Subject: [bug#35563] WPA Supplicant 2.8
From: Marius Bakke
To: Ludovic Courtès
Cc: 35563@debbugs.gnu.org
Date: Mon, 06 May 2019 15:20:18 +0200
Message-ID: <87ftpren3h.fsf@fastmail.com>
In-Reply-To: <874l68ngu5.fsf@gnu.org>

Ludovic Courtès writes:

> Hello Marius,
>
> Marius Bakke writes:
>
>> Attached is a security update for WPA Supplicant.
>>
>> The new version toggles a lot of build-time options to more closely
>> resemble what Debian and Arch do. Unfortunately the new defaults
>> appear to require OpenSSL instead of GnuTLS.
>
> What happens when you keep CONFIG_TLS=gnutls?

The linker fails to find a lot of OpenSSL interfaces. Short excerpt:

ld: ../src/common/dpp.o: in function `dpp_set_pubkey_point':
/tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:538: undefined reference to `EVP_PKEY_get1_EC_KEY'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:545: undefined reference to `EC_KEY_get0_group'
ld: /tmp/guix-build-wpa-supplicant-2.8.drv-0/wpa_supplicant-2.8/wpa_supplicant/../src/common/dpp.c:552: undefined reference to `EC_KEY_free'

Omitting the OpenSSL input makes it fail earlier due to lack of headers.

>> From 194bb2914a0724587f04dd03cb4dd40465887248 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke
>> Date: Tue, 30 Apr 2019 00:05:36 +0200
>> Subject: [PATCH] gnu: wpa_supplicant: Update to 2.8 [security fixes].
>>
>> This release fixes CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
>> CVE-2019-9498, CVE-2019-9499, and CVE-2019-11555.
>>
>> * gnu/packages/admin.scm (wpa-supplicant-minimal): Update to 2.8.
>> [source](snippet): New field. Disable D-Bus.
>> [arguments]: Remove now-default CONFIG_DEBUG_SYSLOG=y. Change CONFIG_TLS to
>> use OpenSSL rather than GnuTLS.
>> [inputs]: Remove GNUTLS and LIBGCRYPT. Add OPENSSL-NEXT.
>> (wpa-supplicant)[arguments]: Remove obsolete CONFIG_CTRL_IFACE_DBUS=y.
>
> [...]
>
>> + (substitute* "wpa_supplicant/defconfig"
>> + ;; Disable D-Bus by default.
>> + (("^CONFIG_CTRL_IFACE_DBUS_" line _)
>> + (string-append "#" line)))
>
> This change is unrelated to the upgrade, right? It would break Connman
> (which expects to talk to wpa_supplicant over D-Bus), as well as
> NetworkManager probably, no? Or am I missing something?

The distinguishing feature between "wpa-supplicant-minimal" and
"wpa-supplicant" is D-Bus support. Upstream enabled D-Bus by default in
version 2.8, so I toggled it back with the snippet above so
"wpa-supplicant-minimal" stays the same.

However I notice now that the new "wpa-supplicant-minimal" has D-Bus in
its closure even though the D-Bus interface is disabled. So I'm not sure
if it makes sense to have the separate -minimal variant anymore.

The size of both wpa-supplicant variants is 102.4 MiB after this patch,
down from 157.4 and 143.1 MiB on the Guix master branch.

Thoughts?
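Review bot: the substitute* in the quoted snippet does not fail when nothing matches, so if a later upstream release renames or drops the CONFIG_CTRL_IFACE_DBUS_ lines in wpa_supplicant/defconfig, the snippet would silently leave D-Bus enabled in wpa-supplicant-minimal with no build error to flag it. Consider making the intent explicit, for example by checking after the substitution that defconfig no longer contains an uncommented CONFIG_CTRL_IFACE_DBUS_ line, and extend the ";; Disable D-Bus by default." comment to say that this is what keeps the -minimal variant D-Bus-free now that upstream enables it in 2.8.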