Debian

Available patches from Ubuntu

To see Ubuntu differences wrt. to Debian, write down a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: wpa

wpa (2:2.8-2ubuntu2) eoan; urgency=medium * SECURITY UPDATE: SAE/EAP-pwd side-channel attack w/Brainpool curves - debian/patches/CVE-2019-13377-1.patch: use const_time_memcmp() for pwd_value >= prime comparison in src/common/sae.c. - debian/patches/CVE-2019-13377-2.patch: use const_time_memcmp() for pwd_value >= prime comparison in src/eap_common/eap_pwd_common.c. - debian/patches/CVE-2019-13377-3.patch: use BN_bn2binpad() or BN_bn2bin_padded() if available in src/crypto/crypto_openssl.c. - debian/patches/CVE-2019-13377-4.patch: run through prf result processing even if it >= prime in src/common/sae.c. - debian/patches/CVE-2019-13377-5.patch: run through prf result processing even if it >= prime in src/eap_common/eap_pwd_common.c. - debian/patches/CVE-2019-13377-6.patch: disable use of groups using Brainpool curves in src/common/sae.c, src/eap_common/eap_pwd_common.c. - CVE-2019-13377 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 13 Aug 2019 13:32:28 -0400 wpa (2:2.8-2ubuntu1) eoan; urgency=low * Merge from Debian unstable. Remaining changes: - debian/patches/wpa_service_ignore-on-isolate.patch: add IgnoreOnIsolate=yes so that when switching "runlevels" in oem-config will not kill off wpa and cause wireless to be unavailable on first boot. - debian/patches/session-ticket.patch: disable the TLS Session Ticket extension to fix auth with 802.1x PEAP on some hardware. * Dropped changes, upstream: - debian/patches/CVE-2019-11555-1.patch: fix reassembly buffer handling in src/eap_server/eap_server_pwd.c. - debian/patches/CVE-2019-11555-2.patch: fix reassembly buffer handling in src/eap_peer/eap_pwd.c. - debian/patches/VU-871675/*.patch: backported upstream patches. * Remove android-headers build-depends -- Julian Andres Klode <juliank@ubuntu.com> Wed, 08 May 2019 11:57:47 +0200

Modifications :
  1. Download patch debian/changelog.

    --- 2:2.8-2/debian/changelog. 1970-01-01 00:00:00.000000000 +0000 +++ 2:2.8-2ubuntu2/debian/changelog. 2019-05-08 09:51:40.000000000 +0000 @@ -0,0 +1 @@ +
  2. Download patch debian/control

    --- 2:2.8-2/debian/control 2019-04-28 19:20:19.000000000 +0000 +++ 2:2.8-2ubuntu2/debian/control 2019-05-08 09:51:27.000000000 +0000 @@ -1,5 +1,6 @@ Source: wpa -Maintainer: Debian wpasupplicant Maintainers <wpa@packages.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian wpasupplicant Maintainers <wpa@packages.debian.org> Uploaders: Andrej Shadura <andrewsh@debian.org> Section: net
  3. Download patch debian/patches/series

    --- 2:2.8-2/debian/patches/series 2019-04-28 19:20:19.000000000 +0000 +++ 2:2.8-2ubuntu2/debian/patches/series 2019-08-13 17:32:17.000000000 +0000 @@ -9,3 +9,12 @@ allow-tlsv1.patch fix-ENGINE-support-with-openssl-1.1.patch # regress fixes from 2.8+ 2.8-fixes/0001-Fix-a-regression-in-storing-of-external_auth-SSID-BS.patch +# Ubuntu patches +session-ticket.patch +wpa_service_ignore-on-isolate.patch +CVE-2019-13377-1.patch +CVE-2019-13377-2.patch +CVE-2019-13377-3.patch +CVE-2019-13377-4.patch +CVE-2019-13377-5.patch +CVE-2019-13377-6.patch
  4. Download patch debian/patches/CVE-2019-13377-1.patch

    --- 2:2.8-2/debian/patches/CVE-2019-13377-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:2.8-2ubuntu2/debian/patches/CVE-2019-13377-1.patch 2019-08-13 17:31:58.000000000 +0000 @@ -0,0 +1,31 @@ +From e43f08991f00820c1f711ca254021d5f83b5cd7d Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Thu, 25 Apr 2019 18:52:34 +0300 +Subject: [PATCH 1/6] SAE: Use const_time_memcmp() for pwd_value >= prime + comparison + +This reduces timing and memory access pattern differences for an +operation that could depend on the used password. + +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +(cherry picked from commit 8e14b030e558d23f65d761895c07089404e61cf1) +--- + src/common/sae.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/common/sae.c b/src/common/sae.c +index 5a50294a6..0d56e5505 100644 +--- a/src/common/sae.c ++++ b/src/common/sae.c +@@ -317,7 +317,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, + wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", + pwd_value, sae->tmp->prime_len); + +- if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0) ++ if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0) + return 0; + + x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); +-- +2.20.1 +
  5. Download patch debian/patches/CVE-2019-13377-2.patch

