23/155: gnu: libupnp: Fix CVE-2016-8863.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

23/155: gnu: libupnp: Fix CVE-2016-8863.

From:	John Darrington
Subject:	23/155: gnu: libupnp: Fix CVE-2016-8863.
Date:	Wed, 21 Dec 2016 20:48:31 +0000 (UTC)

jmd pushed a commit to branch wip-installer
in repository guix.

commit 3d5ea8cb297a5759a2f3ae082792420f5cabb5c8
Author: Leo Famulari <address@hidden>
Date:   Fri Dec 16 15:23:47 2016 -0500

    gnu: libupnp: Fix CVE-2016-8863.
    
    * gnu/packages/patches/libupnp-CVE-2016-8863.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Use it.
    * gnu/packages/libupnp.scm (libupnp)[source]: Use it.
---
 gnu/local.mk                                     |    1 +
 gnu/packages/libupnp.scm                         |    3 +-
 gnu/packages/patches/libupnp-CVE-2016-8863.patch |   72 ++++++++++++++++++++++
 3 files changed, 75 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 7e910a5..e0ff3f3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -694,6 +694,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/libtool-skip-tests2.patch               \
   %D%/packages/patches/libunwind-CVE-2015-3239.patch           \
   %D%/packages/patches/libupnp-CVE-2016-6255.patch             \
+  %D%/packages/patches/libupnp-CVE-2016-8863.patch             \
   %D%/packages/patches/libvpx-CVE-2016-2818.patch              \
   %D%/packages/patches/libwebp-CVE-2016-9085.patch             \
   %D%/packages/patches/libwmf-CAN-2004-0941.patch              \
diff --git a/gnu/packages/libupnp.scm b/gnu/packages/libupnp.scm
index b9209bf..ea4d1bd 100644
--- a/gnu/packages/libupnp.scm
+++ b/gnu/packages/libupnp.scm
@@ -32,7 +32,8 @@
       (method url-fetch)
       (uri (string-append "mirror://sourceforge/pupnp/pupnp/libUPnP%20"
                           version "/" name "-" version ".tar.bz2"))
-      (patches (search-patches "libupnp-CVE-2016-6255.patch"))
+      (patches (search-patches "libupnp-CVE-2016-6255.patch"
+                               "libupnp-CVE-2016-8863.patch"))
       (sha256
        (base32
         "0qrsdsb1qm85hc4jy04qph895613d148f0x1mmk6z99y3q43fdgf"))))
diff --git a/gnu/packages/patches/libupnp-CVE-2016-8863.patch 
b/gnu/packages/patches/libupnp-CVE-2016-8863.patch
new file mode 100644
index 0000000..9978b39
--- /dev/null
+++ b/gnu/packages/patches/libupnp-CVE-2016-8863.patch
@@ -0,0 +1,72 @@
+Fix CVE-2016-8863:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
+https://sourceforge.net/p/pupnp/bugs/133/
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7/
+
+From 9c099c2923ab4d98530ab5204af1738be5bddba7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <address@hidden>
+Date: Thu, 8 Dec 2016 17:11:53 +0100
+Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
+
+If there is an invalid URL in URLS->buf after a valid one, uri_parse is
+called with out pointing after the allocated memory. As uri_parse writes
+to *out before returning an error the loop in create_url_list must be
+stopped early to prevent an out-of-bound access
+
+Bug: https://sourceforge.net/p/pupnp/bugs/133/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
+Bug-Debian: https://bugs.debian.org/842093
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
+(cherry picked from commit a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b)
+---
+ upnp/src/gena/gena_device.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
+index fb04a29..245c56b 100644
+--- a/upnp/src/gena/gena_device.c
++++ b/upnp/src/gena/gena_device.c
+@@ -1113,7 +1113,7 @@ static int create_url_list(
+       /*! [out] . */
+       URL_list *out)
+ {
+-    size_t URLcount = 0;
++    size_t URLcount = 0, URLcount2 = 0;
+     size_t i;
+     int return_code = 0;
+     uri_type temp;
+@@ -1155,16 +1155,23 @@ static int create_url_list(
+         }
+         memcpy( out->URLs, URLS->buff, URLS->size );
+         out->URLs[URLS->size] = 0;
+-        URLcount = 0;
+         for( i = 0; i < URLS->size; i++ ) {
+             if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
+                 if( ( ( return_code =
+                         parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
+-                                   &out->parsedURLs[URLcount] ) ) ==
++                                   &out->parsedURLs[URLcount2] ) ) ==
+                       HTTP_SUCCESS )
+-                    && ( out->parsedURLs[URLcount].hostport.text.size !=
++                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
+                          0 ) ) {
+-                    URLcount++;
++                    URLcount2++;
++                    if (URLcount2 >= URLcount)
++                        /*
++                         * break early here in case there is a bogus URL that
++                         * was skipped above. This prevents to access
++                         * out->parsedURLs[URLcount] which is beyond the
++                         * allocation.
++                         */
++                        break;
+                 } else {
+                     if( return_code == UPNP_E_OUTOF_MEMORY ) {
+                         free( out->URLs );
+-- 
+2.11.0
+

[Prev in Thread]

Current Thread

[Next in Thread]

19/155: refresh: Make dependency on (guix import crates) weak., (continued)
- 19/155: refresh: Make dependency on (guix import crates) weak., John Darrington, 2016/12/21
- 16/155: gnu: grub: Add dependency on efibootmgr., John Darrington, 2016/12/21
- 20/155: download: Protect against dangling symlinks in $SSL_CERT_DIR., John Darrington, 2016/12/21
- 11/155: installer: Change "interfaces" from a variable to a procedure., John Darrington, 2016/12/21
- 21/155: profiles: Build profiles in a UTF-8 locale., John Darrington, 2016/12/21
- 09/155: installer: Use a record instead of a list to contain tasks., John Darrington, 2016/12/21
- 13/155: installer: Use call-with-temporary-output-file., John Darrington, 2016/12/21
- 29/155: gnu: Add fatfsck-static., John Darrington, 2016/12/21
- 24/155: build: assert-no-store-file-names: Ignore ChangeLog., John Darrington, 2016/12/21
- 18/155: install: Add dosfstools., John Darrington, 2016/12/21
- 23/155: gnu: libupnp: Fix CVE-2016-8863., John Darrington <=
- 25/155: gnu: acme-client: Provide path to certificates., John Darrington, 2016/12/21
- 34/155: import cran: Do not use "or later" licenses by default., John Darrington, 2016/12/21
- 36/155: import cran: Handle BSD licenses with LICENSE file., John Darrington, 2016/12/21
- 15/155: doc: "Nar" now means "normalized archive"., John Darrington, 2016/12/21
- 14/155: Revert "gnu: kmod: Update to 23.", John Darrington, 2016/12/21
- 22/155: gnu: Add Greek Aspell dictionary, John Darrington, 2016/12/21
- 12/155: installer: Add gurses modules., John Darrington, 2016/12/21
- 35/155: import cran: Translate MIT to the Expat license., John Darrington, 2016/12/21
- 27/155: gnu: Add emacs-bui., John Darrington, 2016/12/21
- 47/155: gnu: sane-backends: Disable backend generation., John Darrington, 2016/12/21

Prev by Date: 18/155: install: Add dosfstools.
Next by Date: 25/155: gnu: acme-client: Provide path to certificates.
Previous by thread: 18/155: install: Add dosfstools.
Next by thread: 25/155: gnu: acme-client: Provide path to certificates.
Index(es):
- Date
- Thread