From: Efraim Flashner
Subject: Re: CVE-2016-6255
Date: Thu, 6 Oct 2016 10:22:17 +0300
Message-ID: <20161006072216.GB32620@macbook42.flashner.co.il>
To: Leo Famulari
Cc: guix-devel@gnu.org

On Thu, Oct 06, 2016 at 02:16:26AM -0400, Leo Famulari wrote:
> Subject: [PATCH 0/1] libupnp remote filesystem access CVE-2016-6255
>
> You can use libupnp on a remote server to read and write the filesystem
> with the privileges of the libupnp process:
>
> http://seclists.org/oss-sec/2016/q3/102
>
> This patch cherry-picks the upstream commit:
>
> https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5
>
> Leo Famulari (1):
>   gnu: libupnp: Fix CVE-2016-6255.
>
>  gnu/local.mk                                     |  1 +
>  gnu/packages/libupnp.scm                         |  2 +
>  gnu/packages/patches/libupnp-CVE-2016-6255.patch | 86 ++++++++++++++++++++++++
>  3 files changed, 89 insertions(+)
>  create mode 100644 gnu/packages/patches/libupnp-CVE-2016-6255.patch
>
> --
> 2.10.1
>

Looks good to me

-- 
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted