From 2f51c9978dda4c6e8debca43e4235ecc86914032 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 25 Dec 2017 17:37:52 +0000 Subject: gentoo resync : 25.12.2017 --- ...CRED-commands-with-newline-characters-in-.patch | 62 ---------------------- 1 file changed, 62 deletions(-) delete mode 100644 net-wireless/wpa_supplicant/files/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch (limited to 'net-wireless/wpa_supplicant/files/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch') diff --git a/net-wireless/wpa_supplicant/files/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch b/net-wireless/wpa_supplicant/files/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch deleted file mode 100644 index 2dd38fee318b..000000000000 --- a/net-wireless/wpa_supplicant/files/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch +++ /dev/null @@ -1,62 +0,0 @@ -From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Tue, 5 Apr 2016 23:33:10 +0300 -Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the - string values - -Most of the cred block parameters are written as strings without -filtering and if there is an embedded newline character in the value, -unexpected configuration file data might be written. - -This fixes an issue where wpa_supplicant could have updated the -configuration file cred parameter with arbitrary data from the control -interface or D-Bus interface. While those interfaces are supposed to be -accessible only for trusted users/applications, it may be possible that -an untrusted user has access to a management software component that -does not validate the credential value before passing it to -wpa_supplicant. - -This could allow such an untrusted user to inject almost arbitrary data -into the configuration file. Such configuration file could result in -wpa_supplicant trying to load a library (e.g., opensc_engine_path, -pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user -controlled location when starting again. This would allow code from that -library to be executed under the wpa_supplicant process privileges. - -Signed-off-by: Jouni Malinen ---- - wpa_supplicant/config.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c -index eb97cd5..69152ef 100644 ---- a/wpa_supplicant/config.c -+++ b/wpa_supplicant/config.c -@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, - - if (os_strcmp(var, "password") == 0 && - os_strncmp(value, "ext:", 4) == 0) { -+ if (has_newline(value)) -+ return -1; - str_clear_free(cred->password); - cred->password = os_strdup(value); - cred->ext_password = 1; -@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, - } - - val = wpa_config_parse_string(value, &len); -- if (val == NULL) { -+ if (val == NULL || -+ (os_strcmp(var, "excluded_ssid") != 0 && -+ os_strcmp(var, "roaming_consortium") != 0 && -+ os_strcmp(var, "required_roaming_consortium") != 0 && -+ has_newline(val))) { - wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string " - "value '%s'.", line, var, value); -+ os_free(val); - return -1; - } - --- -1.9.1 - -- cgit v1.2.3