diff --git a/gnu/local.mk b/gnu/local.mk index 694ce9495f..49fd2337cd 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -679,6 +679,7 @@ dist_patch_DATA = \ %D%/packages/patches/libtool-skip-tests2.patch \ %D%/packages/patches/libunwind-CVE-2015-3239.patch \ %D%/packages/patches/libupnp-CVE-2016-6255.patch \ + %D%/packages/patches/libupnp-CVE-2016-8863.patch \ %D%/packages/patches/libvpx-CVE-2016-2818.patch \ %D%/packages/patches/libwebp-CVE-2016-9085.patch \ %D%/packages/patches/libwmf-CAN-2004-0941.patch \ diff --git a/gnu/packages/libupnp.scm b/gnu/packages/libupnp.scm index b9209bf04b..ea4d1bd25e 100644 --- a/gnu/packages/libupnp.scm +++ b/gnu/packages/libupnp.scm @@ -32,7 +32,8 @@ (define-public libupnp (method url-fetch) (uri (string-append "mirror://sourceforge/pupnp/pupnp/libUPnP%20" version "/" name "-" version ".tar.bz2")) - (patches (search-patches "libupnp-CVE-2016-6255.patch")) + (patches (search-patches "libupnp-CVE-2016-6255.patch" + "libupnp-CVE-2016-8863.patch")) (sha256 (base32 "0qrsdsb1qm85hc4jy04qph895613d148f0x1mmk6z99y3q43fdgf")))) diff --git a/gnu/packages/patches/libupnp-CVE-2016-8863.patch b/gnu/packages/patches/libupnp-CVE-2016-8863.patch new file mode 100644 index 0000000000..9978b39487 --- /dev/null +++ b/gnu/packages/patches/libupnp-CVE-2016-8863.patch @@ -0,0 +1,72 @@ +Fix CVE-2016-8863: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863 +https://sourceforge.net/p/pupnp/bugs/133/ + +Patch copied from upstream source repository: + +https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7/ + +From 9c099c2923ab4d98530ab5204af1738be5bddba7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Thu, 8 Dec 2016 17:11:53 +0100 +Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863) + +If there is an invalid URL in URLS->buf after a valid one, uri_parse is +called with out pointing after the allocated memory. As uri_parse writes +to *out before returning an error the loop in create_url_list must be +stopped early to prevent an out-of-bound access + +Bug: https://sourceforge.net/p/pupnp/bugs/133/ +Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863 +Bug-Debian: https://bugs.debian.org/842093 +Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771 +(cherry picked from commit a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b) +--- + upnp/src/gena/gena_device.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c +index fb04a29..245c56b 100644 +--- a/upnp/src/gena/gena_device.c ++++ b/upnp/src/gena/gena_device.c +@@ -1113,7 +1113,7 @@ static int create_url_list( + /*! [out] . */ + URL_list *out) + { +- size_t URLcount = 0; ++ size_t URLcount = 0, URLcount2 = 0; + size_t i; + int return_code = 0; + uri_type temp; +@@ -1155,16 +1155,23 @@ static int create_url_list( + } + memcpy( out->URLs, URLS->buff, URLS->size ); + out->URLs[URLS->size] = 0; +- URLcount = 0; + for( i = 0; i < URLS->size; i++ ) { + if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) { + if( ( ( return_code = + parse_uri( &out->URLs[i + 1], URLS->size - i + 1, +- &out->parsedURLs[URLcount] ) ) == ++ &out->parsedURLs[URLcount2] ) ) == + HTTP_SUCCESS ) +- && ( out->parsedURLs[URLcount].hostport.text.size != ++ && ( out->parsedURLs[URLcount2].hostport.text.size != + 0 ) ) { +- URLcount++; ++ URLcount2++; ++ if (URLcount2 >= URLcount) ++ /* ++ * break early here in case there is a bogus URL that ++ * was skipped above. This prevents to access ++ * out->parsedURLs[URLcount] which is beyond the ++ * allocation. ++ */ ++ break; + } else { + if( return_code == UPNP_E_OUTOF_MEMORY ) { + free( out->URLs ); +-- +2.11.0 +