summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2017-01-23 22:32:20 -0500
committerLeo Famulari <leo@famulari.name>2017-01-23 23:27:04 -0500
commit165259593a21c6586125a5f93c20ee199deefbe3 (patch)
treeec435bf4ce85fb5e681c187fd05343c090231ea7 /gnu/packages/patches
parent2986995b85e76f12741fcdda8dd0e1a636620dec (diff)
downloadguix-165259593a21c6586125a5f93c20ee199deefbe3.tar.gz
gnu: libupnp: Update to 1.6.21.
* gnu/packages/libupnp.scm (libupnp): Update to 1.6.21.
[source]: Remove obsolete patches.
* gnu/packages/patches/libupnp-CVE-2016-6255.patch,
gnu/packages/patches/libupnp-CVE-2016-8863.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/libupnp-CVE-2016-6255.patch50
-rw-r--r--gnu/packages/patches/libupnp-CVE-2016-8863.patch72
2 files changed, 0 insertions, 122 deletions
diff --git a/gnu/packages/patches/libupnp-CVE-2016-6255.patch b/gnu/packages/patches/libupnp-CVE-2016-6255.patch
deleted file mode 100644
index c9a3fa284c..0000000000
--- a/gnu/packages/patches/libupnp-CVE-2016-6255.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Fix CVE-2016-6255:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
-http://www.openwall.com/lists/oss-security/2016/07/18/13
-
-Patch adapted from upstream commit:
-
-https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5
-
-The upstream change is simplified to unconditionally disable the HTTP
-POST feature.
-
-From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Tue, 23 Feb 2016 13:53:20 -0800
-Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
- default
-
-If there's no registered handler for a POST request, the default behaviour
-is to write it to the filesystem. Several million deployed devices appear
-to have this behaviour, making it possible to (at least) store arbitrary
-data on them. Add a configure option that enables this behaviour, and change
-the default to just drop POSTs that aren't directly handled.
-
-Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
-(cherry picked from commit c91a8a3903367e1163765b73eb4d43be7d7927fa)
----
- configure.ac                         | 9 +++++++++
- upnp/inc/upnpconfig.h.in             | 9 +++++++++
- upnp/src/genlib/net/http/webserver.c | 4 ++++
- 3 files changed, 22 insertions(+)
-
-diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
-index 26bf0f7..7ae8c1e 100644
---- a/upnp/src/genlib/net/http/webserver.c
-+++ b/upnp/src/genlib/net/http/webserver.c
-@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage(
- 		if (Fp == NULL)
- 			return HTTP_INTERNAL_SERVER_ERROR;
- 	} else {
-+#if 0
- 		Fp = fopen(filename, "wb");
- 		if (Fp == NULL)
- 			return HTTP_UNAUTHORIZED;
-+#else
-+		return HTTP_NOT_FOUND;
-+#endif
- 	}
- 	parser->position = POS_ENTITY;
- 	do {
diff --git a/gnu/packages/patches/libupnp-CVE-2016-8863.patch b/gnu/packages/patches/libupnp-CVE-2016-8863.patch
deleted file mode 100644
index 9978b39487..0000000000
--- a/gnu/packages/patches/libupnp-CVE-2016-8863.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Fix CVE-2016-8863:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
-https://sourceforge.net/p/pupnp/bugs/133/
-
-Patch copied from upstream source repository:
-
-https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7/
-
-From 9c099c2923ab4d98530ab5204af1738be5bddba7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
-Date: Thu, 8 Dec 2016 17:11:53 +0100
-Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
-
-If there is an invalid URL in URLS->buf after a valid one, uri_parse is
-called with out pointing after the allocated memory. As uri_parse writes
-to *out before returning an error the loop in create_url_list must be
-stopped early to prevent an out-of-bound access
-
-Bug: https://sourceforge.net/p/pupnp/bugs/133/
-Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
-Bug-Debian: https://bugs.debian.org/842093
-Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
-(cherry picked from commit a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b)
----
- upnp/src/gena/gena_device.c | 17 ++++++++++++-----
- 1 file changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
-index fb04a29..245c56b 100644
---- a/upnp/src/gena/gena_device.c
-+++ b/upnp/src/gena/gena_device.c
-@@ -1113,7 +1113,7 @@ static int create_url_list(
- 	/*! [out] . */
- 	URL_list *out)
- {
--    size_t URLcount = 0;
-+    size_t URLcount = 0, URLcount2 = 0;
-     size_t i;
-     int return_code = 0;
-     uri_type temp;
-@@ -1155,16 +1155,23 @@ static int create_url_list(
-         }
-         memcpy( out->URLs, URLS->buff, URLS->size );
-         out->URLs[URLS->size] = 0;
--        URLcount = 0;
-         for( i = 0; i < URLS->size; i++ ) {
-             if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
-                 if( ( ( return_code =
-                         parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
--                                   &out->parsedURLs[URLcount] ) ) ==
-+                                   &out->parsedURLs[URLcount2] ) ) ==
-                       HTTP_SUCCESS )
--                    && ( out->parsedURLs[URLcount].hostport.text.size !=
-+                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
-                          0 ) ) {
--                    URLcount++;
-+                    URLcount2++;
-+                    if (URLcount2 >= URLcount)
-+                        /*
-+                         * break early here in case there is a bogus URL that
-+                         * was skipped above. This prevents to access
-+                         * out->parsedURLs[URLcount] which is beyond the
-+                         * allocation.
-+                         */
-+                        break;
-                 } else {
-                     if( return_code == UPNP_E_OUTOF_MEMORY ) {
-                         free( out->URLs );
--- 
-2.11.0
-