[3.4] wpa_supplicant: security vulnerabilities (CVE-2016-4476, CVE-2016-4477)
CVE-2016-4476: denial of service via crafted WPA/WPA2 passphrase parameter
wpa_supplicant 0.6.7 through 2.5 does not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation.
References:
http://w1.fi/security/2016-1/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4476
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4476
CVE-2016-4477: local configuration update allows privilege escalation
wpa_supplicant 0.4.0 through 2.5 does not reject \n and \r characters in passphrase parameters, which allows local users to trigger arbitrary library loading and consequently gain privileges, or cause a denial of service (daemon outage), via a crafted (1) SET, (2) SET_CRED, or (3) SET_NETWORK command.
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4477
http://w1.fi/security/2016-1/
(from redmine: issue id 5638, created on 2016-05-28, closed on 2016-06-23)
- Relations:
- parent #5637 (closed)
- Changesets:
- Revision 2806116f by Natanael Copa on 2016-05-30T17:21:32Z:
main/wpa_supplicant: security fix for CVE-2016-4476, CVE-2016-4477
fixes #5638
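
Added example (not code from wpa_supplicant or from the Alpine fix): one way to apply the check that both CVE entries describe as missing, rejecting control characters in a passphrase before it is written to a line-oriented configuration file. The function names, the psk="..." output line and the sample inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if data holds any ASCII control character (0x00-0x1f or 0x7f). */
static int contains_ctrl_char(const unsigned char *data, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++) {
        if (data[i] < 32 || data[i] == 127)
            return 1;
    }
    return 0;
}

/*
 * Hypothetical helper: validate a passphrase of explicit length and, only if
 * it is acceptable, format it as a single configuration line.
 * Returns 0 on success, -1 if the value is rejected or does not fit.
 */
int format_psk_line(const char *pass, size_t len, char *out, size_t out_len)
{
    int n;

    if (len < 8 || len > 63)            /* WPA/WPA2 passphrase length */
        return -1;
    if (contains_ctrl_char((const unsigned char *)pass, len))
        return -1;                      /* \n, \r, NUL, ... never reach the file */
    n = snprintf(out, out_len, "\tpsk=\"%.*s\"\n", (int)len, pass);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "correct horse battery", "abcdefgh\nkey=value",
                              "abcdefgh\rxyz", "short" };
    char line[128];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = format_psk_line(samples[i], strlen(samples[i]), line, sizeof(line));
        printf("sample %zu: %s\n", i, rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The length is passed explicitly rather than taken from strlen() inside the helper so that an embedded NUL byte is seen and rejected instead of silently truncating the value.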