• bookworm-pu: package wpa/2:2.10-12+deb12u3

    From Bastien Roucaries@21:1/5 to Debian Bug Tracking System on Fri Apr 11 21:27:32 2025
    XPost: linux.debian.devel.release


    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: wpa@packages.debian.org
    Control: affects -1 + src:wpa
    User: release.debian.org@packages.debian.org
    Usertags: pu


    [ Reason ]
    CVE-2022-37660

    [ Impact ]
    security problem low

    [ Tests ]
    No, but the patch is straightforward


    [ Risks ]
    Low

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]
    Fix CVE-2022-37660: the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past, will be able to subvert a future bootstrapping by passively observing public keys, re-using the encrypting element Qi and subtracting it from the captured message M (X = M - Qi). This will result in the public ephemeral key X; the only element required to subvert the PKEX association


    [ Other info ]
    No

    --nextPart23179722.EfDdHjke4D
    Content-Disposition: attachment; filename="wpa.debdiff"
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/x-patch; charset="UTF-8"; name="wpa.debdiff"

    diff -Nru wpa-2.10/debian/changelog wpa-2.10/debian/changelog
    --- wpa-2.10/debian/changelog 2024-08-05 21:07:00.000000000 +0200
    +++ wpa-2.10/debian/changelog 2025-04-11 16:29:46.000000000 +0200
    @@ -1,3 +1,20 @@
    +wpa (2:2.10-12+deb12u3) bookworm; urgency=medium
    +
    + * Non-maintainer upload by the LTS Security Team.
    + * debian/patches/CVE-2022-37660.patch: Add hostapd_dpp_pkex_clear_code()
    + and wpas_dpp_pkex_clear_code(), and clear code reusage in
    + ./src/ap/dpp_hostapd.c and ./wpa_supplicant/dpp_supplicant.c
    + * Fix CVE-2022-37660: the PKEX code remains active even after
    + a successful PKEX association. An attacker that successfully
    + bootstrapped public keys with another entity using PKEX in
    + the past, will be able to subvert a future bootstrapping by
    + passively observing public keys, re-using the encrypting
    + element Qi and subtracting it from the captured message
    + M (X = M - Qi). This will result in the public ephemeral
    + key X; the only element required to subvert the PKEX association
    +
    + -- Bastien Roucariès <rouca
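
Review bot: in the first changelog item, "and clear code reusage in ./src/ap/dpp_hostapd.c and ./wpa_supplicant/dpp_supplicant.c" does not say what the patch actually changes. Going by the two function names and the CVE item below it, the point appears to be that the PKEX code is cleared once an exchange has succeeded so that it cannot be used again, and the entry should say so in those terms. Drop the leading "./" from both paths, and consider putting the CVE item first so that the patch item reads as its fix. The request above rates impact and risk as low while the entry carries urgency=medium; confirm that this is intended.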