projects / buildroot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: dac4596)
package/hostapd: add upstream 2020-1 security patches
authorPeter Korsgaard <peter@korsgaard.com>
Mon, 24 Aug 2020 10:46:15 +0000 (12:46 +0200)
committerThomas Petazzoni <thomas.petazzoni@bootlin.com>
Mon, 24 Aug 2020 20:38:51 +0000 (22:38 +0200)
Fixes the following security vulnerabilities:

CVE-2020-12695: The Open Connectivity Foundation UPnP specification before
2020-04-17 does not forbid the acceptance of a subscription request with a
delivery URL on a different network segment than the fully qualified
event-subscription URL, aka the CallStranger issue.

For details, see the advisory:
https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
package/hostapd/hostapd.hash patch | blob | history
package/hostapd/hostapd.mk patch | blob | history

diff --git a/package/hostapd/hostapd.hash b/package/hostapd/hostapd.hash
index bf5016acc32181b1fc6129b181df44b5c2c1af1a..e2f76c12d9e52750fb86deb69c3d919f3caed696 100644 (file)
--- a/package/hostapd/hostapd.hash
+++ b/package/hostapd/hostapd.hash
@@ -1,3 +1,6 @@
 # Locally calculated
 sha256  881d7d6a90b2428479288d64233151448f8990ab4958e0ecaca7eeb3c9db2bd7  hostapd-2.9.tar.gz
+sha256  2d9a5b9d616f1b4aa4a22b967cee866e2f69b798b0b46803a7928c8559842bd7  0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
+sha256  49feb35a5276279b465f6836d6fa2c6b34d94dc979e8b840d1918865c04260de  0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
+sha256  a8212a2d89a5bab2824d22b6047e7740553df163114fcec94832bfa9c5c5d78a  0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
 sha256  9da5dd0776da266b180b915e460ff75c6ff729aca1196ab396529510f24f3761  README
diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk
index b94a0e457808a3e856799f2fc215a133e64b227a..676e36d8ba744dde9bf13c9fda63cd53accbaa6c 100644 (file)
--- a/package/hostapd/hostapd.mk
+++ b/package/hostapd/hostapd.mk
@@ -8,6 +8,10 @@ HOSTAPD_VERSION = 2.9
 HOSTAPD_SITE = http://w1.fi/releases
 HOSTAPD_SUBDIR = hostapd
 HOSTAPD_CONFIG = $(HOSTAPD_DIR)/$(HOSTAPD_SUBDIR)/.config
+HOSTAPD_PATCH = \
+       https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
+       https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
+       https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
 HOSTAPD_DEPENDENCIES = host-pkgconf
 HOSTAPD_CFLAGS = $(TARGET_CFLAGS)
 HOSTAPD_LICENSE = BSD-3-Clause
@@ -16,6 +20,9 @@ HOSTAPD_LICENSE_FILES = README
 # 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
 HOSTAPD_IGNORE_CVES += CVE-2019-16275
 
+# 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
+HOSTAPD_IGNORE_CVES += CVE-2020-12695
+
 HOSTAPD_CONFIG_SET =
 
 HOSTAPD_CONFIG_ENABLE = \