Version in base suite: 1.14-3 Base version: iwd_1.14-3 Target version: iwd_1.14-3+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/iwd/iwd_1.14-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/iwd/iwd_1.14-3+deb11u1.dsc changelog | 8 ++ patches/ap-only-accept-ptk-4-4-after-receiving-ptk-2-4.patch | 33 +++++++++++ patches/series | 1 3 files changed, 42 insertions(+) diff -Nru iwd-1.14/debian/changelog iwd-1.14/debian/changelog --- iwd-1.14/debian/changelog 2021-05-06 07:06:22.000000000 +0000 +++ iwd-1.14/debian/changelog 2024-02-21 14:43:48.000000000 +0000 @@ -1,3 +1,11 @@ +iwd (1.14-3+deb11u1) bullseye-security; urgency=high + + * Non-maintainer upload by the Security Team. + * ap: only accept ptk 4/4 after receiving ptk 2/4 (CVE-2023-52161) + (Closes: #1064062) + + -- Salvatore Bonaccorso Wed, 21 Feb 2024 15:43:48 +0100 + iwd (1.14-3) unstable; urgency=medium * fix treat failing tests as flaky (not reliably failing): diff -Nru iwd-1.14/debian/patches/ap-only-accept-ptk-4-4-after-receiving-ptk-2-4.patch iwd-1.14/debian/patches/ap-only-accept-ptk-4-4-after-receiving-ptk-2-4.patch --- iwd-1.14/debian/patches/ap-only-accept-ptk-4-4-after-receiving-ptk-2-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ iwd-1.14/debian/patches/ap-only-accept-ptk-4-4-after-receiving-ptk-2-4.patch 2024-02-21 14:43:48.000000000 +0000 
@@ -0,0 +1,33 @@ +From: Mathy Vanhoef +Date: Mon, 29 Jan 2024 17:11:49 +0100 +Subject: ap: only accept ptk 4/4 after receiving ptk 2/4 +Origin: https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit?id=6415420f1c92012f64063c131480ffcef58e60ca +Bug-Debian: https://bugs.debian.org/1064062 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-52161 + +When operating as an AP, drop message 4 of the 4-way handshake if the AP +has not yet received message 2. Otherwise an attacker can skip message 2 +and immediately send message 4 to bypass authentication (the AP would be +using an all-zero ptk to verify the authenticity of message 4). +--- + src/eapol.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/eapol.c b/src/eapol.c +index bad4bbb7ed37..3ce14d5c07a3 100644 +--- a/src/eapol.c ++++ b/src/eapol.c +@@ -2092,6 +2092,10 @@ static void eapol_handle_ptk_4_of_4(struct eapol_sm *sm, + if (L_BE64_TO_CPU(ek->key_replay_counter) != sm->replay_counter) + return; + ++ /* Ensure we received Message 2 and thus have a PTK to verify MIC */ ++ if (!sm->handshake->have_snonce) ++ return; ++ + kck = handshake_state_get_kck(sm->handshake); + + if (!eapol_verify_mic(sm->handshake->akm_suite, kck, ek, +-- +2.43.0 + diff -Nru iwd-1.14/debian/patches/series iwd-1.14/debian/patches/series --- iwd-1.14/debian/patches/series 2020-09-05 15:45:10.000000000 +0000 +++ iwd-1.14/debian/patches/series 2024-02-21 14:43:48.000000000 +0000 @@ -1 +1,2 @@ 0001-Switch-wheel-to-netdev-group-in-dbus-policy.patch +ap-only-accept-ptk-4-4-after-receiving-ptk-2-4.patch
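Review bot: In the src/eapol.c hunk, the new `if (!sm->handshake->have_snonce) return;` in eapol_handle_ptk_4_of_4() drops the frame silently, so a message 4 that arrives before message 2 (the bypass attempt the commit message describes) leaves no trace on the AP. Consider logging at debug or warning level before the return so the event can be detected and correlated with the sending station. The check also relies on have_snonce as a proxy for "a PTK has been derived", as the added comment says. It is worth confirming, outside this hunk, that the flag is reset whenever a new handshake begins, so a stale value from an earlier exchange cannot satisfy it. The diffstat shows only src/eapol.c changing, so no regression test covers a message 4 sent ahead of message 2.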
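Review bot: In the debian/patches/series hunk, the added entry ap-only-accept-ptk-4-4-after-receiving-ptk-2-4.patch carries no numeric prefix, while the existing entry is named 0001-Switch-wheel-to-netdev-group-in-dbus-policy.patch. Renaming it with a 0002- prefix would keep the directory listing in the same order as the series file. Appending it as the last line is otherwise correct, since the series order is what determines application order.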