Via OSS-sec:

We understand the existence of the CVE-2016-2447 ID in
http://source.android.com/security/bulletin/2016-05-01.html and that
the reports credit Imre Rad; however, there are different exploitation
scenarios that affect different versions from the perspective of
hostapd/wpa_supplicant, and thus it is probably simplest for most
people to have separate hostapd/wpa_supplicant CVE IDs.

> WPA/WPA2 passphrase parameter ... to include control characters

> The WPS trigger for this requires local user action to authorize the WPS
> operation in which a new configuration would be received. The attacker
> would also need to be in radio range of the device or have access to the
> IP network to act as a WPS External Registrar. Such an attack could
> result in denial of service by not allowing hostapd or wpa_supplicant to
> start after they have been stopped.
>
> wpa_supplicant v0.6.7-v2.5 with CONFIG_WPS build option enabled
> hostapd v0.6.7-v2.5 with CONFIG_WPS build option enabled

Use CVE-2016-4476.


rh#1332422

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1332422
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4476
http://seclists.org/oss-sec/2016/q2/189
http://w1.fi/security/2016-1/