Date: Tue, 3 May 2016 14:21:54 -0400
From: "Christos Zoulas"
Subject: CVS commit: src/external/bsd/wpa/dist/wpa_supplicant
To: source-changes@NetBSD.org
Message-Id: <20160503182154.83D39FBBA@cvs.NetBSD.org>

Module Name:	src
Committed By:	christos
Date:		Tue May 3 18:21:54 UTC 2016

Modified Files:
	src/external/bsd/wpa/dist/wpa_supplicant: config.c

Log Message:
http://w1.fi/security/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch

Most of the cred block parameters are written as strings without
filtering and if there is an embedded newline character in the value,
unexpected configuration file data might be written.

This fixes an issue where wpa_supplicant could have updated the
configuration file cred parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the credential value before passing it to
wpa_supplicant.

This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.

To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/external/bsd/wpa/dist/wpa_supplicant/config.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
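
The effect described in the log message, as an added example that is not code from this commit or from wpa_supplicant: a string field written unfiltered to a line-oriented configuration file beside a writer that rejects line breaks first. The function names, the `name="value"` line format, the sample value, and the choice to reject carriage returns as well are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Unfiltered writer (the behaviour the fix addresses): the value is copied
 * into a line-oriented config as-is. Returns 0, or -1 if it does not fit. */
int write_field_unfiltered(char *out, size_t len, const char *name,
                           const char *value)
{
    int n = snprintf(out, len, "\t%s=\"%s\"\n", name, value);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Checked writer: refuse any value that would end the current line. */
int write_field_checked(char *out, size_t len, const char *name,
                        const char *value)
{
    if (strpbrk(value, "\r\n") != NULL)
        return -1;
    return write_field_unfiltered(out, len, name, value);
}

/* Number of config lines a formatted field occupies. */
int count_lines(const char *s)
{
    int lines = 0;
    for (; *s; s++)
        if (*s == '\n')
            lines++;
    return lines;
}

int main(void)
{
    /* Constructed input: one value carrying an embedded newline. */
    const char *value = "alice\"\n\tsecond_key=\"x";
    char buf[128];

    write_field_unfiltered(buf, sizeof(buf), "username", value);
    printf("unfiltered: %d lines\n%s", count_lines(buf), buf);
    printf("checked: %d\n",
           write_field_checked(buf, sizeof(buf), "username", value));
    return 0;
}
```

The unfiltered writer turns one value into two configuration lines, which is how a single field can introduce a parameter the caller never set; the checked writer returns -1 and writes nothing.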