From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 1/1] gnu: libupnp: Fix CVE-2016-6255.
Date: Thu, 06 Oct 2016 21:28:34 +0200 [thread overview]
Message-ID: <8760p5jmzh.fsf@gnu.org> (raw)
In-Reply-To: <fa917307ad0877575e221960b71b2c09c8b35ab9.1475734564.git.leo@famulari.name> (Leo Famulari's message of "Thu, 6 Oct 2016 02:16:27 -0400")
Leo Famulari <leo@famulari.name> skribis:
> * gnu/packages/patches/libupnp-CVE-2016-6255.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/libupnp.scm (libupnp): Use it.
[...]
> +From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001
> +From: Matthew Garrett <mjg59@srcf.ucam.org>
> +Date: Tue, 23 Feb 2016 13:53:20 -0800
> +Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
> + default
> +
> +If there's no registered handler for a POST request, the default behaviour
> +is to write it to the filesystem. Several million deployed devices appear
> +to have this behaviour, making it possible to (at least) store arbitrary
> +data on them. Add a configure option that enables this behaviour, and change
> +the default to just drop POSTs that aren't directly handled.
Fun. :-)
> +diff --git a/configure.ac b/configure.ac
> +index 9548913..a8731b5 100644
> +--- a/configure.ac
> ++++ b/configure.ac
Shouldn’t it require an autoreconf phase?
I would suggest shrinking this patch to just:
> +--- a/upnp/src/genlib/net/http/webserver.c
> ++++ b/upnp/src/genlib/net/http/webserver.c
> +@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage(
> + if (Fp == NULL)
> + return HTTP_INTERNAL_SERVER_ERROR;
> + } else {
> ++#ifdef UPNP_ENABLE_POST_WRITE
> + Fp = fopen(filename, "wb");
> + if (Fp == NULL)
> + return HTTP_UNAUTHORIZED;
> ++#else
> ++ return HTTP_NOT_FOUND;
> ++#endif
… with “#if 0” instead of “#ifdef UPNP_ENABLE_POST_WRITE”.
WDYT?
Feel free to commit adjusted as you see fit!
Thanks,
Ludo’.
next prev parent reply other threads:[~2016-10-06 19:28 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-06 6:16 (unknown), Leo Famulari
2016-10-06 6:16 ` [PATCH 1/1] gnu: libupnp: Fix CVE-2016-6255 Leo Famulari
2016-10-06 19:28 ` Ludovic Courtès [this message]
2016-10-09 19:58 ` Leo Famulari
2016-10-06 7:22 ` CVE-2016-6255 Efraim Flashner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8760p5jmzh.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).