    --- 2:2.8-2/debian/patches/CVE-2019-13377-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:2.8-2ubuntu2/debian/patches/CVE-2019-13377-2.patch 2019-08-13 17:32:02.000000000 +0000 @@ -0,0 +1,70 @@ +From 20d7bd83c43fb24c4cf84d3045254d3ee1957166 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Thu, 25 Apr 2019 19:07:05 +0300 +Subject: [PATCH 2/6] EAP-pwd: Use const_time_memcmp() for pwd_value >= prime + comparison + +This reduces timing and memory access pattern differences for an +operation that could depend on the used password. + +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +(cherry picked from commit 7958223fdcfe82479e6ed71019a84f6d4cbf799c) +--- + src/eap_common/eap_pwd_common.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c +index 884150e6c..6ca2c8bad 100644 +--- a/src/eap_common/eap_pwd_common.c ++++ b/src/eap_common/eap_pwd_common.c +@@ -144,6 +144,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + u8 qnr_bin[MAX_ECC_PRIME_LEN]; + u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; + u8 x_bin[MAX_ECC_PRIME_LEN]; ++ u8 prime_bin[MAX_ECC_PRIME_LEN]; + struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL; + struct crypto_hash *hash; + unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; +@@ -161,6 +162,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + os_memset(x_bin, 0, sizeof(x_bin)); + + prime = crypto_ec_get_prime(grp->group); ++ primebitlen = crypto_ec_prime_len_bits(grp->group); ++ primebytelen = crypto_ec_prime_len(grp->group); ++ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), ++ primebytelen) < 0) ++ return -1; + grp->pwe = crypto_ec_point_init(grp->group); + tmp1 = crypto_bignum_init(); + pm1 = crypto_bignum_init(); +@@ -170,8 +176,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + goto fail; + } + +- primebitlen = crypto_ec_prime_len_bits(grp->group); +- primebytelen = crypto_ec_prime_len(grp->group); + if ((prfbuf = os_malloc(primebytelen)) == NULL) { + wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " + "buffer"); +@@ -237,6 +241,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + if (primebitlen % 8) + buf_shift_right(prfbuf, primebytelen, + 8 - primebitlen % 8); ++ if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0) ++ continue; + + crypto_bignum_deinit(x_candidate, 1); + x_candidate = crypto_bignum_init_set(prfbuf, primebytelen); +@@ -246,9 +252,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + goto fail; + } + +- if (crypto_bignum_cmp(x_candidate, prime) >= 0) +- continue; +- + wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate", + prfbuf, primebytelen); + const_time_select_bin(found, x_bin, prfbuf, primebytelen, +-- +2.20.1 +
  6. Download patch debian/patches/CVE-2019-13377-3.patch

    --- 2:2.8-2/debian/patches/CVE-2019-13377-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:2.8-2ubuntu2/debian/patches/CVE-2019-13377-3.patch 2019-08-13 17:32:06.000000000 +0000 @@ -0,0 +1,66 @@ +From ee34d8cfbd0fbf7ba7429531d4bee1c43b074d8b Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Thu, 25 Apr 2019 19:23:05 +0300 +Subject: [PATCH 3/6] OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if + available + +This converts crypto_bignum_to_bin() to use the OpenSSL/BoringSSL +functions BN_bn2binpad()/BN_bn2bin_padded(), when available, to avoid +differences in runtime and memory access patterns depending on the +leading bytes of the BIGNUM value. + +OpenSSL 1.0.2 and LibreSSL do not include such functions, so those cases +are still using the previous implementation where the BN_num_bytes() +call may result in different memory access pattern. + +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +(cherry picked from commit 1e237903f5b5d3117342daf006c5878cdb45e3d3) +--- + src/crypto/crypto_openssl.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c +index 1b0c1ec96..23ae5462d 100644 +--- a/src/crypto/crypto_openssl.c ++++ b/src/crypto/crypto_openssl.c +@@ -1295,7 +1295,13 @@ void crypto_bignum_deinit(struct crypto_bignum *n, int clear) + int crypto_bignum_to_bin(const struct crypto_bignum *a, + u8 *buf, size_t buflen, size_t padlen) + { ++#ifdef OPENSSL_IS_BORINGSSL ++#else /* OPENSSL_IS_BORINGSSL */ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#else + int num_bytes, offset; ++#endif ++#endif /* OPENSSL_IS_BORINGSSL */ + + if (TEST_FAIL()) + return -1; +@@ -1303,6 +1309,14 @@ int crypto_bignum_to_bin(const struct crypto_bignum *a, + if (padlen > buflen) + return -1; + ++#ifdef OPENSSL_IS_BORINGSSL ++ if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0) ++ return -1; ++ return padlen; ++#else /* OPENSSL_IS_BORINGSSL */ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++ return BN_bn2binpad((const BIGNUM *) a, buf, padlen); ++#else + num_bytes = BN_num_bytes((const BIGNUM *) a); + if ((size_t) num_bytes > buflen) + return -1; +@@ -1315,6 +1329,8 @@ int crypto_bignum_to_bin(const struct crypto_bignum *a, + BN_bn2bin((const BIGNUM *) a, buf + offset); + + return num_bytes + offset; ++#endif ++#endif /* OPENSSL_IS_BORINGSSL */ + } + + +-- +2.20.1 +
  7. Download patch debian/patches/wpa_service_ignore-on-isolate.patch

