From owner-svn-ports-all@freebsd.org Sun Jul 12 11:22:12 2015 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 33A5E998815; Sun, 12 Jul 2015 11:22:12 +0000 (UTC) (envelope-from marino@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0A1891A34; Sun, 12 Jul 2015 11:22:12 +0000 (UTC) (envelope-from marino@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t6CBMBt0036207; Sun, 12 Jul 2015 11:22:11 GMT (envelope-from marino@FreeBSD.org) Received: (from marino@localhost) by repo.freebsd.org (8.14.9/8.14.9/Submit) id t6CBMBv1036205; Sun, 12 Jul 2015 11:22:11 GMT (envelope-from marino@FreeBSD.org) Message-Id: <201507121122.t6CBMBv1036205@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: marino set sender to marino@FreeBSD.org using -f From: John Marino Date: Sun, 12 Jul 2015 11:22:11 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r391779 - in head/security/wpa_supplicant: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 12 Jul 2015 11:22:12 -0000 Author: marino Date: Sun Jul 12 11:22:10 2015 New Revision: 391779 URL: https://svnweb.freebsd.org/changeset/ports/391779 Log: security/wpa_supplicant: Address security issue (2015-5) There was a vulnerability to the WPS_NFC option which is off by default. The port is being bumped anyway since people using that option will want the latest version. PR: 201432 Submitted by: Jason Unovitch Added: head/security/wpa_supplicant/files/patch-src_wps_ndef.c (contents, props changed) Modified: head/security/wpa_supplicant/Makefile Modified: head/security/wpa_supplicant/Makefile ============================================================================== --- head/security/wpa_supplicant/Makefile Sun Jul 12 11:04:22 2015 (r391778) +++ head/security/wpa_supplicant/Makefile Sun Jul 12 11:22:10 2015 (r391779) @@ -2,7 +2,7 @@ PORTNAME= wpa_supplicant PORTVERSION= 2.4 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security net MASTER_SITES= http://w1.fi/releases/ Added: head/security/wpa_supplicant/files/patch-src_wps_ndef.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/wpa_supplicant/files/patch-src_wps_ndef.c Sun Jul 12 11:22:10 2015 (r391779) @@ -0,0 +1,21 @@ +--- src/wps/ndef.c.orig 2015-03-15 17:30:39 UTC ++++ src/wps/ndef.c +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d + if (size < 6) + return -1; + record->payload_length = ntohl(*(u32 *)pos); ++ if (record->payload_length > size - 6) ++ return -1; + pos += sizeof(u32); + } + +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d + pos += record->payload_length; + + record->total_length = pos - data; +- if (record->total_length > size) ++ if (record->total_length > size || ++ record->total_length < record->payload_length) + return -1; + return 0; + }