[bug#35563] WPA Supplicant 2.8

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#35563] WPA Supplicant 2.8

From:	Marius Bakke
Subject:	[bug#35563] WPA Supplicant 2.8
Date:	Mon, 06 May 2019 15:20:18 +0200
User-agent:	Notmuch/0.28.3 (https://notmuchmail.org) Emacs/26.2 (x86_64-pc-linux-gnu)

Ludovic Courtès <address@hidden> writes:

> Hello Marius,
>
> Marius Bakke <address@hidden> skribis:
>
>> Attached is a security update for WPA Supplicant.
>>
>> The new version toggles a lot of build-time options to more closely
>> resemble what Debian and Arch do.  Unfortunately the new defaults
>> appears to require OpenSSL instead of GnuTLS.
>
> What happens when you keep CONFIG_TLS=gnutls?

The linker fails to find a lot of OpenSSL interfaces.  Short excerpt:

ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
/tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538:
 undefined reference to `EVP_PKEY_get1_EC_KEY'
ld: 
/tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545:
 undefined reference to `EC_KEY_get0_group'
ld: 
/tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552:
 undefined reference to `EC_KEY_free'

Omitting the OpenSSL input makes it fail earlier due to lack of headers.

>> From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <address@hidden>
>> Date: Tue, 30 Apr 2019 00:05:36 +0200
>> Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes].
>>
>> This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, 
>> CVE-2019-9497,
>> CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555.
>>
>> * gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8.
>> [source](snippet): New field.  Disable D-Bus.
>> [arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y.  Change CONFIG_TLS to
>> use OpenSSL rather than GnuTLS.
>> [inputs]: Remove GNUTLS and LIBGCRYPT.  Add OPENSSL-NEXT.
>> (wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y.
>
> [...]
>
>> +                  (substitute* "wpa_supplicant/defconfig"
>> +                    ;; Disable D-Bus by default.
>> +                    (("^CONFIG_CTRL_IFACE_DBUS_" line _)
>> +                     (string-append "#" line)))
>
> This change is unrelated to the upgrade, right?  It would break Connman
> (which expects to talk to wpa_supplicant over D-Bus), as well as
> NetworkManager probably, no?  Or am I missing something?

The distinguishing feature between "wpa-supplicant-minimal" and
"wpa-supplicant" is D-Bus support.

Upstream enabled D-Bus by default in version 2.8, so I toggled it back
with the snippet above so "wpa-supplicant-minimal" stays the same.

However I notice now that the new "wpa-supplicant-minimal" has D-Bus in
its closure even though the D-Bus interface is disabled.

So I'm not sure if it makes sense to have the separate -minimal variant
anymore.  The size of both wpa-supplicant variants are 102.4MiB after
this patch, down from 157.4 and 143.1 MiB on the Guix master branch.

Thoughts?

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#35563] WPA Supplicant 2.8, Marius Bakke, 2019/05/04
- [bug#35563] WPA Supplicant 2.8, Ludovic Courtès, 2019/05/06
  - [bug#35563] WPA Supplicant 2.8, Marius Bakke <=
    - [bug#35563] WPA Supplicant 2.8, Ludovic Courtès, 2019/05/07
    - bug#35563: WPA Supplicant 2.8, Marius Bakke, 2019/05/09
    - [bug#35563] WPA Supplicant 2.8, Ludovic Courtès, 2019/05/10

Prev by Date: [bug#35518] [PATCH] fix guile-pfds bug
Next by Date: bug#35366: [PATCH 1/2] gnu: mate-power-manager: Use correct license.
Previous by thread: [bug#35563] WPA Supplicant 2.8
Next by thread: [bug#35563] WPA Supplicant 2.8
Index(es):
- Date
- Thread