Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/external/bsd/wpa/dist/wpa_supplicant http://w1.fi/security/2...

details:   https://anonhg.NetBSD.org/src/rev/20b8954cd3db
branches:  trunk
changeset: 345039:20b8954cd3db
user:      christos <christos%NetBSD.org@localhost>
date:      Tue May 03 18:22:28 2016 +0000

description:
http://w1.fi/security/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch
Many of the global configuration parameters are written as strings
without filtering and if there is an embedded newline character in the
value, unexpected configuration file data might be written.

This fixes an issue where wpa_supplicant could have updated the
configuration file global parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the value of a parameter before passing it to
wpa_supplicant.

This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.

diffstat:

 external/bsd/wpa/dist/wpa_supplicant/config.c |  6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diffs (16 lines):

diff -r 629d72c036d4 -r 20b8954cd3db external/bsd/wpa/dist/wpa_supplicant/config.c
--- a/external/bsd/wpa/dist/wpa_supplicant/config.c     Tue May 03 18:21:54 2016 +0000
+++ b/external/bsd/wpa/dist/wpa_supplicant/config.c     Tue May 03 18:22:28 2016 +0000
@@ -3649,6 +3649,12 @@
                return -1;
        }
 
+       if (has_newline(pos)) {
+               wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
+                          line, data->name);
+               return -1;
+       }
+
        tmp = os_strdup(pos);
        if (tmp == NULL)
                return -1;
Home | Main Index | Thread Index | Old Index