diff options
Diffstat (limited to 'meta-multimedia/recipes-connectivity/libupnp')
-rw-r--r-- | meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch | 57 | ||||
-rw-r--r-- | meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb | 1 |
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch new file mode 100644 index 000000000..abb4a72a4 --- /dev/null +++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | libupnp-1.6.19: Fix CVE-2016-8863 | ||
2 | |||
3 | [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1388771 | ||
4 | |||
5 | gena_device: Fix out-of-bound access in create_url_list() | ||
6 | |||
7 | If there is an invalid URL in URLS->buf after a valid one, uri_parse is | ||
8 | called with out pointing after the allocated memory. As uri_parse writes | ||
9 | to *out before returning an error the loop in create_url_list must be | ||
10 | stopped early to prevent an out-of-bound access | ||
11 | |||
12 | Upstream-Status: Backported [https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7] | ||
13 | CVE: CVE-2016-8863 | ||
14 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> | ||
15 | Signed-off-by: Pascal Bach <pascal.bach@siemens.com> | ||
16 | |||
17 | diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c | ||
18 | index 39edc0b..0fd60ad 100644 | ||
19 | --- a/upnp/src/gena/gena_device.c | ||
20 | +++ b/upnp/src/gena/gena_device.c | ||
21 | @@ -1133,7 +1133,7 @@ static int create_url_list( | ||
22 | /*! [out] . */ | ||
23 | URL_list *out) | ||
24 | { | ||
25 | - size_t URLcount = 0; | ||
26 | + size_t URLcount = 0, URLcount2 = 0; | ||
27 | size_t i; | ||
28 | int return_code = 0; | ||
29 | uri_type temp; | ||
30 | @@ -1175,16 +1175,23 @@ static int create_url_list( | ||
31 | } | ||
32 | memcpy( out->URLs, URLS->buff, URLS->size ); | ||
33 | out->URLs[URLS->size] = 0; | ||
34 | - URLcount = 0; | ||
35 | for( i = 0; i < URLS->size; i++ ) { | ||
36 | if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) { | ||
37 | if( ( ( return_code = | ||
38 | parse_uri( &out->URLs[i + 1], URLS->size - i + 1, | ||
39 | - &out->parsedURLs[URLcount] ) ) == | ||
40 | + &out->parsedURLs[URLcount2] ) ) == | ||
41 | HTTP_SUCCESS ) | ||
42 | - && ( out->parsedURLs[URLcount].hostport.text.size != | ||
43 | + && ( out->parsedURLs[URLcount2].hostport.text.size != | ||
44 | 0 ) ) { | ||
45 | - URLcount++; | ||
46 | + URLcount2++; | ||
47 | + if (URLcount2 >= URLcount) | ||
48 | + /* | ||
49 | + * break early here in case there is a bogus URL that | ||
50 | + * was skipped above. This prevents to access | ||
51 | + * out->parsedURLs[URLcount] which is beyond the | ||
52 | + * allocation. | ||
53 | + */ | ||
54 | + break; | ||
55 | } else { | ||
56 | if( return_code == UPNP_E_OUTOF_MEMORY ) { | ||
57 | free( out->URLs ); | ||
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb index 133a8ebd5..71fc70dd1 100644 --- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb +++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb | |||
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b3190d5244e08e78e4c8ee78544f4863" | |||
11 | SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \ | 11 | SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \ |
12 | file://avoid-redefining-strnlen-and-strndup.patch \ | 12 | file://avoid-redefining-strnlen-and-strndup.patch \ |
13 | file://sepbuildfix.patch \ | 13 | file://sepbuildfix.patch \ |
14 | file://CVE-2016-8863.patch \ | ||
14 | " | 15 | " |
15 | 16 | ||
16 | SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd" | 17 | SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd" |