mirror of
git://slackware.nl/current.git
synced 2025-01-13 08:01:53 +01:00
58eb3d5294
l/libgsf-1.14.48-x86_64-1.txz: Upgraded.
l/netpbm-10.97.00-x86_64-1.txz: Upgraded.
n/wpa_supplicant-2.9-x86_64-8.txz: Rebuilt.
This update fixes the following security issues:
AP mode PMF disconnection protection bypass.
UPnP SUBSCRIBE misbehavior in hostapd WPS AP.
P2P group information processing vulnerability.
P2P provision discovery processing vulnerability.
ASN.1: Validate DigestAlgorithmIdentifier parameters.
Flush pending control interface message for an interface to be removed.
These issues could result in a denial-of-service, privilege escalation,
arbitrary code execution, or other unexpected behavior.
Thanks to nobodino for pointing out the patches.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0326
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0535
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16275
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30004
(* Security fix *)
xap/seamonkey-2.53.10.2-x86_64-1.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.seamonkey-project.org/releases/seamonkey2.53.10.2
(* Security fix *)
50 lines
1.7 KiB
Diff
50 lines
1.7 KiB
Diff
From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
|
|
From: Jouni Malinen <jouni@codeaurora.org>
|
|
Date: Tue, 8 Dec 2020 23:52:50 +0200
|
|
Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
|
|
|
|
p2p_add_device() may remove the oldest entry if there is no room in the
|
|
peer table for a new peer. This would result in any pointer to that
|
|
removed entry becoming stale. A corner case with an invalid PD Request
|
|
frame could result in such a case ending up using (read+write) freed
|
|
memory. This could only by triggered when the peer table has reached its
|
|
maximum size and the PD Request frame is received from the P2P Device
|
|
Address of the oldest remaining entry and the frame has incorrect P2P
|
|
Device Address in the payload.
|
|
|
|
Fix this by fetching the dev pointer again after having called
|
|
p2p_add_device() so that the stale pointer cannot be used.
|
|
|
|
Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
|
|
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
|
|
---
|
|
src/p2p/p2p_pd.c | 12 +++++-------
|
|
1 file changed, 5 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
|
|
index 3994ec03f86b..05fd593494ef 100644
|
|
--- a/src/p2p/p2p_pd.c
|
|
+++ b/src/p2p/p2p_pd.c
|
|
@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
|
|
goto out;
|
|
}
|
|
|
|
+ dev = p2p_get_device(p2p, sa);
|
|
if (!dev) {
|
|
- dev = p2p_get_device(p2p, sa);
|
|
- if (!dev) {
|
|
- p2p_dbg(p2p,
|
|
- "Provision Discovery device not found "
|
|
- MACSTR, MAC2STR(sa));
|
|
- goto out;
|
|
- }
|
|
+ p2p_dbg(p2p,
|
|
+ "Provision Discovery device not found "
|
|
+ MACSTR, MAC2STR(sa));
|
|
+ goto out;
|
|
}
|
|
} else if (msg.wfd_subelems) {
|
|
wpabuf_free(dev->info.wfd_subelems);
|
|
--
|
|
2.25.1
|
|
|