From patchwork Tue Jun 1 18:09:14 2021
X-Patchwork-Submitter: Sam Voss
X-Patchwork-Id: 1486178
To: buildroot@buildroot.org
Date: Tue, 1 Jun 2021 13:09:14 -0500
Message-Id: <20210601180915.14897-1-sam.voss@collins.com>
Subject: [Buildroot] [PATCH] package/hostapd: add upstream patch to fix CVE-2021-27803
From: Sam Voss via buildroot
Reply-To: Sam Voss
Cc: Sam Voss, Sergey Matyukevich, Matt Weber

Fixes the following:

- CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in
  wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision
  discovery requests. It could result in denial of service or other
  impact (potentially execution of arbitrary code), for an attacker
  within radio range.

Signed-off-by: Sam Voss --- package/hostapd/hostapd.hash | 1 + package/hostapd/hostapd.mk | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/package/hostapd/hostapd.hash b/package/hostapd/hostapd.hash index e2f76c12d9..9ac5f4b392 100644 --- a/package/hostapd/hostapd.hash +++ b/package/hostapd/hostapd.hash @@ -3,4 +3,5 @@ sha256 881d7d6a90b2428479288d64233151448f8990ab4958e0ecaca7eeb3c9db2bd7 hostap sha256 2d9a5b9d616f1b4aa4a22b967cee866e2f69b798b0b46803a7928c8559842bd7 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch sha256 49feb35a5276279b465f6836d6fa2c6b34d94dc979e8b840d1918865c04260de 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch sha256 a8212a2d89a5bab2824d22b6047e7740553df163114fcec94832bfa9c5c5d78a 0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch +sha256 7f40cfec5faf5e927ea9028ab9392cd118685bde7229ad24210caf0a8f6e9611 0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch sha256 9da5dd0776da266b180b915e460ff75c6ff729aca1196ab396529510f24f3761 README diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk index 8eff92eb1e..8820254f89 100644 --- a/package/hostapd/hostapd.mk +++ b/package/hostapd/hostapd.mk @@ -11,7 +11,8 @@ HOSTAPD_CONFIG = $(HOSTAPD_DIR)/$(HOSTAPD_SUBDIR)/.config HOSTAPD_PATCH = \ https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \ https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \ - https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch + https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \ + https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch HOSTAPD_DEPENDENCIES = host-pkgconf HOSTAPD_CFLAGS = $(TARGET_CFLAGS) HOSTAPD_LICENSE = BSD-3-Clause 
@@ -26,6 +27,9 @@ HOSTAPD_IGNORE_CVES += CVE-2020-12695 # 0002-ASN.1-Validate-DigestAlgorithmIdentifier-parameters.patch HOSTAPD_IGNORE_CVES += CVE-2021-30004 +# 0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch +HOSTAPD_IGNORE_CVES += CVE-2021-27803 + HOSTAPD_CPE_ID_VENDOR = w1.fi HOSTAPD_CONFIG_SET =
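Review bot: The new HOSTAPD_PATCH entry in the first hostapd.mk hunk (`https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch`) is justified in the commit message only by a description of wpa_supplicant's p2p/p2p_pd.c, so the patch does not say why the hostapd package needs it. Please add a sentence to the commit message stating whether the hostapd build in this package compiles the affected P2P code, or whether the patch is carried so that the CVE can be recorded as handled for the shared source tree.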
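Review bot: The `HOSTAPD_IGNORE_CVES += CVE-2021-27803` line added in the second hostapd.mk hunk has no version tied to it, while the commit message says the issue affects releases before 2.10, so this entry, the matching HOSTAPD_PATCH URL and the hostapd.hash line will become stale on a version bump with nothing here to flag it. Consider extending the comment above the entry to say that all three can be dropped once the package moves to a release that contains the fix.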