    --- 2:2.8-2/debian/patches/wpa_service_ignore-on-isolate.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:2.8-2ubuntu2/debian/patches/wpa_service_ignore-on-isolate.patch 2019-05-08 09:51:27.000000000 +0000 @@ -0,0 +1,16 @@ +Updated: 2017-11-10 + +--- + wpa_supplicant/systemd/wpa_supplicant.service.in | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/wpa_supplicant/systemd/wpa_supplicant.service.in ++++ b/wpa_supplicant/systemd/wpa_supplicant.service.in +@@ -3,6 +3,7 @@ Description=WPA supplicant + Before=network.target + After=dbus.service + Wants=network.target ++IgnoreOnIsolate=true + + [Service] + Type=dbus
  8. Download patch debian/patches/CVE-2019-13377-4.patch

    --- 2:2.8-2/debian/patches/CVE-2019-13377-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:2.8-2ubuntu2/debian/patches/CVE-2019-13377-4.patch 2019-08-13 17:32:09.000000000 +0000 @@ -0,0 +1,59 @@ +From a25b48118d75f3c2d7cb1b2c3b4cffb13091a34c Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Mon, 24 Jun 2019 23:01:06 +0300 +Subject: [PATCH 4/6] SAE: Run through prf result processing even if it >= + prime + +This reduces differences in timing and memory access within the +hunting-and-pecking loop for ECC groups that have a prime that is not +close to a power of two (e.g., Brainpool curves). + +Signed-off-by: Jouni Malinen <j@w1.fi> +(cherry picked from commit 147bf7b88a9c231322b5b574263071ca6dbb0503) +--- + src/common/sae.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/common/sae.c b/src/common/sae.c +index 0d56e5505..759e48e22 100644 +--- a/src/common/sae.c ++++ b/src/common/sae.c +@@ -304,6 +304,8 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, + struct crypto_bignum *y_sqr, *x_cand; + int res; + size_t bits; ++ int cmp_prime; ++ unsigned int in_range; + + wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN); + +@@ -317,8 +319,13 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, + wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", + pwd_value, sae->tmp->prime_len); + +- if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0) +- return 0; ++ cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len); ++ /* Create a const_time mask for selection based on prf result ++ * being smaller than prime. */ ++ in_range = const_time_fill_msb((unsigned int) cmp_prime); ++ /* The algorithm description would skip the next steps if ++ * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to ++ * minimize externally observable differences in behavior. */ + + x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); + if (!x_cand) +@@ -330,7 +337,9 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, + + res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr); + crypto_bignum_deinit(y_sqr, 1); +- return res; ++ if (res < 0) ++ return res; ++ return const_time_select_int(in_range, res, 0); + } + + +-- +2.20.1 +
  9. Download patch debian/patches/CVE-2019-13377-5.patch

