libupnp: Fix CVE-2020-13848

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13848 Upstream-Status: Accepted [https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0] CVE: CVE-2020-13848 Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Andrej Kozemcak <andrej.kozemcak@siemens.com> 2021-04-23 09:58:11 +0200
committer: Armin Kuster <akuster808@gmail.com> 2021-04-23 19:13:09 -0700
commit: c1a50683225b0bf10f8d7a18280acefa7469ecc2 (patch)
tree: 2a68fed2c96d89d69235a618658c0131f9d6d8ce
parent: d126440422d9585ea400c04b29b0f3e0a07c05c8 (diff)
download: meta-openembedded-c1a50683225b0bf10f8d7a18280acefa7469ecc2.tar.gz
2 files changed, 77 insertions, 1 deletions
diff --git a/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch b/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch
new file mode 100644
index 0000000000..695a2c94f0
--- /dev/null
+++ b/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch
@@ -0,0 +1,75 @@
+From c805c1de1141cb22f74c0d94dd5664bda37398e0 Mon Sep 17 00:00:00 2001
+From: Marcelo Roberto Jimenez <marcelo.jimenez@gmail.com>
+Date: Thu, 4 Jun 2020 12:03:03 -0300
+Subject: [PATCH] Fixes #177: NULL pointer dereference in
+ FindServiceControlURLPath
+Also fixes its dual bug in FindServiceEventURLPath.
+Reference:
+https://nvd.nist.gov/vuln/detail/CVE-2020-13848
+         
+Upstream-Status: Accepted [https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0]
+CVE: CVE-2020-13848
+Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
+---
+ ChangeLog                                     |  6 ++++++
+ upnp/src/genlib/service_table/service_table.c | 16 ++++++++++------
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 4a956fc..265d268 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -2,6 +2,12 @@
+ Version 1.8.4
+ *******************************************************************************
+2020-06-04 Patrik Lantz pjlantz(at)github
+
+       Fixes #177
+
+       NULL pointer dereference in FindServiceControlURLPath
+
+ 2017-11-17 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
+        GitHub #57 - 1.8.3 broke ABI without changing SONAME
+diff --git a/upnp/src/genlib/service_table/service_table.c b/upnp/src/genlib/service_table/service_table.c
+index 98c2c0f..f3ee4e5 100644
+--- a/upnp/src/genlib/service_table/service_table.c
+++ b/upnp/src/genlib/service_table/service_table.c
+@@ -300,12 +300,11 @@ FindServiceEventURLPath( service_table * table,
+     uri_type parsed_url;
+     uri_type parsed_url_in;
+-    if( ( table )
+-        &&
+-        ( parse_uri( eventURLPath,
+-                     strlen( eventURLPath ),
+-                     &parsed_url_in ) == HTTP_SUCCESS ) ) {
+-
+    if (!table || !eventURLPath) {
+      return NULL;
+    }
+    if (parse_uri(eventURLPath, strlen(eventURLPath), &parsed_url_in) ==
+        HTTP_SUCCESS) {
+         finger = table->serviceList;
+         while( finger ) {
+             if( finger->eventURL )
+@@ -352,11 +351,11 @@ FindServiceControlURLPath( service_table * table,
+     uri_type parsed_url;
+     uri_type parsed_url_in;
+-    if( ( table )
+-        &&
+-        ( parse_uri
+-          ( controlURLPath, strlen( controlURLPath ),
+-            &parsed_url_in ) == HTTP_SUCCESS ) ) {
+    if (!table || !controlURLPath) {
+      return NULL;
+    }
+    if (parse_uri(controlURLPath, strlen(controlURLPath), &parsed_url_in) ==
+        HTTP_SUCCESS) {
+         finger = table->serviceList;
+         while( finger ) {
+             if( finger->controlURL )
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb
index 339c07cd96..828e351be6 100644
--- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb
+++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb
@@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=394a0f17b97f33426275571e15920434"
 PV = "1.8.4+git${SRCPV}"
 # release-1.8.4
 SRCREV = "d5a01fc9895daae98a0c5a8c7d3afce46add529d"
-SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https"
+SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https \
+           file://CVE-2020-13848.patch"
 S="${WORKDIR}/git"
author	Andrej Kozemcak <andrej.kozemcak@siemens.com>	2021-04-23 09:58:11 +0200
committer	Armin Kuster <akuster808@gmail.com>	2021-04-23 19:13:09 -0700
commit	c1a50683225b0bf10f8d7a18280acefa7469ecc2 (patch)
tree	2a68fed2c96d89d69235a618658c0131f9d6d8ce
parent	d126440422d9585ea400c04b29b0f3e0a07c05c8 (diff)
download	meta-openembedded-c1a50683225b0bf10f8d7a18280acefa7469ecc2.tar.gz

