Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Medium] wpa_supplicant: Fix CVE-2023-52160 #12220

Open
wants to merge 2 commits into
base: fasttrack/3.0
Choose a base branch
from
Open

[Medium] wpa_supplicant: Fix CVE-2023-52160 #12220

wants to merge 2 commits into from
+185 −1

Conversation

v-smalavathu
Copy link
Contributor

@v-smalavathu v-smalavathu commented Feb 4, 2025
edited
Loading

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

wpa_supplicant: Fix CVE-2023-52160

Change Log
  • newfile: SPECS/wpa_supplicant/CVE-2023-52160.patch
  • modified: SPECS/wpa_supplicant/wpa_supplicant.spec
Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Pipeline build id: xxxx

@v-smalavathu
Address CVE-2023-52160
ea86dd5 
Signed-off-by: Sreenivasulu Malavathula <[email protected]>
@v-smalavathu v-smalavathu requested a review from a team as a code owner February 4, 2025 23:31
@v-smalavathu v-smalavathu changed the title Address CVE-2023-52160 wpa_supplicant: Address CVE-2023-52160 Feb 4, 2025
@v-smalavathu v-smalavathu changed the title wpa_supplicant: Address CVE-2023-52160 [Medium] wpa_supplicant: Address CVE-2023-52160 Feb 4, 2025
@v-smalavathu v-smalavathu changed the title [Medium] wpa_supplicant: Address CVE-2023-52160 [Medium] wpa_supplicant: Fix CVE-2023-52160 Feb 4, 2025
@0xba1a
Copy link
Contributor

0xba1a commented Feb 6, 2025
edited
Loading

Prep Section. Patch got applied successfully.

time="2025-02-05T06:43:02Z" level=debug msg="Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.t1K9NM"
time="2025-02-05T06:43:02Z" level=debug msg="+ umask 022"
time="2025-02-05T06:43:02Z" level=debug msg="+ cd /usr/src/azl/BUILD"
time="2025-02-05T06:43:02Z" level=debug msg="+ /usr/lib/rpm/azl/gen-ld-script.sh wpa_supplicant 2.10-2.azl3 /usr/src/azl 3.0.20250205.0642"
time="2025-02-05T06:43:02Z" level=debug msg="gen-ld-script.sh name(wpa_supplicant) version(2.10-2.azl3) _topdir(/usr/src/azl) osversion(3.0.20250205.0642)"
time="2025-02-05T06:43:02Z" level=debug msg="==== ELF note generator v2.1.2 ===="
time="2025-02-05T06:43:02Z" level=debug msg="outdir is: /usr/src/azl/BUILD/"
time="2025-02-05T06:43:02Z" level=debug msg="Stamp method: LinkerOnly"
time="2025-02-05T06:43:02Z" level=debug
time="2025-02-05T06:43:02Z" level=debug msg="#ifndef _AUTO_MODULE_INFO_H_"
time="2025-02-05T06:43:02Z" level=debug msg="#define _AUTO_MODULE_INFO_H_"
time="2025-02-05T06:43:02Z" level=debug
time="2025-02-05T06:43:02Z" level=debug msg="#define MODULE_VERSION      \"2.10.0.0\""
time="2025-02-05T06:43:02Z" level=debug msg="#define PACKAGE_VERSION     \"2.10-2.azl3\""
time="2025-02-05T06:43:02Z" level=debug msg="#define PACKAGE_NAME        \"wpa_supplicant\""
time="2025-02-05T06:43:02Z" level=debug msg="#define TARGET_OS           \"mariner\""
time="2025-02-05T06:43:02Z" level=debug msg="#define TARGET_OS_VERSION   \"3.0\""
time="2025-02-05T06:43:02Z" level=debug
time="2025-02-05T06:43:02Z" level=debug msg="#endif //_AUTO_MODULE_INFO_H_"
time="2025-02-05T06:43:02Z" level=debug msg="Generated /usr/src/azl/BUILD/auto_module_info.h file..."
time="2025-02-05T06:43:02Z" level=debug
time="2025-02-05T06:43:02Z" level=debug msg="Successfully generated module_info.ld and .note.package files..."
time="2025-02-05T06:43:02Z" level=debug msg="+ cd /usr/src/azl/BUILD"
time="2025-02-05T06:43:02Z" level=debug msg="+ rm -rf wpa_supplicant-2.10"
time="2025-02-05T06:43:02Z" level=debug msg="+ /usr/lib/rpm/rpmuncompress -x /usr/src/azl/SOURCES/wpa_supplicant-2.10.tar.gz"
time="2025-02-05T06:43:02Z" level=debug msg="+ STATUS=0"
time="2025-02-05T06:43:02Z" level=debug msg="+ '[' 0 -ne 0 ']'"
time="2025-02-05T06:43:02Z" level=debug msg="+ cd wpa_supplicant-2.10"
time="2025-02-05T06:43:02Z" level=debug msg="+ /bin/chmod -Rf a+rX,u+w,g-w,o-w ."
time="2025-02-05T06:43:02Z" level=debug msg="+ /usr/lib/rpm/rpmuncompress /usr/src/azl/SOURCES/CVE-2023-52160.patch"
time="2025-02-05T06:43:02Z" level=debug msg="+ /bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f"
time="2025-02-05T06:43:02Z" level=debug msg="+ RPM_EC=0"
time="2025-02-05T06:43:02Z" level=debug msg="++ jobs -p"
time="2025-02-05T06:43:02Z" level=debug msg="+ exit 0"

0xba1a
0xba1a approved these changes Feb 6, 2025
View reviewed changes
Copy link
Contributor

@0xba1a 0xba1a left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Visually compared the patch with original patch from https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@0xba1a 0xba1a 0xba1a approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
fasttrack/3.0 Packaging
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@v-smalavathu @0xba1a