    --- 2:2.8-2/debian/patches/CVE-2019-13377-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:2.8-2ubuntu2/debian/patches/CVE-2019-13377-5.patch 2019-08-13 17:32:13.000000000 +0000 @@ -0,0 +1,57 @@ +From 00a6cc73da61b03c146b6c341d0d1e572bcef432 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Mon, 24 Jun 2019 23:02:51 +0300 +Subject: [PATCH 5/6] EAP-pwd: Run through prf result processing even if it >= + prime + +This reduces differences in timing and memory access within the +hunting-and-pecking loop for ECC groups that have a prime that is not +close to a power of two (e.g., Brainpool curves). + +Signed-off-by: Jouni Malinen <j@w1.fi> +(cherry picked from commit cd803299ca485eb857e37c88f973fccfbb8600e5) +--- + src/eap_common/eap_pwd_common.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c +index 6ca2c8bad..fec251472 100644 +--- a/src/eap_common/eap_pwd_common.c ++++ b/src/eap_common/eap_pwd_common.c +@@ -155,6 +155,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + struct crypto_bignum *x_candidate = NULL; + const struct crypto_bignum *prime; + u8 mask, found_ctr = 0, is_odd = 0; ++ int cmp_prime; ++ unsigned int in_range; + + if (grp->pwe) + return -1; +@@ -241,8 +243,13 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + if (primebitlen % 8) + buf_shift_right(prfbuf, primebytelen, + 8 - primebitlen % 8); +- if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0) +- continue; ++ cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen); ++ /* Create a const_time mask for selection based on prf result ++ * being smaller than prime. */ ++ in_range = const_time_fill_msb((unsigned int) cmp_prime); ++ /* The algorithm description would skip the next steps if ++ * cmp_prime >= 0, but go through them regardless to minimize ++ * externally observable differences in behavior. */ + + crypto_bignum_deinit(x_candidate, 1); + x_candidate = crypto_bignum_init_set(prfbuf, primebytelen); +@@ -306,7 +313,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + goto fail; + mask = const_time_eq(res, check); + found_ctr = const_time_select_u8(found, found_ctr, ctr); +- found |= mask; ++ found |= mask & in_range; + } + if (found == 0) { + wpa_printf(MSG_INFO, +-- +2.20.1 +
  10. Download patch debian/patches/session-ticket.patch

    --- 2:2.8-2/debian/patches/session-ticket.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:2.8-2ubuntu2/debian/patches/session-ticket.patch 2019-05-08 09:51:27.000000000 +0000 @@ -0,0 +1,19 @@ +From: Jeremy Nickurak <jeremy@nickurak.ca> +Subject: Disable the session ticket TLS extension. +Bug-ubuntu: https://bugs.launchpad.net/ubuntu/+source/wpasupplicant/+bug/969343 +Bug: http://w1.fi/bugz/show_bug.cgi?id=447 + +--- + src/crypto/tls_openssl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -1354,6 +1354,7 @@ struct tls_connection * tls_connection_i + #ifdef SSL_OP_NO_COMPRESSION + options |= SSL_OP_NO_COMPRESSION; + #endif /* SSL_OP_NO_COMPRESSION */ ++ options |= SSL_OP_NO_TICKET; + SSL_set_options(conn->ssl, options); + + conn->ssl_in = BIO_new(BIO_s_mem());
  11. Download patch debian/patches/CVE-2019-13377-6.patch

    --- 2:2.8-2/debian/patches/CVE-2019-13377-6.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:2.8-2ubuntu2/debian/patches/CVE-2019-13377-6.patch 2019-08-13 17:32:17.000000000 +0000 @@ -0,0 +1,51 @@ +From 558518ed63202e5358116ab7e0afd5e85490f2ef Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sat, 27 Jul 2019 23:19:17 +0300 +Subject: [PATCH 6/6] dragonfly: Disable use of groups using Brainpool curves + +Disable groups that use Brainpool curves for now since they leak more +timing information due to the prime not being close to a power of two. +This removes use of groups 28, 29, and 30 from SAE and EAP-pwd. + +Signed-off-by: Jouni Malinen <j@w1.fi> +(cherry picked from commit 876c5eaa6dae1a87a17603fc489a44c29eedc2e3) +--- + src/common/sae.c | 6 ++++-- + src/eap_common/eap_pwd_common.c | 3 +-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/common/sae.c b/src/common/sae.c +index 759e48e22..2dbc251a4 100644 +--- a/src/common/sae.c ++++ b/src/common/sae.c +@@ -28,9 +28,11 @@ static int sae_suitable_group(int group) + * purposes: FFC groups whose prime is >= 3072 bits and ECC groups + * defined over a prime field whose prime is >= 256 bits. Furthermore, + * ECC groups defined over a characteristic 2 finite field and ECC +- * groups with a co-factor greater than 1 are not suitable. */ ++ * groups with a co-factor greater than 1 are not suitable. Disable ++ * groups that use Brainpool curves as well for now since they leak more ++ * timing information due to the prime not being close to a power of ++ * two. */ + return group == 19 || group == 20 || group == 21 || +- group == 28 || group == 29 || group == 30 || + group == 15 || group == 16 || group == 17 || group == 18; + #endif /* CONFIG_TESTING_OPTIONS */ + } +diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c +index fec251472..4a5eb2599 100644 +--- a/src/eap_common/eap_pwd_common.c ++++ b/src/eap_common/eap_pwd_common.c +@@ -89,8 +89,7 @@ static int eap_pwd_suitable_group(u16 num) + { + /* Do not allow ECC groups with prime under 256 bits based on guidance + * for the similar design in SAE. */ +- return num == 19 || num == 20 || num == 21 || +- num == 28 || num == 29 || num == 30; ++ return num == 19 || num == 20 || num == 21; + } + + +-- +2.20.1 +
  1. wpa