A security issue has been announced today (October 9):
http://openwall.com/lists/oss-security/2014/10/09/28
http://w1.fi/security/2014-1/wpacli-action-scripts.txt
The issue is fixed upstream in version 2.3. I've committed it in Cauldron SVN and requested a freeze push.
There are also patches available here:
http://w1.fi/security/2014-1/
Our hostapd package isn't currently vulnerable as WPS isn't enabled, but someone could have an issue if they enabled it and rebuilt it themselves. Our wpa_supplicant package does have it enabled and is vulnerable.
Mageia 3 and Mageia 4 are affected.
Whiteboard: (none) => MGA3TOO
Patches checked into Mageia 3 and Mageia 4 SVN.
Patched packages uploaded for Mageia 3 and Mageia 4.
Advisory:
========================
Updated wpa_supplicant and hostapd packages fix security vulnerability:
A vulnerability was found in the mechanism wpa_cli and hostapd_cli use for executing action scripts. An unsanitized string received from a remote device can be passed to a system() call resulting in arbitrary command execution under the privileges of the wpa_cli/hostapd_cli process (which may be root in common use cases) (CVE-2014-3686).
Using the Mageia wpa_supplicant package, systems are exposed to the vulnerability if operating as a WPS registrar.
The Mageia hostapd package was not vulnerable with the configuration with which it was built, but if a sysadmin had rebuilt it with WPS enabled, it would be vulnerable.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
http://w1.fi/security/2014-1/wpacli-action-scripts.txt
========================
Updated packages in core/updates_testing:
========================
wpa_supplicant-1.1-4.1.mga3
wpa_supplicant-gui-1.1-4.1.mga3
hostapd-1.1-2.1.mga3
wpa_supplicant-2.0-2.1.mga4
wpa_supplicant-gui-2.0-2.1.mga4
hostapd-2.0-2.1.mga4
from SRPMS:
wpa_supplicant-1.1-4.1.mga3.src.rpm
hostapd-1.1-2.1.mga3.src.rpm
wpa_supplicant-2.0-2.1.mga4.src.rpm
hostapd-2.0-2.1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
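The advisory above describes text from a remote device reaching a system() call. As an added example (not code from wpa_supplicant, hostapd or the Mageia patches), the C program below contrasts that pattern with passing the same text as a single argv element through fork/execvp, so no shell ever parses it. The function names, the `true` stand-in for an action script, the interface name and the event string are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: event text is pasted into a command line that /bin/sh parses. */
int run_action_system(const char *script, const char *ifname, const char *event)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof(cmd), "%s %s %s", script, ifname, event);
    if (n < 0 || (size_t)n >= sizeof(cmd))
        return -1;                      /* refuse truncated command lines */
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened pattern: no shell involved; the event is exactly one argument. */
int run_action_exec(const char *script, const char *ifname, const char *event)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)ifname, (char *)event, NULL };
        execvp(script, argv);
        _exit(127);                     /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    /* Constructed event: the part after ';' stands for text chosen by the remote device. */
    const char *event = "EVENT peer-text; exit 7";
    int via_shell = run_action_system("true", "wlan0", event);
    int via_exec = run_action_exec("true", "wlan0", event);
    printf("system(): exit status %d (shell ran the trailing command)\n", via_shell);
    printf("execvp(): exit status %d (text stayed a plain argument)\n", via_exec);
    return 0;
}
```

The exit status is used as a side-effect-free marker: a status of 7 from the system() variant shows the shell executed the text after the semicolon, while the execvp variant returns the stand-in script's own status of 0.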
wpa_supplicant-2.0-2.1.mga4 from core updates testing
Installed these afterwards from core updates testing
wpa_supplicant-gui-2.0-2.1.mga4
hostapd-2.0-2.1.mga4
The latter pulled in lib64nl1 from core release.
Invoked wpa_gui to try to get some clue about what to do. Looks like a network manager but have no idea where to go with that and it may not be relevant given that the advisory points to the *_cli as being vulnerable. Will look at the link posted above to see what action scripts are.
CC: (none) => tarazed25
Severity: normal => critical
Ubuntu has issued an advisory for this on October 14: http://www.ubuntu.com/usn/usn-2383-1/
URL: (none) => http://lwn.net/Vulnerabilities/616270/
Tested general use, mga4-64. Installed update, rebooted system. Wifi with wpa/wpa2 encryption started normally.
CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok
Tested mga3-64 as above. wifi started normally. I don't have a 32-bit install with wifi, so I'll leave that to someone else to test.
Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga3-64-ok
Testing on Mageia4-32 (as advised by Claire Robinson, disabled networkmanager service, rebooted, otherwise I was not able to connect through wifi)
With current packages:
---------------------
wpa_supplicant-2.0-2.mga4
wpa_supplicant-gui 2.0.-2.mga4
Could connect through encrypted and non-encrypted wifi.
wpa_gui (run as root) showed:
- on non-encrypted
Authentication: NONE
Encryption: NONE
- on encrypted
Authentication: WPA-PSK
Encryption: CCMP + TKIP
With update-testing:
-------------------
wpa_supplicant-2.0-2.1.mga4
wpa_supplicant-gui-2.0-2.1.mga4
+ reboot
Could connect through encrypted and non-encrypted wifi.
wpa_gui verified ok as before.
Works good
CC: (none) => olchal
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok => MGA3TOO mga4-64-ok mga3-64-ok MGA4-32-OK
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok MGA4-32-OK => MGA3TOO mga4-64-ok mga3-64-ok MGA4-32-OK advisory
Validating. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0429.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED