GNU bug report logs - #35563
WPA Supplicant 2.8


Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Sat, 4 May 2019 16:27:02 UTC

Severity: normal

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.



Message #11 received at 35563 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 35563 <at> debbugs.gnu.org
Subject: Re: [bug#35563] WPA Supplicant 2.8
Date: Mon, 06 May 2019 15:20:18 +0200
Ludovic Courtès <ludo <at> gnu.org> writes:

> Hello Marius,
>
> Marius Bakke <mbakke <at> fastmail.com> skribis:
>
>> Attached is a security update for WPA Supplicant.
>>
>> The new version toggles a lot of build-time options to more closely
>> resemble what Debian and Arch do.  Unfortunately the new defaults
>> appear to require OpenSSL instead of GnuTLS.
>
> What happens when you keep CONFIG_TLS=gnutls?

The linker fails to find a lot of OpenSSL interfaces.  Short excerpt:

ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
/tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'

Omitting the OpenSSL input makes it fail earlier due to lack of headers.

>> From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke <at> fastmail.com>
>> Date: Tue, 30 Apr 2019 00:05:36 +0200
>> Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes].
>>
>> This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
>> CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555.
>>
>> * gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8.
>> [source](snippet): New field.  Disable D-Bus.
>> [arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y.  Change CONFIG_TLS to
>> use OpenSSL rather than GnuTLS.
>> [inputs]: Remove GNUTLS and LIBGCRYPT.  Add OPENSSL-NEXT.
>> (wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y.
>
> [...]
>
>> +                  (substitute* "wpa_supplicant/defconfig"
>> +                    ;; Disable D-Bus by default.
>> +                    (("^CONFIG_CTRL_IFACE_DBUS_" line _)
>> +                     (string-append "#" line)))
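
Review bot: The pattern "^CONFIG_CTRL_IFACE_DBUS_" in the substitute* clause ends in an underscore, so it only comments out options that carry a suffix after DBUS_; a bare CONFIG_CTRL_IFACE_DBUS= line in wpa_supplicant/defconfig would be left enabled. If that is intended, the comment above the clause should name the options being targeted and give the reason they are turned off, since "Disable D-Bus by default" states neither. The clause also binds (line _) although the regex has no capture group, so the _ binding can be dropped.
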
>
> This change is unrelated to the upgrade, right?  It would break Connman
> (which expects to talk to wpa_supplicant over D-Bus), as well as
> NetworkManager probably, no?  Or am I missing something?

The distinguishing feature between "wpa-supplicant-minimal" and
"wpa-supplicant" is D-Bus support.

Upstream enabled D-Bus by default in version 2.8, so I toggled it back
with the snippet above so "wpa-supplicant-minimal" stays the same.

However, I notice now that the new "wpa-supplicant-minimal" has D-Bus in
its closure even though the D-Bus interface is disabled.

So I'm not sure if it makes sense to have the separate -minimal variant
anymore.  The size of both wpa-supplicant variants is 102.4MiB after
this patch, down from 157.4 and 143.1 MiB on the Guix master branch.

Thoughts?

This bug report was last modified 6 years and 74 days ago.
