gnu: libupnp: Update to 1.6.21.

* gnu/packages/libupnp.scm (libupnp): Update to 1.6.21.
[source]: Remove obsolete patches.
* gnu/packages/patches/libupnp-CVE-2016-6255.patch,
gnu/packages/patches/libupnp-CVE-2016-8863.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
master
Leo Famulari 2017-01-23 22:32:20 -05:00
parent 2986995b85
commit 165259593a
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
4 changed files with 2 additions and 128 deletions


@ -703,8 +703,6 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-tiffcp-underflow.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
%D%/packages/patches/libupnp-CVE-2016-6255.patch \
%D%/packages/patches/libupnp-CVE-2016-8863.patch \
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
%D%/packages/patches/libwebp-CVE-2016-9085.patch \
%D%/packages/patches/libwmf-CAN-2004-0941.patch \


@ -26,17 +26,15 @@
(define-public libupnp
(package
(name "libupnp")
(version "1.6.20")
(version "1.6.21")
(source
(origin
(method url-fetch)
(uri (string-append "mirror://sourceforge/pupnp/pupnp/libUPnP%20"
version "/" name "-" version ".tar.bz2"))
(patches (search-patches "libupnp-CVE-2016-6255.patch"
"libupnp-CVE-2016-8863.patch"))
(sha256
(base32
"0qrsdsb1qm85hc4jy04qph895613d148f0x1mmk6z99y3q43fdgf"))))
"16x3z6jg1krwyydmbd0z59z5c9x4pniaajmfmnp5pmx18q43qgxg"))))
(build-system gnu-build-system)
(arguments
;; The tests require a network device capable of multicasting which is
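Review bot: Dropping `libupnp-CVE-2016-6255.patch` and `libupnp-CVE-2016-8863.patch` from the `(patches (search-patches ...))` field leaves nothing in the package recording that 1.6.21 is expected to carry both fixes. The deleted local patch for CVE-2016-6255 disabled the unhandled-POST file write unconditionally, while the upstream commit it was adapted from describes a configure option with the default set to drop such POSTs. The package therefore keeps the old behaviour only while that option is never passed, and the `(arguments` form continues past the end of this hunk, so that cannot be checked here. I would add a comment above `(build-system gnu-build-system)` such as `;; 1.6.21 includes the fixes for CVE-2016-6255 and CVE-2016-8863; do not enable the POST-write configure option.` It is also worth confirming against the upstream 1.6.21 changelog that both fixes are in the release tarball.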


@ -1,50 +0,0 @@
Fix CVE-2016-6255:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
http://www.openwall.com/lists/oss-security/2016/07/18/13
Patch adapted from upstream commit:
https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5
The upstream change is simplified to unconditionally disable the HTTP
POST feature.
From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Tue, 23 Feb 2016 13:53:20 -0800
Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
default
If there's no registered handler for a POST request, the default behaviour
is to write it to the filesystem. Several million deployed devices appear
to have this behaviour, making it possible to (at least) store arbitrary
data on them. Add a configure option that enables this behaviour, and change
the default to just drop POSTs that aren't directly handled.
Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit c91a8a3903367e1163765b73eb4d43be7d7927fa)
---
configure.ac | 9 +++++++++
upnp/inc/upnpconfig.h.in | 9 +++++++++
upnp/src/genlib/net/http/webserver.c | 4 ++++
3 files changed, 22 insertions(+)
diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
index 26bf0f7..7ae8c1e 100644
--- a/upnp/src/genlib/net/http/webserver.c
+++ b/upnp/src/genlib/net/http/webserver.c
@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage(
if (Fp == NULL)
return HTTP_INTERNAL_SERVER_ERROR;
} else {
+#if 0
Fp = fopen(filename, "wb");
if (Fp == NULL)
return HTTP_UNAUTHORIZED;
+#else
+ return HTTP_NOT_FOUND;
+#endif
}
parser->position = POS_ENTITY;
do {


@ -1,72 +0,0 @@
Fix CVE-2016-8863:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
https://sourceforge.net/p/pupnp/bugs/133/
Patch copied from upstream source repository:
https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7/
From 9c099c2923ab4d98530ab5204af1738be5bddba7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
Date: Thu, 8 Dec 2016 17:11:53 +0100
Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
If there is an invalid URL in URLS->buf after a valid one, uri_parse is
called with out pointing after the allocated memory. As uri_parse writes
to *out before returning an error the loop in create_url_list must be
stopped early to prevent an out-of-bound access
Bug: https://sourceforge.net/p/pupnp/bugs/133/
Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
Bug-Debian: https://bugs.debian.org/842093
Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
(cherry picked from commit a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b)
---
upnp/src/gena/gena_device.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
index fb04a29..245c56b 100644
--- a/upnp/src/gena/gena_device.c
+++ b/upnp/src/gena/gena_device.c
@@ -1113,7 +1113,7 @@ static int create_url_list(
/*! [out] . */
URL_list *out)
{
- size_t URLcount = 0;
+ size_t URLcount = 0, URLcount2 = 0;
size_t i;
int return_code = 0;
uri_type temp;
@@ -1155,16 +1155,23 @@ static int create_url_list(
}
memcpy( out->URLs, URLS->buff, URLS->size );
out->URLs[URLS->size] = 0;
- URLcount = 0;
for( i = 0; i < URLS->size; i++ ) {
if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
if( ( ( return_code =
parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
- &out->parsedURLs[URLcount] ) ) ==
+ &out->parsedURLs[URLcount2] ) ) ==
HTTP_SUCCESS )
- && ( out->parsedURLs[URLcount].hostport.text.size !=
+ && ( out->parsedURLs[URLcount2].hostport.text.size !=
0 ) ) {
- URLcount++;
+ URLcount2++;
+ if (URLcount2 >= URLcount)
+ /*
+ * break early here in case there is a bogus URL that
+ * was skipped above. This prevents to access
+ * out->parsedURLs[URLcount] which is beyond the
+ * allocation.
+ */
+ break;
} else {
if( return_code == UPNP_E_OUTOF_MEMORY ) {
free( out->URLs );
--
2.11.0