gnu: libupnp: Fix CVE-2016-8863.
* gnu/packages/patches/libupnp-CVE-2016-8863.patch: New file. * gnu/local.mk (dist_patch_DATA): Use it. * gnu/packages/libupnp.scm (libupnp)[source]: Use it.
This commit is contained in:
parent
850812decf
commit
f8faf537ca
@ -679,6 +679,7 @@ dist_patch_DATA = \
|
|||||||
%D%/packages/patches/libtool-skip-tests2.patch \
|
%D%/packages/patches/libtool-skip-tests2.patch \
|
||||||
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
|
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
|
||||||
%D%/packages/patches/libupnp-CVE-2016-6255.patch \
|
%D%/packages/patches/libupnp-CVE-2016-6255.patch \
|
||||||
|
%D%/packages/patches/libupnp-CVE-2016-8863.patch \
|
||||||
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
|
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
|
||||||
%D%/packages/patches/libwebp-CVE-2016-9085.patch \
|
%D%/packages/patches/libwebp-CVE-2016-9085.patch \
|
||||||
%D%/packages/patches/libwmf-CAN-2004-0941.patch \
|
%D%/packages/patches/libwmf-CAN-2004-0941.patch \
|
||||||
|
@ -32,7 +32,8 @@
|
|||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append "mirror://sourceforge/pupnp/pupnp/libUPnP%20"
|
(uri (string-append "mirror://sourceforge/pupnp/pupnp/libUPnP%20"
|
||||||
version "/" name "-" version ".tar.bz2"))
|
version "/" name "-" version ".tar.bz2"))
|
||||||
(patches (search-patches "libupnp-CVE-2016-6255.patch"))
|
(patches (search-patches "libupnp-CVE-2016-6255.patch"
|
||||||
|
"libupnp-CVE-2016-8863.patch"))
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"0qrsdsb1qm85hc4jy04qph895613d148f0x1mmk6z99y3q43fdgf"))))
|
"0qrsdsb1qm85hc4jy04qph895613d148f0x1mmk6z99y3q43fdgf"))))
|
||||||
|
72
gnu/packages/patches/libupnp-CVE-2016-8863.patch
Normal file
72
gnu/packages/patches/libupnp-CVE-2016-8863.patch
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
Fix CVE-2016-8863:
|
||||||
|
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
|
||||||
|
https://sourceforge.net/p/pupnp/bugs/133/
|
||||||
|
|
||||||
|
Patch copied from upstream source repository:
|
||||||
|
|
||||||
|
https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7/
|
||||||
|
|
||||||
|
From 9c099c2923ab4d98530ab5204af1738be5bddba7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
|
||||||
|
Date: Thu, 8 Dec 2016 17:11:53 +0100
|
||||||
|
Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
|
||||||
|
|
||||||
|
If there is an invalid URL in URLS->buf after a valid one, uri_parse is
|
||||||
|
called with out pointing after the allocated memory. As uri_parse writes
|
||||||
|
to *out before returning an error the loop in create_url_list must be
|
||||||
|
stopped early to prevent an out-of-bound access
|
||||||
|
|
||||||
|
Bug: https://sourceforge.net/p/pupnp/bugs/133/
|
||||||
|
Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
|
||||||
|
Bug-Debian: https://bugs.debian.org/842093
|
||||||
|
Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
|
||||||
|
(cherry picked from commit a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b)
|
||||||
|
---
|
||||||
|
upnp/src/gena/gena_device.c | 17 ++++++++++++-----
|
||||||
|
1 file changed, 12 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
|
||||||
|
index fb04a29..245c56b 100644
|
||||||
|
--- a/upnp/src/gena/gena_device.c
|
||||||
|
+++ b/upnp/src/gena/gena_device.c
|
||||||
|
@@ -1113,7 +1113,7 @@ static int create_url_list(
|
||||||
|
/*! [out] . */
|
||||||
|
URL_list *out)
|
||||||
|
{
|
||||||
|
- size_t URLcount = 0;
|
||||||
|
+ size_t URLcount = 0, URLcount2 = 0;
|
||||||
|
size_t i;
|
||||||
|
int return_code = 0;
|
||||||
|
uri_type temp;
|
||||||
|
@@ -1155,16 +1155,23 @@ static int create_url_list(
|
||||||
|
}
|
||||||
|
memcpy( out->URLs, URLS->buff, URLS->size );
|
||||||
|
out->URLs[URLS->size] = 0;
|
||||||
|
- URLcount = 0;
|
||||||
|
for( i = 0; i < URLS->size; i++ ) {
|
||||||
|
if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
|
||||||
|
if( ( ( return_code =
|
||||||
|
parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
|
||||||
|
- &out->parsedURLs[URLcount] ) ) ==
|
||||||
|
+ &out->parsedURLs[URLcount2] ) ) ==
|
||||||
|
HTTP_SUCCESS )
|
||||||
|
- && ( out->parsedURLs[URLcount].hostport.text.size !=
|
||||||
|
+ && ( out->parsedURLs[URLcount2].hostport.text.size !=
|
||||||
|
0 ) ) {
|
||||||
|
- URLcount++;
|
||||||
|
+ URLcount2++;
|
||||||
|
+ if (URLcount2 >= URLcount)
|
||||||
|
+ /*
|
||||||
|
+ * break early here in case there is a bogus URL that
|
||||||
|
+ * was skipped above. This prevents to access
|
||||||
|
+ * out->parsedURLs[URLcount] which is beyond the
|
||||||
|
+ * allocation.
|
||||||
|
+ */
|
||||||
|
+ break;
|
||||||
|
} else {
|
||||||
|
if( return_code == UPNP_E_OUTOF_MEMORY ) {
|
||||||
|
free( out->URLs );
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
Loading…
Reference in New Issue
Block a user