From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] package/hostapd: add upstream patch to fix CVE-2021-27803
Date: Tue, 1 Jun 2021 22:00:43 +0200 [thread overview]
Message-ID: <20210601200043.GA168928@scaer> (raw)
In-Reply-To: <20210601180915.14897-1-sam.voss@collins.com>
Sam, All,
On 2021-06-01 13:09 -0500, Sam Voss via buildroot spake thusly:
> Fixes the following:
>
> - CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in
> wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision
> discovery requests. It could result in denial of service or other impact
> (potentially execution of arbitrary code), for an attacker within radio
> range.
Usually, when there is a patch to hostpad to fix a CVE, we probably need
the same patch against wpa_supplicant, since they both shared the same
source tree...
See for example:
0c65499c3f package/wpa_supplicant: fix build with CVE-2021-30004 changes
75496165dc package/hostapd: fix build with CVE-2021-30004 changes
a8fbe67b9b package/wpa_supplicant: add upstream patch to fix CVE-2021-30004
d65586f45a package/hostapd: add upstream patch to fix CVE-2021-30004
2f6a6b8e50 package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
3d3348fd03 package/hostapd: ignore CVE-2021-30004 when using openssl
650d907c13 package/wpa_supplicant: fix CVE-2019-16275
749fbab0bb package/hostapd: fix CVE-2019-16275
Could you look at providing a patch to wpa_supplicant for
CVE-2021-27803, please?
Regards,
Yann E. MORIN.
> Signed-off-by: Sam Voss <sam.voss@collins.com>
> ---
> package/hostapd/hostapd.hash | 1 +
> package/hostapd/hostapd.mk | 6 +++++-
> 2 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/package/hostapd/hostapd.hash b/package/hostapd/hostapd.hash
> index e2f76c12d9..9ac5f4b392 100644
> --- a/package/hostapd/hostapd.hash
> +++ b/package/hostapd/hostapd.hash
> @@ -3,4 +3,5 @@ sha256 881d7d6a90b2428479288d64233151448f8990ab4958e0ecaca7eeb3c9db2bd7 hostap
> sha256 2d9a5b9d616f1b4aa4a22b967cee866e2f69b798b0b46803a7928c8559842bd7 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
> sha256 49feb35a5276279b465f6836d6fa2c6b34d94dc979e8b840d1918865c04260de 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
> sha256 a8212a2d89a5bab2824d22b6047e7740553df163114fcec94832bfa9c5c5d78a 0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
> +sha256 7f40cfec5faf5e927ea9028ab9392cd118685bde7229ad24210caf0a8f6e9611 0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
> sha256 9da5dd0776da266b180b915e460ff75c6ff729aca1196ab396529510f24f3761 README
> diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk
> index 8eff92eb1e..8820254f89 100644
> --- a/package/hostapd/hostapd.mk
> +++ b/package/hostapd/hostapd.mk
> @@ -11,7 +11,8 @@ HOSTAPD_CONFIG = $(HOSTAPD_DIR)/$(HOSTAPD_SUBDIR)/.config
> HOSTAPD_PATCH = \
> https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
> https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
> - https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
> + https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
> + https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
> HOSTAPD_DEPENDENCIES = host-pkgconf
> HOSTAPD_CFLAGS = $(TARGET_CFLAGS)
> HOSTAPD_LICENSE = BSD-3-Clause
> @@ -26,6 +27,9 @@ HOSTAPD_IGNORE_CVES += CVE-2020-12695
> # 0002-ASN.1-Validate-DigestAlgorithmIdentifier-parameters.patch
> HOSTAPD_IGNORE_CVES += CVE-2021-30004
>
> +# 0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
> +HOSTAPD_IGNORE_CVES += CVE-2021-27803
> +
> HOSTAPD_CPE_ID_VENDOR = w1.fi
> HOSTAPD_CONFIG_SET =
>
> --
> 2.17.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
next prev parent reply other threads:[~2021-06-01 20:00 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-01 18:09 [Buildroot] [PATCH] package/hostapd: add upstream patch to fix CVE-2021-27803 Sam Voss
2021-06-01 19:43 ` Arnout Vandecappelle
2021-06-01 20:00 ` Yann E. MORIN [this message]
2021-06-01 21:06 ` Arnout Vandecappelle
2021-06-06 7:09 ` Peter Korsgaard
2021-06-10 20:14 ` [Buildroot] [External] " Voss, Samuel M Collins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210601200043.GA168928@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox