Bug 7746

Summary: hostapd new security issue CVE-2012-4445
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: cjw, dmorganec, oe, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/518914/
Whiteboard: MGA2-32-OK, MGA2-64-OK, MGA1-32-OK, MGA1-64-OK
Source RPM: hostapd-0.7.3-4.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-10-09 13:27:57 CEST 
Debian has issued an advisory on October 8:
http://www.debian.org/security/2012/dsa-2557

The RedHat bug has more details and a link to the fix:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4445

Mageia 1 and Mageia 2 are also likely to be affected.
David Walser 2012-10-09 13:28:05 CEST

CC: (none) => dmorganec

David Walser 2012-10-09 13:28:21 CEST

CC: (none) => cjw

David Walser 2012-10-09 13:36:33 CEST

Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 David Walser 2012-10-09 14:42:39 CEST 
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

This also fixes a minor permissions issue, CVE-2012-2389.

Advisory:
========================

Updated hostapd package fixes security vulnerabilities:

hostapd 0.7.3, and possibly other versions before 1.0, uses 0644
permissions for /etc/hostapd/hostapd.conf, which might allow local users
to obtain sensitive information such as credentials (CVE-2012-2389).

Timo Warns discovered that the internal authentication server of hostapd,
a user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator,
is vulnerable to a buffer overflow when processing fragmented EAP-TLS
messages.  As a result, an internal overflow checking routine terminates
the process.  An attacker can abuse this flaw to conduct denial of
service attacks via crafted EAP-TLS messages prior to any authentication
(CVE-2012-4445).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082475.html
http://www.debian.org/security/2012/dsa-2557
========================

Updated packages in core/updates_testing:
========================
hostapd-0.7.3-2.1.mga1
hostapd-0.7.3-4.1.mga2

from SRPMS:
hostapd-0.7.3-2.1.mga1.src.rpm
hostapd-0.7.3-4.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 2 Marc Lattemann 2012-10-10 14:26:07 CEST 
permission of hostapd.conf changed from 644 to 600. Tests successfully on mga1 and mga2 (both i586 and x86_64).

Updates validated. Please see advisory and SRCRPM in Comment #1

Could someone of the sysadmin team push it to Core-Updates? Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO => MGA2-32-OK, MGA2-64-OK, MGA1-32-OK, MGA1-64-OK

Comment 3 Thomas Backlund 2012-10-11 09:49:19 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0291

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 4 Oden Eriksson 2012-10-15 09:56:48 CEST 
This affects wpa_supplicant as well. Same fix applies.

Hey, there's a quite nifty way with mdv/mga to find possible affected code. Activate main and updates debug packages then just do "urpmf eap_server_tls_common.c".

Cheers.

Status: RESOLVED => REOPENED
CC: (none) => oe
Resolution: FIXED => (none)

Comment 5 Oden Eriksson 2012-10-15 11:21:38 CEST 
Whoops. The affected code is not used. Sorry.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED