Broken dbus GetAll message to wpa supplicant interface properties

Bug #1899262 reported by Michael Nazzareno Trimarchi on 2020-10-10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
wpa (Ubuntu)
Michael Nazzareno Trimarchi

Bug Description

* Impact
One of the distro patch is incorrect and create issues when trying to query dbus properties

* Test Case

$ sudo dbus-send --system --print-reply --dest=fi.w1.wpa_supplicant1 /fi/w1/wpa_supplicant1/Interfaces/1 org.freedesktop.DBus.Properties.GetAll string:fi.w1.wpa_supplicant1.Interface

shouldn't error out

(the /1 reflect the interface number and could be a different value, check with d-feet if needed)

* Regression potential

The fixes is in the dbus interface, check that communication with desktop clients (indicator, applet, settings) still works correctly, returning expected informations on the signal, etc


dbus-send is able to read the properties of interface using GetAll. Those information include interface name, status, encryption method, etc.
The regression was introduced when someone try to have the Station attribute supported

CVE References

The attachment "Fix dbus GetAll Interface on interface attribute" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch

The attach is a debdiff. If it's not fine let me know

Changed in wpa (Ubuntu):
assignee: nobody → Michael Nazzareno Trimarchi (michael-t16qijz8x59bnuup5)
Dimitri John Ledkov (xnox) wrote :

For releasing this as an SRU, needs to be followed.

Specifically we will need SRU template completed as outlined in

Most importnatly what would be the detailed [Test Case] to reproduce the issue? (Such that we can verify the issue exists, and gets fixed by the proposed update). And what is regression potential of such an update.

tags: added: rls-bb-incoming rls-ff-incoming rls-gg-incoming rls-hh-incoming

wpa_supplicant exponse properties of the interface that you can read using dbus command such as. Now if the property is empy you should just expose as empty and not fail as it is in the code.

sudo dbus-send --system --print-reply --dest=fi.w1.wpa_supplicant1 /fi/w1/wpa_supplicant1/Interfaces/1 org.freedesktop.DBus.Properties.GetAll string:fi.w1.wpa_supplicant1.Interface

This kind of interface is used by other network services aka connman. I have tested on ubuntu-core and ubuntu 18.04

Sebastien Bacher (seb128) wrote :

Thanks for the report and adding some details, it's still unclear what the testcase and issue is though. If the problem that due to the patch it errors out in cases where it should return an empty list? Or that it's giving access to more information that it should?

Could you also give a testcase including steps that could be used for testing by others who are not especially familiar with the issue? something along the lines of

- <set up connection>
- <check interface numbers with dbus monitor or something>
- <command line to call and expected result>

Download full text (3.9 KiB)

dbus getAll let you to download information of any interface. Each interface has a reference number inside the wpa_supplicant. In my laptop my wifi is interface 1. In order to ready wifi interface information I can use dbus as shown in this example:

sudo dbus-send --system --print-reply --dest=fi.w1.wpa_supplicant1 /fi/w1/wpa_supplicant1/Interfaces/1 org.freedesktop.DBus.Properties.GetAll string:fi.w1.wpa_supplicant1.Interface

The result of the command give you the an answer like:

sudo dbus-send --system --print-reply --dest=fi.w1.wpa_supplicant1 /fi/w1/wpa_supplicant1/Interfaces/1 org.freedesktop.DBus.Properties.GetAll string:fi.w1.wpa_supplicant1.Interface
[sudo] password for michael:
method return time=1603398113.528196 sender=:1.4 -> destination=:1.267 serial=476 reply_serial=2
   array [
      dict entry(
         string "Capabilities"
         variant array [
               dict entry(
                  string "Pairwise"
                  variant array [
                        string "ccmp"
                        string "tkip"
               dict entry(
                  string "Group"
                  variant array [
                        string "ccmp"
                        string "tkip"
                        string "wep104"
                        string "wep40"
               dict entry(
                  string "GroupMgmt"
                  variant array [
                        string "aes-128-cmac"
               dict entry(
                  string "KeyMgmt"
                  variant array [
                        string "none"
                        string "ieee8021x"
                        string "wpa-eap"
                        string "wpa-ft-eap"
                        string "wpa-eap-sha256"
                        string "wpa-psk"
                        string "wpa-ft-psk"
                        string "wpa-psk-sha256"
                        string "wps"

If one of the value can not reported the entire request just plain fail. This is not happen on the same version without any addition patch. In the debian package was added a patch to report the Stations attribue that is a part of this answer and the fact that this is only valid on ap mode does not let reply at all of this message. Now in connman for example this getAll is used to get out the interface information as you can find in this snipped code:

int supplicant_dbus_property_get_all(const char *path, const char *interface,
                                supplicant_dbus_property_function function,
                                void *user_data, gpointer caller)
        struct property_call_data *property_call = NULL;
        DBusMessage *message;
        DBusPendingCall *call;

        if (!connection)
                return -EINVAL;

        if (!path || !interface)
                return -EINVAL;

        property_call = g_try_new0(struct property_call_data, 1);
        if (!property_call)


Sebastien Bacher (seb128) wrote :

> This is not happen on the same version without any addition patch. In the debian package was
> added a patch to report the Stations attribue that is a part of this answer and the fact that
> this is only valid on ap mode does not let reply at all of this message.

If it's not happening without patch do you know which change is creating the issue? Is that patch in Debian and/or upstream as well?

Could you give the exact reference of the 'patch to report the Stations attribue'?

Sebastien Bacher (seb128) wrote :

Trying here

$ sudo dbus-send --system --print-reply --dest=fi.w1.wpa_supplicant1 /fi/w1/wpa_supplicant1/Interfaces/1 org.freedesktop.DBus.Properties.GetAll string:fi.w1.wpa_supplicant1.Interface

Error org.freedesktop.DBus.Error.UnknownMethod: Method "GetAll" with signature "s" on interface "org.freedesktop.DBus.Properties" doesn't exist

As I said Interfaces/1 or /2 or /3 depends on how they are enumerated. That is just an example

Using d-feet to find your interface. Today is /4 on my laptop (and must be a wifi)

Sebastien Bacher (seb128) wrote :

Thanks, I tried d-feet earlier but it gives an accesserror, it works using sudo though. The call on the interface seems successful here though so I can't confirm the bug

Are you using ubuntu 18.04? or are you using Focal Fossa?

debdiff show the difference between the 18.04 ubuntu. In the 20.04 wpa supplicant was bump to newer version so station attribute was added in the right way

Sebastien Bacher (seb128) wrote :

I'm using focal, the bug as tagged as incoming for series up to hirsute, is it supposed to be mostly an issue for bionic? Maybe that station attribute patch should be backported to bionic as a first step?

Could you give a more direct reference to that patch? Grepping for 'station' in debian/patches only returns
CVE-2019-16275.patch:connected station dropping its association.

It's still unclear to me what a real user facing scenario impact of the issue would be. Would installing connman instead of network-manager and trying to do some action

Dear Sebastian, the problem that the station patch was backported already but wrongly. I have just fixed in this package

This is coming from change log

wpa (2:2.6-15ubuntu1) bionic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/patches/wpa_service_ignore-on-isolate.patch: add
      IgnoreOnIsolate=yes so that when switching "runlevels" in oem-config
      will not kill off wpa and cause wireless to be unavailable on first
    - debian/patches/session-ticket.patch: disable the TLS Session Ticket
      extension to fix auth with 802.1x PEAP on some hardware.
    - debian/patches/android_hal_fw_path_change.patch: add a DBus method
      for requesting a firmware change when working with the Android HAL;
      this is used to set a device in P2P or AP mode; conditional to
      CONFIG_ANDROID_HAL being enabled.
    - debian/config/wpasupplicant/linux: enable CONFIG_ANDROID_HAL.
    - debian/control: Build-Depends on android-headers to get the required
      wifi headers for the HAL support.
    - debian/patches/dbus-available-sta.patch: Make the list of connected
      stations available on DBus for hotspot mode; along with some of the
      station properties, such as rx/tx packets, bytes, capabilities, etc.

Up you have the patch that break the package. I just made it working properly patch the package

  * Updated debian/patches/dbus-available-sta.patch for new getter API

Changed in wpa (Ubuntu):
importance: Undecided → High
status: New → In Progress
Sebastien Bacher (seb128) wrote :

Thanks, it finally makes sense now and I can confirm the patch works, it would have helped if the description stated the issue was in bionic and fixed in newer version...

Anyway, the patch was fixed in the upload
where it's noted that it was changed to not error out when not in AP mode.

The patch is similar to the one attached earlier on the bug

description: updated
Sebastien Bacher (seb128) wrote :

Closing since it's fixed in the current version, a bionic SRU has been uploaded now so that serie is going to be added as a target to the bug when it gets reviewed and accepted

Changed in wpa (Ubuntu):
status: In Progress → Fix Released

Hello Michael, or anyone else affected,

Accepted wpa into bionic-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in wpa (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic

All autopkgtests for the newly accepted wpa (2:2.6-15ubuntu2.6) for bionic have finished running.
The following regressions have been reported in tests triggered by the package: (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].


Thank you!

Mathew Hodson (mhodson) on 2020-11-23
Changed in wpa (Ubuntu Bionic):
importance: Undecided → High
Sebastien Bacher (seb128) wrote :

The autopkgtest failure was flakyness, it successed after a retry

tags: removed: rls-bb-incoming rls-ff-incoming rls-gg-incoming rls-hh-incoming
Sebastien Bacher (seb128) wrote :

@Michael, would you be able to verify that the update package resolve the issue for you?

@Sebastien I will test it today. Sorry for the delay

Angelo Compagnucci (angeloc) wrote :

@Sebastien: tested on Ubuntu 18.04

$ sudo dbus-send --system --print-reply --dest=fi.w1.wpa_supplicant1 /fi/w1/wpa_supplicant1/Interfaces/1 org.freedesktop.DBus.Properties.GetAll string:fi.w1.wpa_supplicant1.Interface
method return time=1607598173.146833 sender=:1.4 -> destination=:1.82 serial=61 reply_serial=2
   array [
      dict entry(
         string "Capabilities"
         variant array [
               dict entry(
                  string "Pairwise"

It works

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wpa - 2:2.6-15ubuntu2.6

wpa (2:2.6-15ubuntu2.6) bionic; urgency=medium

  * debian/patches/fix-dbus-getall-request.patch:
    - update to a fixed version of the patch to not error out when not
      in AP mode, thanks Michael Nazzareno Trimarchi (lp: #1899262)

 -- Sebastien Bacher <email address hidden> Wed, 11 Nov 2020 10:50:58 +0100

Changed in wpa (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for wpa has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers