gnu: libupnp: Fix CVE-2016-6255.

* gnu/packages/patches/libupnp-CVE-2016-6255.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/libupnp.scm (libupnp): Use it.
This commit is contained in:
Leo Famulari 2016-10-06 01:48:57 -04:00
parent a76abae19f
commit 9e672bcc0b
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
3 changed files with 53 additions and 0 deletions

View file

@ -663,6 +663,7 @@ dist_patch_DATA = \
%D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
%D%/packages/patches/libupnp-CVE-2016-6255.patch \
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
%D%/packages/patches/libwmf-CAN-2004-0941.patch \
%D%/packages/patches/libwmf-CVE-2006-3376.patch \

View file

@ -17,6 +17,7 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu packages libupnp)
#:use-module (gnu packages)
#:use-module (guix licenses)
#:use-module (guix packages)
#:use-module (guix download)
@ -31,6 +32,7 @@ (define-public libupnp
(method url-fetch)
(uri (string-append "mirror://sourceforge/pupnp/pupnp/libUPnP%20"
version "/" name "-" version ".tar.bz2"))
(patches (search-patches "libupnp-CVE-2016-6255.patch"))
(sha256
(base32
"0qrsdsb1qm85hc4jy04qph895613d148f0x1mmk6z99y3q43fdgf"))))

View file

@ -0,0 +1,50 @@
Fix CVE-2016-6255:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
http://www.openwall.com/lists/oss-security/2016/07/18/13
Patch adapted from upstream commit:
https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5
The upstream change is simplified to unconditionally disable the HTTP
POST feature.
From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Tue, 23 Feb 2016 13:53:20 -0800
Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
default
If there's no registered handler for a POST request, the default behaviour
is to write it to the filesystem. Several million deployed devices appear
to have this behaviour, making it possible to (at least) store arbitrary
data on them. Add a configure option that enables this behaviour, and change
the default to just drop POSTs that aren't directly handled.
Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit c91a8a3903367e1163765b73eb4d43be7d7927fa)
---
configure.ac | 9 +++++++++
upnp/inc/upnpconfig.h.in | 9 +++++++++
upnp/src/genlib/net/http/webserver.c | 4 ++++
3 files changed, 22 insertions(+)
diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
index 26bf0f7..7ae8c1e 100644
--- a/upnp/src/genlib/net/http/webserver.c
+++ b/upnp/src/genlib/net/http/webserver.c
@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage(
if (Fp == NULL)
return HTTP_INTERNAL_SERVER_ERROR;
} else {
+#if 0
Fp = fopen(filename, "wb");
if (Fp == NULL)
return HTTP_UNAUTHORIZED;
+#else
+ return HTTP_NOT_FOUND;
+#endif
}
parser->position = POS_ENTITY;
do {