Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 12 Jul 2015 11:22:11 +0000 (UTC)
From:      John Marino <marino@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r391779 - in head/security/wpa_supplicant: . files
Message-ID:  <201507121122.t6CBMBv1036205@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: marino
Date: Sun Jul 12 11:22:10 2015
New Revision: 391779
URL: https://svnweb.freebsd.org/changeset/ports/391779

Log:
  security/wpa_supplicant: Address security issue (2015-5)
  
  There was a vulnerability to the WPS_NFC option which is off by default.
  The port is being bumped anyway since people using that option will want
  the latest version.
  
  PR:		201432
  Submitted by:	Jason Unovitch

Added:
  head/security/wpa_supplicant/files/patch-src_wps_ndef.c   (contents, props changed)
Modified:
  head/security/wpa_supplicant/Makefile

Modified: head/security/wpa_supplicant/Makefile
==============================================================================
--- head/security/wpa_supplicant/Makefile	Sun Jul 12 11:04:22 2015	(r391778)
+++ head/security/wpa_supplicant/Makefile	Sun Jul 12 11:22:10 2015	(r391779)
@@ -2,7 +2,7 @@
 
 PORTNAME=	wpa_supplicant
 PORTVERSION=	2.4
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	security net
 MASTER_SITES=	http://w1.fi/releases/
 

Added: head/security/wpa_supplicant/files/patch-src_wps_ndef.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/wpa_supplicant/files/patch-src_wps_ndef.c	Sun Jul 12 11:22:10 2015	(r391779)
@@ -0,0 +1,21 @@
+--- src/wps/ndef.c.orig	2015-03-15 17:30:39 UTC
++++ src/wps/ndef.c
+@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d
+ 		if (size < 6)
+ 			return -1;
+ 		record->payload_length = ntohl(*(u32 *)pos);
++		if (record->payload_length > size - 6)
++			return -1;
+ 		pos += sizeof(u32);
+ 	}
+ 
+@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d
+ 	pos += record->payload_length;
+ 
+ 	record->total_length = pos - data;
+-	if (record->total_length > size)
++	if (record->total_length > size ||
++	    record->total_length < record->payload_length)
+ 		return -1;
+ 	return 0;
+ }

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201507121122.t6CBMBv1036205>