diff options
Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/libupnp.scm | 6 | ||||
-rw-r--r-- | gnu/packages/patches/libupnp-CVE-2016-6255.patch | 50 | ||||
-rw-r--r-- | gnu/packages/patches/libupnp-CVE-2016-8863.patch | 72 |
3 files changed, 2 insertions, 126 deletions
diff --git a/gnu/packages/libupnp.scm b/gnu/packages/libupnp.scm index ea4d1bd25e..330ae6deb6 100644 --- a/gnu/packages/libupnp.scm +++ b/gnu/packages/libupnp.scm @@ -26,17 +26,15 @@ (define-public libupnp (package (name "libupnp") - (version "1.6.20") + (version "1.6.21") (source (origin (method url-fetch) (uri (string-append "mirror://sourceforge/pupnp/pupnp/libUPnP%20" version "/" name "-" version ".tar.bz2")) - (patches (search-patches "libupnp-CVE-2016-6255.patch" - "libupnp-CVE-2016-8863.patch")) (sha256 (base32 - "0qrsdsb1qm85hc4jy04qph895613d148f0x1mmk6z99y3q43fdgf")))) + "16x3z6jg1krwyydmbd0z59z5c9x4pniaajmfmnp5pmx18q43qgxg")))) (build-system gnu-build-system) (arguments ;; The tests require a network device capable of multicasting which is diff --git a/gnu/packages/patches/libupnp-CVE-2016-6255.patch b/gnu/packages/patches/libupnp-CVE-2016-6255.patch deleted file mode 100644 index c9a3fa284c..0000000000 --- a/gnu/packages/patches/libupnp-CVE-2016-6255.patch +++ /dev/null @@ -1,50 +0,0 @@ -Fix CVE-2016-6255: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255 -http://www.openwall.com/lists/oss-security/2016/07/18/13 - -Patch adapted from upstream commit: - -https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5 - -The upstream change is simplified to unconditionally disable the HTTP -POST feature. - -From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett <mjg59@srcf.ucam.org> -Date: Tue, 23 Feb 2016 13:53:20 -0800 -Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by - default - -If there's no registered handler for a POST request, the default behaviour -is to write it to the filesystem. Several million deployed devices appear -to have this behaviour, making it possible to (at least) store arbitrary -data on them. Add a configure option that enables this behaviour, and change -the default to just drop POSTs that aren't directly handled. - -Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net> -(cherry picked from commit c91a8a3903367e1163765b73eb4d43be7d7927fa) ---- - configure.ac | 9 +++++++++ - upnp/inc/upnpconfig.h.in | 9 +++++++++ - upnp/src/genlib/net/http/webserver.c | 4 ++++ - 3 files changed, 22 insertions(+) - -diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c -index 26bf0f7..7ae8c1e 100644 ---- a/upnp/src/genlib/net/http/webserver.c -+++ b/upnp/src/genlib/net/http/webserver.c -@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage( - if (Fp == NULL) - return HTTP_INTERNAL_SERVER_ERROR; - } else { -+#if 0 - Fp = fopen(filename, "wb"); - if (Fp == NULL) - return HTTP_UNAUTHORIZED; -+#else -+ return HTTP_NOT_FOUND; -+#endif - } - parser->position = POS_ENTITY; - do { diff --git a/gnu/packages/patches/libupnp-CVE-2016-8863.patch b/gnu/packages/patches/libupnp-CVE-2016-8863.patch deleted file mode 100644 index 9978b39487..0000000000 --- a/gnu/packages/patches/libupnp-CVE-2016-8863.patch +++ /dev/null @@ -1,72 +0,0 @@ -Fix CVE-2016-8863: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863 -https://sourceforge.net/p/pupnp/bugs/133/ - -Patch copied from upstream source repository: - -https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7/ - -From 9c099c2923ab4d98530ab5204af1738be5bddba7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org> -Date: Thu, 8 Dec 2016 17:11:53 +0100 -Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863) - -If there is an invalid URL in URLS->buf after a valid one, uri_parse is -called with out pointing after the allocated memory. As uri_parse writes -to *out before returning an error the loop in create_url_list must be -stopped early to prevent an out-of-bound access - -Bug: https://sourceforge.net/p/pupnp/bugs/133/ -Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863 -Bug-Debian: https://bugs.debian.org/842093 -Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771 -(cherry picked from commit a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b) ---- - upnp/src/gena/gena_device.c | 17 ++++++++++++----- - 1 file changed, 12 insertions(+), 5 deletions(-) - -diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c -index fb04a29..245c56b 100644 ---- a/upnp/src/gena/gena_device.c -+++ b/upnp/src/gena/gena_device.c -@@ -1113,7 +1113,7 @@ static int create_url_list( - /*! [out] . */ - URL_list *out) - { -- size_t URLcount = 0; -+ size_t URLcount = 0, URLcount2 = 0; - size_t i; - int return_code = 0; - uri_type temp; -@@ -1155,16 +1155,23 @@ static int create_url_list( - } - memcpy( out->URLs, URLS->buff, URLS->size ); - out->URLs[URLS->size] = 0; -- URLcount = 0; - for( i = 0; i < URLS->size; i++ ) { - if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) { - if( ( ( return_code = - parse_uri( &out->URLs[i + 1], URLS->size - i + 1, -- &out->parsedURLs[URLcount] ) ) == -+ &out->parsedURLs[URLcount2] ) ) == - HTTP_SUCCESS ) -- && ( out->parsedURLs[URLcount].hostport.text.size != -+ && ( out->parsedURLs[URLcount2].hostport.text.size != - 0 ) ) { -- URLcount++; -+ URLcount2++; -+ if (URLcount2 >= URLcount) -+ /* -+ * break early here in case there is a bogus URL that -+ * was skipped above. This prevents to access -+ * out->parsedURLs[URLcount] which is beyond the -+ * allocation. -+ */ -+ break; - } else { - if( return_code == UPNP_E_OUTOF_MEMORY ) { - free( out->URLs ); --- -2.11.0 - |