Message ID | 87sgtudw3h.fsf@fastmail.com |
---|---|
State | Accepted |
Series | [bug#35563] WPA Supplicant 2.8 |
Context | Check | Description |
---|---|---|
cbaines/applying patch | fail | Apply failed |
Hello Marius,

Marius Bakke <mbakke@fastmail.com> writes:

> Attached is a security update for WPA Supplicant.
>
> The new version toggles a lot of build-time options to more closely
> resemble what Debian and Arch do. Unfortunately the new defaults
> appear to require OpenSSL instead of GnuTLS.

What happens when you keep CONFIG_TLS=gnutls?

> From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Tue, 30 Apr 2019 00:05:36 +0200
> Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes].
>
> This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
> CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555.
>
> * gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8.
> [source](snippet): New field. Disable D-Bus.
> [arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y. Change CONFIG_TLS to
> use OpenSSL rather than GnuTLS.
> [inputs]: Remove GNUTLS and LIBGCRYPT. Add OPENSSL-NEXT.
> (wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y.

[...]

> + (substitute* "wpa_supplicant/defconfig"
> + ;; Disable D-Bus by default.
> + (("^CONFIG_CTRL_IFACE_DBUS_" line _)
> + (string-append "#" line)))

This change is unrelated to the upgrade, right? It would break Connman
(which expects to talk to wpa_supplicant over D-Bus), as well as
NetworkManager probably, no? Or am I missing something?

I’d like to have to make sure wpa_supplicant works well in the 1.0.1
installer. :-)

Thanks for looking into it!

Ludo’.

Ludovic Courtès <ludo@gnu.org> writes:

> Hello Marius,
>
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Attached is a security update for WPA Supplicant.
>>
>> The new version toggles a lot of build-time options to more closely
>> resemble what Debian and Arch do. Unfortunately the new defaults
>> appear to require OpenSSL instead of GnuTLS.
>
> What happens when you keep CONFIG_TLS=gnutls?

The linker fails to find a lot of OpenSSL interfaces. Short excerpt:

ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
/tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'

Omitting the OpenSSL input makes it fail earlier due to lack of headers.

>> From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Tue, 30 Apr 2019 00:05:36 +0200
>> Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes].
>>
>> This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
>> CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555.
>>
>> * gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8.
>> [source](snippet): New field. Disable D-Bus.
>> [arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y. Change CONFIG_TLS to
>> use OpenSSL rather than GnuTLS.
>> [inputs]: Remove GNUTLS and LIBGCRYPT. Add OPENSSL-NEXT.
>> (wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y.
>
> [...]
>
>> + (substitute* "wpa_supplicant/defconfig"
>> + ;; Disable D-Bus by default.
>> + (("^CONFIG_CTRL_IFACE_DBUS_" line _)
>> + (string-append "#" line)))
>
> This change is unrelated to the upgrade, right? It would break Connman
> (which expects to talk to wpa_supplicant over D-Bus), as well as
> NetworkManager probably, no? Or am I missing something?

The distinguishing feature between "wpa-supplicant-minimal" and
"wpa-supplicant" is D-Bus support.

Upstream enabled D-Bus by default in version 2.8, so I toggled it back
with the snippet above so "wpa-supplicant-minimal" stays the same.

However I notice now that the new "wpa-supplicant-minimal" has D-Bus in
its closure even though the D-Bus interface is disabled.

So I'm not sure if it makes sense to have the separate -minimal variant
anymore. The size of both wpa-supplicant variants is 102.4MiB after
this patch, down from 157.4 and 143.1 MiB on the Guix master branch.

Thoughts?

Hi,

Marius Bakke <mbakke@fastmail.com> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hello Marius,
>>
>> Marius Bakke <mbakke@fastmail.com> writes:
>>
>>> Attached is a security update for WPA Supplicant.
>>>
>>> The new version toggles a lot of build-time options to more closely
>>> resemble what Debian and Arch do. Unfortunately the new defaults
>>> appear to require OpenSSL instead of GnuTLS.
>>
>> What happens when you keep CONFIG_TLS=gnutls?
>
> The linker fails to find a lot of OpenSSL interfaces. Short excerpt:
>
> ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
> /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'
>
> Omitting the OpenSSL input makes it fail earlier due to lack of headers.

OK.

>> This change is unrelated to the upgrade, right? It would break Connman
>> (which expects to talk to wpa_supplicant over D-Bus), as well as
>> NetworkManager probably, no? Or am I missing something?
>
> The distinguishing feature between "wpa-supplicant-minimal" and
> "wpa-supplicant" is D-Bus support.
>
> Upstream enabled D-Bus by default in version 2.8, so I toggled it back
> with the snippet above so "wpa-supplicant-minimal" stays the same.
>
> However I notice now that the new "wpa-supplicant-minimal" has D-Bus in
> its closure even though the D-Bus interface is disabled.
>
> So I'm not sure if it makes sense to have the separate -minimal variant
> anymore. The size of both wpa-supplicant variants is 102.4MiB after
> this patch, down from 157.4 and 143.1 MiB on the Guix master branch.

Well you’re right, maybe it doesn’t make much sense to keep both
variants in that case.

So I guess you can go ahead and push so we can all test it in the coming
days!

Thanks,
Ludo’.

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> Hello Marius,
>>>
>>> Marius Bakke <mbakke@fastmail.com> writes:
>>>
>>>> Attached is a security update for WPA Supplicant.
>>>>
>>>> The new version toggles a lot of build-time options to more closely
>>>> resemble what Debian and Arch do. Unfortunately the new defaults
>>>> appear to require OpenSSL instead of GnuTLS.
>>>
>>> What happens when you keep CONFIG_TLS=gnutls?
>>
>> The linker fails to find a lot of OpenSSL interfaces. Short excerpt:
>>
>> ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
>> /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
>> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
>> ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'
>>
>> Omitting the OpenSSL input makes it fail earlier due to lack of headers.
>
> OK.
>
>>> This change is unrelated to the upgrade, right? It would break Connman
>>> (which expects to talk to wpa_supplicant over D-Bus), as well as
>>> NetworkManager probably, no? Or am I missing something?
>>
>> The distinguishing feature between "wpa-supplicant-minimal" and
>> "wpa-supplicant" is D-Bus support.
>>
>> Upstream enabled D-Bus by default in version 2.8, so I toggled it back
>> with the snippet above so "wpa-supplicant-minimal" stays the same.
>>
>> However I notice now that the new "wpa-supplicant-minimal" has D-Bus in
>> its closure even though the D-Bus interface is disabled.
>>
>> So I'm not sure if it makes sense to have the separate -minimal variant
>> anymore. The size of both wpa-supplicant variants is 102.4MiB after
>> this patch, down from 157.4 and 143.1 MiB on the Guix master branch.
>
> Well you’re right, maybe it doesn’t make much sense to keep both
> variants in that case.

Errh never mind, the "wpa-supplicant-minimal" package does *not* have
D-Bus in its closure. The updated sizes are 87.8 and 102.1 MiB.

> So I guess you can go ahead and push so we can all test it in the coming
> days!

I have tested this on a few different setups and it appears to work
fine. Pushed as aeb1ed1abcc953694bcd742ae5e3ba5a13506373!

Hi!

Marius Bakke <mbakke@fastmail.com> writes:

> Errh never mind, the "wpa-supplicant-minimal" package does *not* have
> D-Bus in its closure. The updated sizes are 87.8 and 102.1 MiB.

Alright. :-)

>> So I guess you can go ahead and push so we can all test it in the coming
>> days!
>
> I have tested this on a few different setups and it appears to work
> fine. Pushed as aeb1ed1abcc953694bcd742ae5e3ba5a13506373!

Thanks!

Ludo’.

From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001 From: Marius Bakke <mbakke@fastmail.com> Date: Tue, 30 Apr 2019 00:05:36 +0200 Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes]. This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555. * gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8. [source](snippet): New field. Disable D-Bus. [arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y. Change CONFIG_TLS to use OpenSSL rather than GnuTLS. [inputs]: Remove GNUTLS and LIBGCRYPT. Add OPENSSL-NEXT. (wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y. --- gnu/packages/admin.scm | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 275ce8bb2f..e0fc1c54c9 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -1198,16 +1198,23 @@ commands and their arguments.") (define-public wpa-supplicant-minimal (package (name "wpa-supplicant-minimal") - (version "2.7") + (version "2.8") (source (origin (method url-fetch) (uri (string-append "https://w1.fi/releases/wpa_supplicant-" - version - ".tar.gz")) + version ".tar.gz")) (sha256 (base32 - "0x1hqyahq44jyla8jl6791nnwrgicrhidadikrnqxsm2nw36pskn")))) + "15ixzm347n8w6gdvi3j3yks3i15qmp6by9ayvswm34d929m372d6")) + (modules '((guix build utils))) + (snippet + '(begin + (substitute* "wpa_supplicant/defconfig" + ;; Disable D-Bus by default. + (("^CONFIG_CTRL_IFACE_DBUS_" line _) + (string-append "#" line))) + #t)))) (build-system gnu-build-system) (arguments '(#:phases @@ -1218,10 +1225,7 @@ commands and their arguments.") (copy-file "defconfig" ".config") (let ((port (open-file ".config" "al"))) (display " - CONFIG_DEBUG_SYSLOG=y - - # Choose GnuTLS (the default is OpenSSL.) - CONFIG_TLS=gnutls + CONFIG_TLS=openssl CONFIG_DRIVER_NL80211=y CFLAGS += $(shell pkg-config libnl-3.0 --cflags) 
@@ -1255,8 +1259,7 @@ commands and their arguments.") (inputs `(("readline" ,readline) ("libnl" ,libnl) - ("gnutls" ,gnutls) - ("libgcrypt" ,libgcrypt))) ;needed by crypto_gnutls.c + ("openssl" ,openssl-next))) (native-inputs `(("pkg-config" ,pkg-config))) (home-page "https://w1.fi/wpa_supplicant/") @@ -1289,7 +1292,6 @@ command.") (lambda _ (let ((port (open-file ".config" "al"))) (display " - CONFIG_CTRL_IFACE_DBUS=y CONFIG_CTRL_IFACE_DBUS_NEW=y CONFIG_CTRL_IFACE_DBUS_INTRO=y\n" port) (close-port port)) -- 2.21.0
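Review bot: In the first hunk's new `snippet`, the clause `(("^CONFIG_CTRL_IFACE_DBUS_" line _)` binds two variables although the regexp has no parenthesised group, so `_` has no sub-match to stand for, and `line` holds only the matched prefix rather than the whole line. Suggest a single binding with a name that says so, and extend the `;; Disable D-Bus by default.` comment to record that upstream 2.8 enables these options in `defconfig` and that the -minimal variant turns them back off, since that is the only reason the snippet exists.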
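Review bot: In the `.config` hunk (`@@ -1218`), the removed comment said that OpenSSL is already the upstream default, so the added `CONFIG_TLS=openssl` only restates it while the reason for leaving GnuTLS disappears from the file. Either drop the line, or keep it with a one-line comment noting that `CONFIG_TLS=gnutls` no longer links with 2.8 (undefined OpenSSL symbols from `src/common/dpp.c`), so that nobody switches the TLS backend back without rebuilding and checking.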
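Review bot: In the `inputs` hunk (`@@ -1255`), `("openssl" ,openssl-next)` replaces `gnutls` and `libgcrypt` without saying why the `-next` variant is needed rather than `openssl`, whereas the removed `libgcrypt` line carried its justification (`;needed by crypto_gnutls.c`). Add a short comment giving the reason, or use `openssl` if that is sufficient, so the TLS library this network-facing daemon links against is a documented choice.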