas a normal user, all fiels (adapter, network...) are blank, and you cann't do absolutely nothing with it. Running the command as root is fine.
But in all OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-01-18 17:49:34 CET 
That does seem odd, but sounds as if it were somehow by design. 

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-01-18 19:21:07 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-01-18 20:31:03 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0025.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2022-01-30 19:23:22 CET 
This is CVE-2022-23303:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5F6SN2YLMKFIXVA2MABEIB6WB5PLHRTF/

Summary: wpa_supplicant new side-channel attack security issue (upstream 2022-1) => wpa_supplicant new side-channel attack security issue (upstream 2022-1, CVE-2022-23303)