From 5a6a093511bfdb13141ada13a0970c28dd8df92c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Dec 03 2014 17:14:28 +0000
Subject: import wpa_supplicant-2.0-13.el7_0
---
diff --git a/SOURCES/0001-Add-os_exec-helper-to-run-external-programs.patch b/SOURCES/0001-Add-os_exec-helper-to-run-external-programs.patch
new file mode 100644
index 0000000..4b774bd
--- /dev/null
+++ b/SOURCES/0001-Add-os_exec-helper-to-run-external-programs.patch
@@ -0,0 +1,143 @@ +From 89de07a9442072f88d49869d8ecd8d42bae050a0 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Mon, 6 Oct 2014 16:27:44 +0300 +Subject: [PATCH 1/2] Add os_exec() helper to run external programs + +Signed-off-by: Jouni Malinen +--- + src/utils/os.h | 9 +++++++++ + src/utils/os_unix.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/utils/os_win32.c | 6 ++++++ + 3 files changed, 70 insertions(+) + +diff --git a/src/utils/os.h b/src/utils/os.h +index f196209..b9247d8 100644 +--- a/src/utils/os.h ++++ b/src/utils/os.h +@@ -597,14 +597,23 @@ size_t os_strlcpy(char *dest, const char *src, size_t siz); + * Returns: Total length of the target string (length of src) (not including + * NUL-termination) + * + * This function matches in behavior with the strlcpy(3) function in OpenBSD. + */ + size_t os_strlcpy(char *dest, const char *src, size_t siz); + ++/** ++ * os_exec - Execute an external program ++ * @program: Path to the program ++ * @arg: Command line argument string ++ * @wait_completion: Whether to wait until the program execution completes ++ * Returns: 0 on success, -1 on error ++ */ ++int os_exec(const char *program, const char *arg, int wait_completion); ++ + + #ifdef OS_REJECT_C_LIB_FUNCTIONS + #define malloc OS_DO_NOT_USE_malloc + #define realloc OS_DO_NOT_USE_realloc + #define free OS_DO_NOT_USE_free + #define memcpy OS_DO_NOT_USE_memcpy + #define memmove OS_DO_NOT_USE_memmove +diff --git a/src/utils/os_unix.c b/src/utils/os_unix.c +index 7498967..523a4d0 100644 +--- a/src/utils/os_unix.c ++++ b/src/utils/os_unix.c +@@ -5,14 +5,15 @@ + * This software may be distributed under the terms of the BSD license. + * See README for more details. 
+ */ + + #include "includes.h" + + #include ++#include + + #ifdef ANDROID + #include + #include + #include + #endif /* ANDROID */ + +@@ -550,7 +551,61 @@ char * os_strdup(const char *s) + return NULL; + os_memcpy(d, s, len); + d[len] = '\0'; + return d; + } + + #endif /* WPA_TRACE */ ++ ++ ++int os_exec(const char *program, const char *arg, int wait_completion) ++{ ++ pid_t pid; ++ int pid_status; ++ ++ pid = fork(); ++ if (pid < 0) { ++ perror("fork"); ++ return -1; ++ } ++ ++ if (pid == 0) { ++ /* run the external command in the child process */ ++ const int MAX_ARG = 30; ++ char *_program, *_arg, *pos; ++ char *argv[MAX_ARG + 1]; ++ int i; ++ ++ _program = os_strdup(program); ++ _arg = os_strdup(arg); ++ ++ argv[0] = _program; ++ ++ i = 1; ++ pos = _arg; ++ while (i < MAX_ARG && pos && *pos) { ++ while (*pos == ' ') ++ pos++; ++ if (*pos == '\0') ++ break; ++ argv[i++] = pos; ++ pos = os_strchr(pos, ' '); ++ if (pos) ++ *pos++ = '\0'; ++ } ++ argv[i] = NULL; ++ ++ execv(program, argv); ++ perror("execv"); ++ os_free(_program); ++ os_free(_arg); ++ exit(0); ++ return -1; ++ } ++ ++ if (wait_completion) { ++ /* wait for the child process to complete in the parent */ ++ waitpid(pid, &pid_status, 0); ++ } ++ ++ return 0; ++} +diff --git a/src/utils/os_win32.c b/src/utils/os_win32.c +index 55937de..57ee132 100644 +--- a/src/utils/os_win32.c ++++ b/src/utils/os_win32.c +@@ -254,7 +254,13 @@ int os_memcmp_const(const void *a, const void *b, size_t len) + *dest = '\0'; + while (*s++) + ; /* determine total src string length */ + } + + return s - src - 1; + } ++ ++ ++int os_exec(const char *program, const char *arg, int wait_completion) ++{ ++ return -1; ++} +-- +1.9.3 + diff --git a/SOURCES/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch b/SOURCES/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch new file mode 100644 index 0000000..2ff9301 --- /dev/null +++ b/SOURCES/0002-wpa_cli-Use-os_exec-for-action-script-execution.patch 
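Review bot: In the new os_exec() in src/utils/os_unix.c, an execv() failure is invisible to the caller: the child ends with `exit(0)`, and the parent discards both `pid_status` and the waitpid() return value, so the function returns 0 even when the program never ran. The child should leave with `_exit(127);`, which also avoids running the parent's atexit handlers and flushing its inherited stdio buffers a second time, and the parent should return -1 when `waitpid(pid, &pid_status, 0) < 0` or the status carries that exit code. The os_strdup() results are used unchecked as well; a NULL `_program` puts NULL into `argv[0]`, so `if (_program == NULL || _arg == NULL) _exit(127);` belongs before the argv loop. When wait_completion is 0 this function never reaps the child, which deserves a sentence in the os.h comment so callers know who collects the exit status.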
@@ -0,0 +1,67 @@ +From c5f258de76dbb67fb64beab39a99e5c5711f41fe Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Mon, 6 Oct 2014 17:25:52 +0300 +Subject: [PATCH 2/2] wpa_cli: Use os_exec() for action script execution + +Use os_exec() to run the action script operations to avoid undesired +command line processing for control interface event strings. Previously, +it could have been possible for some of the event strings to include +unsanitized data which is not suitable for system() use. (CVE-2014-3686) + +Signed-off-by: Jouni Malinen +--- + wpa_supplicant/wpa_cli.c | 25 ++++++++----------------- + 1 file changed, 8 insertions(+), 17 deletions(-) + +diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c +index 18b9b77..fe30b41 100644 +--- a/wpa_supplicant/wpa_cli.c ++++ b/wpa_supplicant/wpa_cli.c +@@ -3155,36 +3155,27 @@ static int str_match(const char *a, const char *b) + return os_strncmp(a, b, os_strlen(b)) == 0; + } + + + static int wpa_cli_exec(const char *program, const char *arg1, + const char *arg2) + { +- char *cmd; ++ char *arg; + size_t len; + int res; +- int ret = 0; + +- len = os_strlen(program) + os_strlen(arg1) + os_strlen(arg2) + 3; +- cmd = os_malloc(len); +- if (cmd == NULL) ++ len = os_strlen(arg1) + os_strlen(arg2) + 2; ++ arg = os_malloc(len); ++ if (arg == NULL) + return -1; +- res = os_snprintf(cmd, len, "%s %s %s", program, arg1, arg2); +- if (res < 0 || (size_t) res >= len) { +- os_free(cmd); +- return -1; +- } +- cmd[len - 1] = '\0'; +-#ifndef _WIN32_WCE +- if (system(cmd) < 0) +- ret = -1; +-#endif /* _WIN32_WCE */ +- os_free(cmd); ++ os_snprintf(arg, len, "%s %s", arg1, arg2); ++ res = os_exec(program, arg, 1); ++ os_free(arg); + +- return ret; ++ return res; + } + + + static void wpa_cli_action_process(const char *msg) + { + const char *pos; + char *copy = NULL, *id, *pos2; +-- +1.9.3 + diff --git a/SPECS/wpa_supplicant.spec b/SPECS/wpa_supplicant.spec index e2bd4af..b676ec8 100644 --- a/SPECS/wpa_supplicant.spec 
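Review bot: wpa_cli_exec() joins arg1 and arg2 with a space and os_exec() splits the string on spaces again, so event text that contains spaces still reaches the action script as a variable number of argv entries, and anything beyond os_exec()'s MAX_ARG limit is dropped silently. The shell is out of the path, but the script still receives untrusted text, and a comment above the call should record that, for example `/* arg is re-split on spaces by os_exec(); event text is untrusted and may add argv entries */`. The removed code checked the os_snprintf() result and the new code ignores it; keeping `res = os_snprintf(arg, len, "%s %s", arg1, arg2);` followed by `if (res < 0 || (size_t) res >= len) { os_free(arg); return -1; }` preserves that guard before the buffer is handed to os_exec().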
+++ b/SPECS/wpa_supplicant.spec @@ -18,8 +18,10 @@ Source4: %{name}.sysconfig Source6: %{name}.logrotate %define build_gui 1 +%define build_libeap 1 %if 0%{?rhel} >= 1 %define build_gui 0 +%define build_libeap 0 %endif # distro specific customization and not suitable for upstream, @@ -44,6 +46,15 @@ Patch8: rh837402-less-aggressive-roaming.patch Patch9: rh948453-man-page.patch # Don't evict current AP from PMKSA cache when it's large Patch10: rh1032758-fix-pmksa-cache-entry-clearing.patch +# CVE-2014-3686 +Patch11: 0001-Add-os_exec-helper-to-run-external-programs.patch +Patch12: 0002-wpa_cli-Use-os_exec-for-action-script-execution.patch + +%if %{build_libeap} +# Dirty hack for WiMAX +# http://linuxwimax.org/Download?action=AttachFile&do=get&target=wpa-1.5-README.txt +Patch100: wpa_supplicant-2.0-generate-libeap-peer.patch +%endif URL: http://w1.fi/wpa_supplicant/ @@ -79,6 +90,25 @@ Graphical User Interface for wpa_supplicant written using QT %endif +%if %{build_libeap} +%package -n libeap +Summary: EAP peer library +Group: System Environment/Libraries + +%description -n libeap +This package contains the runtime EAP peer library. Don't use this +unless you know what you're doing. + +%package -n libeap-devel +Summary: Header files for EAP peer library +Group: Development/Libraries +Requires: libeap = %{epoch}:%{version}-%{release} + +%description -n libeap-devel +This package contains header files for using the EAP peer library. +Don't use this unless you know what you're doing. +%endif + %prep %setup -q -n %{name}-%{version}%{rcver} %patch0 -p1 -b .assoc-timeout @@ -91,6 +121,8 @@ Graphical User Interface for wpa_supplicant written using QT %patch8 -p1 -b .rh837402-less-aggressive-roaming %patch9 -p1 -b .man-page %patch10 -p1 -b .pmksa-clear-fix +%patch11 -p1 -b .CVE-2014-3686-1 +%patch12 -p1 -b .CVE-2014-3686-2 %build pushd wpa_supplicant 
@@ -150,6 +182,25 @@ rm -f %{name}/doc/.cvsignore rm -rf %{name}/doc/docbook chmod -R 0644 %{name}/examples/*.py +%if %{build_libeap} +# HAAACK +patch -p1 -b --suffix .wimax < %{PATCH100} +pushd wpa_supplicant + make clean + + CFLAGS="${CFLAGS:-%optflags} -fPIC -DPIC" ; export CFLAGS ; + CXXFLAGS="${CXXFLAGS:-%optflags} -fPIC -DPIC" ; export CXXFLAGS ; + LDFLAGS="${LDFLAGS:-%optflags} -Wl,-z,now" ; export LDFLAGS ; + # yes, BINDIR=_sbindir + BINDIR="%{_sbindir}" ; export BINDIR ; + LIBDIR="%{_libdir}" ; export LIBDIR ; + + make V=1 -C ../src/eap_peer + make DESTDIR=%{buildroot} LIB=%{_lib} -C ../src/eap_peer install + sed -i -e 's|libdir=/usr/lib|libdir=%{_libdir}|g' %{buildroot}/%{_libdir}/pkgconfig/*.pc +popd +%endif + %post if [ $1 -eq 1 ] ; then # Initial installation @@ -204,9 +255,23 @@ fi %{_bindir}/wpa_gui %endif +%if %{build_libeap} +%files -n libeap +%{_libdir}/libeap.so.0* + +%files -n libeap-devel +%{_includedir}/eap_peer +%{_libdir}/libeap.so +%{_libdir}/pkgconfig/*.pc + +%post -n libeap -p /sbin/ldconfig + +%postun -n libeap -p /sbin/ldconfig +%endif + %changelog -* Mon Jul 14 2014 Thomas Haller - 1:2.0-13 +- Use os_exec() for action script execution (CVE-2014-3686) * Fri Jan 24 2014 Daniel Mach - 1:2.0-12 - Mass rebuild 2014-01-24
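Review bot: In the libeap build block of the `@@ -150,6 +182,25 @@` hunk, the `LDFLAGS` default is built from `%optflags`, which holds compiler flags, and adds only `-Wl,-z,now`; unless the eap_peer Makefile adds `-Wl,-z,relro` itself, the library presumably ends up with immediate binding but without a read-only relocation section. If the build root's macros provide it, `LDFLAGS="${LDFLAGS:-%{__global_ldflags}} -Wl,-z,now"` would pick up the distribution's linker hardening flags instead of compiler options. On RHEL builds the block is skipped because the first hunk sets `build_libeap` to 0, so this affects only the other targets.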