unofficial mirror of guix-devel@gnu.org 
From: Leo Famulari <leo@famulari.name>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 1/1] gnu: libupnp: Fix CVE-2016-6255.
Date: Sun, 9 Oct 2016 15:58:46 -0400
Message-ID: <20161009195846.GA19259@jasmine>
In-Reply-To: <8760p5jmzh.fsf@gnu.org>

On Thu, Oct 06, 2016 at 09:28:34PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > +From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001
> > +From: Matthew Garrett <mjg59@srcf.ucam.org>
> > +Date: Tue, 23 Feb 2016 13:53:20 -0800
> > +Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
> > + default
> > +
> > +If there's no registered handler for a POST request, the default behaviour
> > +is to write it to the filesystem. Several million deployed devices appear
> > +to have this behaviour, making it possible to (at least) store arbitrary
> > +data on them. Add a configure option that enables this behaviour, and change
> > +the default to just drop POSTs that aren't directly handled.
> 
> Fun.  :-)

Tons!

> > +diff --git a/configure.ac b/configure.ac
> > +index 9548913..a8731b5 100644
> > +--- a/configure.ac
> > ++++ b/configure.ac
> 
> Shouldn’t it require an autoreconf phase?

Right, it would...

> I would suggest shrinking this patch to just:
> 
> > +--- a/upnp/src/genlib/net/http/webserver.c
> > ++++ b/upnp/src/genlib/net/http/webserver.c
> > +@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage(
> > + 		if (Fp == NULL)
> > + 			return HTTP_INTERNAL_SERVER_ERROR;
> > + 	} else {
> > ++#ifdef UPNP_ENABLE_POST_WRITE
> > + 		Fp = fopen(filename, "wb");
> > + 		if (Fp == NULL)
> > + 			return HTTP_UNAUTHORIZED;
> > ++#else
> > ++		return HTTP_NOT_FOUND;
> > ++#endif
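
Review bot: the `fopen(filename, "wb")` call kept under `#ifdef UPNP_ENABLE_POST_WRITE` still opens and truncates whatever path `filename` holds, and nothing in these lines checks that path, so a build that defines the macro keeps the old write-to-disk behaviour unchanged. A short comment above the `#ifdef` stating that the macro re-enables writing unhandled POST bodies to the filesystem, and that it is off by default because of CVE-2016-6255, would keep a packager from switching it on without knowing what it does. The `return HTTP_NOT_FOUND;` in the `#else` branch matches the direct `return HTTP_INTERNAL_SERVER_ERROR;` a few lines above, so the early return itself is consistent with the surrounding code.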
> 
> … with “#if 0” instead of “#ifdef UPNP_ENABLE_POST_WRITE”.
> 
> WDYT?

I agree. Let's disable it unconditionally for now. When upstream cuts a
new release, the conditional feature handling will make it into our
package.

Thanks for the careful review.

> Feel free to commit adjusted as you see fit!

Done as 9e672bcc0b61a007ea29858517b58896dc1b9449