diff --git a/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch b/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch new file mode 100644 index 0000000000..695a2c94f0 --- /dev/null +++ b/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch
@@ -0,0 +1,75 @@
		1	From c805c1de1141cb22f74c0d94dd5664bda37398e0 Mon Sep 17 00:00:00 2001
		2	From: Marcelo Roberto Jimenez <marcelo.jimenez@gmail.com>
		3	Date: Thu, 4 Jun 2020 12:03:03 -0300
		4	Subject: [PATCH] Fixes #177: NULL pointer dereference in
		5	FindServiceControlURLPath
		6
		7	Also fixes its dual bug in FindServiceEventURLPath.
		8
		9	Reference:
		10	https://nvd.nist.gov/vuln/detail/CVE-2020-13848
		11
		12	Upstream-Status: Accepted [https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0]
		13	CVE: CVE-2020-13848
		14	Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
		15
		16	---
		17	ChangeLog \| 6 ++++++
		18	upnp/src/genlib/service_table/service_table.c \| 16 ++++++++++------
		19	2 files changed, 16 insertions(+), 6 deletions(-)
		20	diff --git a/ChangeLog b/ChangeLog
		21	index 4a956fc..265d268 100644
		22	--- a/ChangeLog
		23	+++ b/ChangeLog
		24	@@ -2,6 +2,12 @@
		25	Version 1.8.4
		26	*******************************************************************************
		27
		28	+2020-06-04 Patrik Lantz pjlantz(at)github
		29	+
		30	+ Fixes #177
		31	+
		32	+ NULL pointer dereference in FindServiceControlURLPath
		33	+
		34	2017-11-17 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
		35
		36	GitHub #57 - 1.8.3 broke ABI without changing SONAME
		37	diff --git a/upnp/src/genlib/service_table/service_table.c b/upnp/src/genlib/service_table/service_table.c
		38	index 98c2c0f..f3ee4e5 100644
		39	--- a/upnp/src/genlib/service_table/service_table.c
		40	+++ b/upnp/src/genlib/service_table/service_table.c
		41	@@ -300,12 +300,11 @@ FindServiceEventURLPath( service_table * table,
		42	uri_type parsed_url;
		43	uri_type parsed_url_in;
		44
		45	- if( ( table )
		46	- &&
		47	- ( parse_uri( eventURLPath,
		48	- strlen( eventURLPath ),
		49	- &parsed_url_in ) == HTTP_SUCCESS ) ) {
		50	-
		51	+ if (!table \|\| !eventURLPath) {
		52	+ return NULL;
		53	+ }
		54	+ if (parse_uri(eventURLPath, strlen(eventURLPath), &parsed_url_in) ==
		55	+ HTTP_SUCCESS) {
		56	finger = table->serviceList;
		57	while( finger ) {
		58	if( finger->eventURL )
		59	@@ -352,11 +351,11 @@ FindServiceControlURLPath( service_table * table,
		60	uri_type parsed_url;
		61	uri_type parsed_url_in;
		62
		63	- if( ( table )
		64	- &&
		65	- ( parse_uri
		66	- ( controlURLPath, strlen( controlURLPath ),
		67	- &parsed_url_in ) == HTTP_SUCCESS ) ) {
		68	+ if (!table \|\| !controlURLPath) {
		69	+ return NULL;
		70	+ }
		71	+ if (parse_uri(controlURLPath, strlen(controlURLPath), &parsed_url_in) ==
		72	+ HTTP_SUCCESS) {
		73	finger = table->serviceList;
		74	while( finger ) {
		75	if( finger->controlURL )


diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb index 339c07cd96..828e351be6 100644 --- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb +++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb
@@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=394a0f17b97f33426275571e15920434"
12	PV = "1.8.4+git${SRCPV}"	12	PV = "1.8.4+git${SRCPV}"
13	# release-1.8.4	13	# release-1.8.4
14	SRCREV = "d5a01fc9895daae98a0c5a8c7d3afce46add529d"	14	SRCREV = "d5a01fc9895daae98a0c5a8c7d3afce46add529d"
15	SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https"	15	SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https \
		16	file://CVE-2020-13848.patch"
16		17
17	S="${WORKDIR}/git"	18	S="${WORKDIR}/git"
18		19