GNU bug report logs - #35563
WPA Supplicant 2.8


Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Sat, 4 May 2019 16:27:02 UTC

Severity: normal

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#35563; Package guix-patches. (Sat, 04 May 2019 16:27:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 04 May 2019 16:27:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Subject: WPA Supplicant 2.8
Date: Sat, 04 May 2019 18:26:42 +0200
[Message part 1 (text/plain, inline)]
Hello!

Attached is a security update for WPA Supplicant.

The new version toggles a lot of build-time options to more closely
resemble what Debian and Arch do.  Unfortunately the new defaults
appear to require OpenSSL instead of GnuTLS.

Thoughts?

[0001-gnu-wpa_supplicant-Update-to-2.8-security-fixes.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#35563; Package guix-patches. (Mon, 06 May 2019 08:11:02 GMT) Full text and rfc822 format available.

Message #8 received at 35563 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 35563 <at> debbugs.gnu.org
Subject: Re: [bug#35563] WPA Supplicant 2.8
Date: Mon, 06 May 2019 10:10:42 +0200
Hello Marius,

Marius Bakke <mbakke <at> fastmail.com> skribis:

> Attached is a security update for WPA Supplicant.
>
> The new version toggles a lot of build-time options to more closely
> resemble what Debian and Arch do.  Unfortunately the new defaults
> appear to require OpenSSL instead of GnuTLS.

What happens when you keep CONFIG_TLS=gnutls?

> From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke <at> fastmail.com>
> Date: Tue, 30 Apr 2019 00:05:36 +0200
> Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes].
>
> This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
> CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555.
>
> * gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8.
> [source](snippet): New field.  Disable D-Bus.
> [arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y.  Change CONFIG_TLS to
> use OpenSSL rather than GnuTLS.
> [inputs]: Remove GNUTLS and LIBGCRYPT.  Add OPENSSL-NEXT.
> (wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y.

[...]

> +                  (substitute* "wpa_supplicant/defconfig"
> +                    ;; Disable D-Bus by default.
> +                    (("^CONFIG_CTRL_IFACE_DBUS_" line _)
> +                     (string-append "#" line)))
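
Review bot: The regex `^CONFIG_CTRL_IFACE_DBUS_` in this `substitute*` clause has no parenthesised group, yet the clause binds two names, `line` and `_`. `line` therefore holds only the matched prefix, not the whole line, so a name such as `prefix` with the unused `_` dropped would describe it better. The trailing underscore in the pattern also means a bare `CONFIG_CTRL_IFACE_DBUS=` line in defconfig would not be commented out, and the comment "Disable D-Bus by default" would be more useful if it said why the default is being changed here.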

This change is unrelated to the upgrade, right?  It would break Connman
(which expects to talk to wpa_supplicant over D-Bus), as well as
NetworkManager probably, no?  Or am I missing something?

I’d like to have to make sure wpa_supplicant works well in the 1.0.1
installer.  :-)

Thanks for looking into it!

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#35563; Package guix-patches. (Mon, 06 May 2019 13:21:02 GMT) Full text and rfc822 format available.

Message #11 received at 35563 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 35563 <at> debbugs.gnu.org
Subject: Re: [bug#35563] WPA Supplicant 2.8
Date: Mon, 06 May 2019 15:20:18 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:

> Hello Marius,
>
> Marius Bakke <mbakke <at> fastmail.com> skribis:
>
>> Attached is a security update for WPA Supplicant.
>>
>> The new version toggles a lot of build-time options to more closely
>> resemble what Debian and Arch do.  Unfortunately the new defaults
>> appear to require OpenSSL instead of GnuTLS.
>
> What happens when you keep CONFIG_TLS=gnutls?

The linker fails to find a lot of OpenSSL interfaces.  Short excerpt:

ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
/tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'

Omitting the OpenSSL input makes it fail earlier due to lack of headers.

>> From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke <at> fastmail.com>
>> Date: Tue, 30 Apr 2019 00:05:36 +0200
>> Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes].
>>
>> This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
>> CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555.
>>
>> * gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8.
>> [source](snippet): New field.  Disable D-Bus.
>> [arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y.  Change CONFIG_TLS to
>> use OpenSSL rather than GnuTLS.
>> [inputs]: Remove GNUTLS and LIBGCRYPT.  Add OPENSSL-NEXT.
>> (wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y.
>
> [...]
>
>> +                  (substitute* "wpa_supplicant/defconfig"
>> +                    ;; Disable D-Bus by default.
>> +                    (("^CONFIG_CTRL_IFACE_DBUS_" line _)
>> +                     (string-append "#" line)))
>
> This change is unrelated to the upgrade, right?  It would break Connman
> (which expects to talk to wpa_supplicant over D-Bus), as well as
> NetworkManager probably, no?  Or am I missing something?

The distinguishing feature between "wpa-supplicant-minimal" and
"wpa-supplicant" is D-Bus support.

Upstream enabled D-Bus by default in version 2.8, so I toggled it back
with the snippet above so "wpa-supplicant-minimal" stays the same.

However I notice now that the new "wpa-supplicant-minimal" has D-Bus in
its closure even though the D-Bus interface is disabled.

So I'm not sure if it makes sense to have the separate -minimal variant
anymore.  The size of both wpa-supplicant variants is 102.4 MiB after
this patch, down from 157.4 and 143.1 MiB on the Guix master branch.

Thoughts?
[signature.asc (application/pgp-signature, inline)]
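
One way to triage linker output like the excerpt in the message above, as an added example that is not part of the original thread: it groups the undefined references by source file and flags the files whose missing symbols belong to OpenSSL. The function names and the `OPENSSL_PREFIXES` list are this example's own assumptions; the build-directory layout is taken from the quoted excerpt.

```python
import posixpath
import re
from collections import defaultdict

# Constructed input: the linker lines quoted in the message above.
LD_OUTPUT = """\
ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
/tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'
"""

# "<path>:<line>: undefined reference to `<symbol>'" as printed by GNU ld.
UNDEF = re.compile(
    r"(?P<path>\S+):(?P<line>\d+): undefined reference to `(?P<sym>[^']+)'")
# Build directory prefix as it appears in the excerpt (/tmp/guix-build-*/<src>/).
BUILD_ROOT = re.compile(r"^/tmp/guix-build-[^/]+/[^/]+/")
# Assumption: a hand-picked, non-exhaustive list of OpenSSL symbol prefixes.
OPENSSL_PREFIXES = ("EVP_", "EC_KEY_")


def source_path(path):
    """Collapse '..' segments and strip the build-directory prefix."""
    return BUILD_ROOT.sub("", posixpath.normpath(path))


def undefined_by_source(ld_text):
    """Map each source file to its sorted (line, symbol) undefined references."""
    found = defaultdict(list)
    for m in UNDEF.finditer(ld_text):
        found[source_path(m["path"])].append((int(m["line"]), m["sym"]))
    return {src: sorted(refs) for src, refs in found.items()}


def openssl_dependent_sources(ld_text):
    """Source files with at least one missing symbol from the OpenSSL API."""
    return sorted(
        src for src, refs in undefined_by_source(ld_text).items()
        if any(sym.startswith(OPENSSL_PREFIXES) for _, sym in refs))


if __name__ == "__main__":
    for src, refs in undefined_by_source(LD_OUTPUT).items():
        print(src, [sym for _, sym in refs])
    print("needs OpenSSL:", openssl_dependent_sources(LD_OUTPUT))
```

Run against a full build log, the result shows which source files tie the build to OpenSSL when a different `CONFIG_TLS` backend is selected.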

Information forwarded to guix-patches <at> gnu.org:
bug#35563; Package guix-patches. (Tue, 07 May 2019 15:22:02 GMT) Full text and rfc822 format available.

Message #14 received at 35563 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 35563 <at> debbugs.gnu.org
Subject: Re: [bug#35563] WPA Supplicant 2.8
Date: Tue, 07 May 2019 17:21:06 +0200
Hi,

Marius Bakke <mbakke <at> fastmail.com> skribis:

> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Hello Marius,
>>
>> Marius Bakke <mbakke <at> fastmail.com> skribis:
>>
>>> Attached is a security update for WPA Supplicant.
>>>
>>> The new version toggles a lot of build-time options to more closely
>>> resemble what Debian and Arch do.  Unfortunately the new defaults
>>> appear to require OpenSSL instead of GnuTLS.
>>
>> What happens when you keep CONFIG_TLS=gnutls?
>
> The linker fails to find a lot of OpenSSL interfaces.  Short excerpt:
>
> ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
> /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'
>
> Omitting the OpenSSL input makes it fail earlier due to lack of headers.

OK.

>> This change is unrelated to the upgrade, right?  It would break Connman
>> (which expects to talk to wpa_supplicant over D-Bus), as well as
>> NetworkManager probably, no?  Or am I missing something?
>
> The distinguishing feature between "wpa-supplicant-minimal" and
> "wpa-supplicant" is D-Bus support.
>
> Upstream enabled D-Bus by default in version 2.8, so I toggled it back
> with the snippet above so "wpa-supplicant-minimal" stays the same.
>
> However I notice now that the new "wpa-supplicant-minimal" has D-Bus in
> its closure even though the D-Bus interface is disabled.
>
> So I'm not sure if it makes sense to have the separate -minimal variant
> anymore.  The size of both wpa-supplicant variants is 102.4 MiB after
> this patch, down from 157.4 and 143.1 MiB on the Guix master branch.

Well you’re right, maybe it doesn’t make much sense to keep both
variants in that case.

So I guess you can go ahead and push so we can all test it in the coming
days!

Thanks,
Ludo’.




Reply sent to Marius Bakke <mbakke <at> fastmail.com>:
You have taken responsibility. (Thu, 09 May 2019 15:36:03 GMT) Full text and rfc822 format available.

Notification sent to Marius Bakke <mbakke <at> fastmail.com>:
bug acknowledged by developer. (Thu, 09 May 2019 15:36:04 GMT) Full text and rfc822 format available.

Message #19 received at 35563-done <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 35563-done <at> debbugs.gnu.org
Subject: Re: [bug#35563] WPA Supplicant 2.8
Date: Thu, 09 May 2019 17:35:45 +0200
[Message part 1 (text/plain, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:

> Hi,
>
> Marius Bakke <mbakke <at> fastmail.com> skribis:
>
>> Ludovic Courtès <ludo <at> gnu.org> writes:
>>
>>> Hello Marius,
>>>
>>> Marius Bakke <mbakke <at> fastmail.com> skribis:
>>>
>>>> Attached is a security update for WPA Supplicant.
>>>>
>>>> The new version toggles a lot of build-time options to more closely
>>>> resemble what Debian and Arch do.  Unfortunately the new defaults
>>>> appear to require OpenSSL instead of GnuTLS.
>>>
>>> What happens when you keep CONFIG_TLS=gnutls?
>>
>> The linker fails to find a lot of OpenSSL interfaces.  Short excerpt:
>>
>> ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
>> /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
>> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
>> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'
>>
>> Omitting the OpenSSL input makes it fail earlier due to lack of headers.
>
> OK.
>
>>> This change is unrelated to the upgrade, right?  It would break Connman
>>> (which expects to talk to wpa_supplicant over D-Bus), as well as
>>> NetworkManager probably, no?  Or am I missing something?
>>
>> The distinguishing feature between "wpa-supplicant-minimal" and
>> "wpa-supplicant" is D-Bus support.
>>
>> Upstream enabled D-Bus by default in version 2.8, so I toggled it back
>> with the snippet above so "wpa-supplicant-minimal" stays the same.
>>
>> However I notice now that the new "wpa-supplicant-minimal" has D-Bus in
>> its closure even though the D-Bus interface is disabled.
>>
>> So I'm not sure if it makes sense to have the separate -minimal variant
>> anymore.  The size of both wpa-supplicant variants is 102.4 MiB after
>> this patch, down from 157.4 and 143.1 MiB on the Guix master branch.
>
> Well you’re right, maybe it doesn’t make much sense to keep both
> variants in that case.

Errh nevermind, the "wpa-supplicant-minimal" package does *not* have
D-Bus in its closure.  The updated sizes are 87.8 and 102.1 MiB.

> So I guess you can go ahead and push so we can all test it in the coming
> days!

I have tested this on a few different setups and it appears to work
fine.  Pushed as aeb1ed1abcc953694bcd742ae5e3ba5a13506373!
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#35563; Package guix-patches. (Fri, 10 May 2019 07:53:01 GMT) Full text and rfc822 format available.

Message #22 received at 35563-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 35563-done <at> debbugs.gnu.org
Subject: Re: [bug#35563] WPA Supplicant 2.8
Date: Fri, 10 May 2019 09:52:15 +0200
Hi!

Marius Bakke <mbakke <at> fastmail.com> skribis:

> Errh nevermind, the "wpa-supplicant-minimal" package does *not* have
> D-Bus in its closure.  The updated sizes are 87.8 and 102.1 MiB.

Alright.  :-)

>> So I guess you can go ahead and push so we can all test it in the coming
>> days!
>
> I have tested this on a few different setups and it appears to work
> fine.  Pushed as aeb1ed1abcc953694bcd742ae5e3ba5a13506373!

Thanks!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 07 Jun 2019 11:24:07 GMT) Full text and rfc822 format available.
