Subject: Re: cve-2017-13077 - WPA2 security vulni
To: freebsd-current@freebsd.org
From: Stefan Esser
Date: Mon, 16 Oct 2017 13:19:15 +0200
Message-ID: <21896d6e-75be-3376-bc32-9d911227de5c@freebsd.org>

On 16.10.17 at 12:38, blubee blubeeme wrote:
> well, that's a cluster if I ever seen one.
>
> On Mon, Oct 16, 2017 at 6:35 PM, Poul-Henning Kamp
> wrote:
>
>> --------
>> In message
> gmail.com>
>> , blubee blubeeme writes:
>>
>>> Does anyone on FreeBSD know if it's affected by this?
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077
>>
>> It is, same as Linux, we use the same wpa_supplicant software

The attached patch includes the official patch applied by the WPA
developers in https://w1.fi/cgit/hostap/commit/?id=a00e946 but for
our version of wpa_supplicant in /usr/src/contrib.

Regards, Stefan

Content-Disposition: attachment; filename="wpa.c-CVE-2017-13077.patch"

Index: contrib/wpa/src/rsn_supp/wpa.c =================================================================== --- contrib/wpa/src/rsn_supp/wpa.c (Revision 324638) +++ contrib/wpa/src/rsn_supp/wpa.c (Arbeitskopie) 
@@ -1534,6 +1534,14 @@ sm->ptk_set = 1; os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); os_memset(&sm->tptk, 0, sizeof(sm->tptk)); + /* + * This assures the same TPTK in sm->tptk can never be + * copied twice to sm->pkt as the new PTK. In + * combination with the installed flag in the wpa_ptk + * struct, this assures the same PTK is only installed + * once. + */ + sm->renew_snonce = 1; } } --------------FDEAD5A07F7807785CA9C662--
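Review bot: the comment added before `sm->renew_snonce = 1;` leans on "the installed flag in the wpa_ptk struct", but nothing in this hunk adds or tests such a flag, so the once-only PTK installation it promises depends on code outside this patch. Please confirm that the wpa_supplicant version in contrib already carries that flag and checks it before installing the key, or include that change here; otherwise the comment should claim only what setting `renew_snonce` achieves. There is also a small typo in the same comment: `sm->pkt` should read `sm->ptk`, matching the `os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));` line above it.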