[AUTO-CHERRYPICK] Patch wpa_supplicant for CVE-2025-24912 [Low] - branch main (#13359)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit 3550cc4631fb · 2025-04-10T17:03:15.000-04:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/wpa_supplicant/CVE-2025-24912.patch b/SPECS/wpa_supplicant/CVE-2025-24912.patch
@@ -0,0 +1,53 @@
+From 07e931dcdbdefe3e26217bea411e020a55c2ab86 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Wed, 26 Mar 2025 15:50:07 +0000
+Subject: [PATCH] Fix CVE CVE-2025-24912 in wpa_supplicant
+
+Upstream Reference: https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44
+---
+ src/radius/radius_client.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
+index ee9e46d..8f93325 100644
+--- a/src/radius/radius_client.c
++++ b/src/radius/radius_client.c
+@@ -922,13 +922,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		       roundtrip / 100, roundtrip % 100);
+ 	rconf->round_trip_time = roundtrip;
+ 
+-	/* Remove ACKed RADIUS packet from retransmit list */
+-	if (prev_req)
+-		prev_req->next = req->next;
+-	else
+-		radius->msgs = req->next;
+-	radius->num_msgs--;
+-
+ 	for (i = 0; i < num_handlers; i++) {
+ 		RadiusRxResult res;
+ 		res = handlers[i].handler(msg, req->msg, req->shared_secret,
+@@ -939,6 +932,13 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 			radius_msg_free(msg);
+ 			/* fall through */
+ 		case RADIUS_RX_QUEUED:
++			/* Remove ACKed RADIUS packet from retransmit list */
++			if (prev_req)
++				prev_req->next = req->next;
++			else
++				radius->msgs = req->next;
++			radius->num_msgs--;
++
+ 			radius_client_msg_free(req);
+ 			return;
+ 		case RADIUS_RX_INVALID_AUTHENTICATOR:
+@@ -960,7 +960,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		       msg_type, hdr->code, hdr->identifier,
+ 		       invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
+ 		       "");
+-	radius_client_msg_free(req);
+ 
+  fail:
+ 	radius_msg_free(msg);
+-- 
+2.45.2
+
diff --git a/SPECS/wpa_supplicant/wpa_supplicant.spec b/SPECS/wpa_supplicant/wpa_supplicant.spec
@@ -1,14 +1,15 @@
 Summary:        WPA client
 Name:           wpa_supplicant
 Version:        2.10
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/Communications
 URL:            https://w1.fi
 Source0:        https://w1.fi/releases/%{name}-%{version}.tar.gz
 Patch0:         CVE-2023-52160.patch
+Patch1:         CVE-2025-24912.patch
 BuildRequires:  libnl3-devel
 BuildRequires:  openssl-devel
 Requires:       libnl3
@@ -96,6 +97,9 @@ EOF
 %{_sysconfdir}/wpa_supplicant/wpa_supplicant-wlan0.conf
 
 %changelog
+* Wed Mar 26 2025 Kanishk-Bansal <kanbansal@microsoft.com> - 2.10-3
+- Patch CVE-2025-24912
+
 * Thu Mar 07 2024 Vince Perri <viperri@microsoft.com> - 2.10-2
 - Add patch to address CVE-2023-52160
 
