gnu: libupnp: Update to 1.6.21.

* gnu/packages/libupnp.scm (libupnp): Update to 1.6.21. [source]: Remove obsolete patches. * gnu/packages/patches/libupnp-CVE-2016-6255.patch, gnu/packages/patches/libupnp-CVE-2016-8863.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.
2017-01-23 22:32:20 -05:00 · 2017-01-23 22:32:20 -05:00 · 165259593a
commit 165259593a
parent 2986995b85
4 changed files with 2 additions and 128 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -703,8 +703,6 @@ dist_patch_DATA =						\
  %D%/packages/patches/libtiff-tiffcp-underflow.patch		\
  %D%/packages/patches/libtool-skip-tests2.patch		\
  %D%/packages/patches/libunwind-CVE-2015-3239.patch		\
  %D%/packages/patches/libupnp-CVE-2016-6255.patch		\
  %D%/packages/patches/libupnp-CVE-2016-8863.patch		\
  %D%/packages/patches/libvpx-CVE-2016-2818.patch		\
  %D%/packages/patches/libwebp-CVE-2016-9085.patch		\
  %D%/packages/patches/libwmf-CAN-2004-0941.patch		\
--- a/gnu/packages/libupnp.scm
+++ b/gnu/packages/libupnp.scm
@ -26,17 +26,15 @@
 (define-public libupnp
  (package
    (name "libupnp")
-    (version "1.6.20")
+    (version "1.6.21")
    (source
     (origin
      (method url-fetch)
      (uri (string-append "mirror://sourceforge/pupnp/pupnp/libUPnP%20"
                          version "/" name "-" version ".tar.bz2"))
      (patches (search-patches "libupnp-CVE-2016-6255.patch"
                               "libupnp-CVE-2016-8863.patch"))
      (sha256
       (base32
-        "0qrsdsb1qm85hc4jy04qph895613d148f0x1mmk6z99y3q43fdgf"))))
+        "16x3z6jg1krwyydmbd0z59z5c9x4pniaajmfmnp5pmx18q43qgxg"))))
    (build-system gnu-build-system)
    (arguments
     ;; The tests require a network device capable of multicasting which is
--- a/gnu/packages/patches/libupnp-CVE-2016-6255.patch
+++ b/gnu/packages/patches/libupnp-CVE-2016-6255.patch
@ -1,50 +0,0 @@
 Fix CVE-2016-6255:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
 http://www.openwall.com/lists/oss-security/2016/07/18/13
 Patch adapted from upstream commit:
 https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5
 The upstream change is simplified to unconditionally disable the HTTP
 POST feature.
 From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Tue, 23 Feb 2016 13:53:20 -0800
 Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
 default
 If there's no registered handler for a POST request, the default behaviour
 is to write it to the filesystem. Several million deployed devices appear
 to have this behaviour, making it possible to (at least) store arbitrary
 data on them. Add a configure option that enables this behaviour, and change
 the default to just drop POSTs that aren't directly handled.
 Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
 (cherry picked from commit c91a8a3903367e1163765b73eb4d43be7d7927fa)
 ---
 configure.ac                         | 9 +++++++++
 upnp/inc/upnpconfig.h.in             | 9 +++++++++
 upnp/src/genlib/net/http/webserver.c | 4 ++++
 3 files changed, 22 insertions(+)
 diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
 index 26bf0f7..7ae8c1e 100644
 --- a/upnp/src/genlib/net/http/webserver.c
 +++ b/upnp/src/genlib/net/http/webserver.c
@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage(
 		if (Fp == NULL)
 			return HTTP_INTERNAL_SERVER_ERROR;
 	} else {
 +#if 0
 		Fp = fopen(filename, "wb");
 		if (Fp == NULL)
 			return HTTP_UNAUTHORIZED;
 +#else
 +		return HTTP_NOT_FOUND;
 +#endif
 	}
 	parser->position = POS_ENTITY;
 	do {
--- a/gnu/packages/patches/libupnp-CVE-2016-8863.patch
+++ b/gnu/packages/patches/libupnp-CVE-2016-8863.patch
@ -1,72 +0,0 @@
 Fix CVE-2016-8863:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
 https://sourceforge.net/p/pupnp/bugs/133/
 Patch copied from upstream source repository:
 https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7/
 From 9c099c2923ab4d98530ab5204af1738be5bddba7 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
 Date: Thu, 8 Dec 2016 17:11:53 +0100
 Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
 If there is an invalid URL in URLS->buf after a valid one, uri_parse is
 called with out pointing after the allocated memory. As uri_parse writes
 to *out before returning an error the loop in create_url_list must be
 stopped early to prevent an out-of-bound access
 Bug: https://sourceforge.net/p/pupnp/bugs/133/
 Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
 Bug-Debian: https://bugs.debian.org/842093
 Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
 (cherry picked from commit a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b)
 ---
 upnp/src/gena/gena_device.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
 diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
 index fb04a29..245c56b 100644
 --- a/upnp/src/gena/gena_device.c
 +++ b/upnp/src/gena/gena_device.c
@@ -1113,7 +1113,7 @@ static int create_url_list(
 	/*! [out] . */
 	URL_list *out)
 {
 -    size_t URLcount = 0;
 +    size_t URLcount = 0, URLcount2 = 0;
     size_t i;
     int return_code = 0;
     uri_type temp;
@@ -1155,16 +1155,23 @@ static int create_url_list(
         }
         memcpy( out->URLs, URLS->buff, URLS->size );
         out->URLs[URLS->size] = 0;
 -        URLcount = 0;
         for( i = 0; i < URLS->size; i++ ) {
             if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
                 if( ( ( return_code =
                         parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
 -                                   &out->parsedURLs[URLcount] ) ) ==
 +                                   &out->parsedURLs[URLcount2] ) ) ==
                       HTTP_SUCCESS )
 -                    && ( out->parsedURLs[URLcount].hostport.text.size !=
 +                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
                          0 ) ) {
 -                    URLcount++;
 +                    URLcount2++;
 +                    if (URLcount2 >= URLcount)
 +                        /*
 +                         * break early here in case there is a bogus URL that
 +                         * was skipped above. This prevents to access
 +                         * out->parsedURLs[URLcount] which is beyond the
 +                         * allocation.
 +                         */
 +                        break;
                 } else {
                     if( return_code == UPNP_E_OUTOF_MEMORY ) {
                         free( out->URLs );
 -- 
 2.11.0