authorIan Whyman <thev00d00@gentoo.org>2016-09-15 20:50:47 +0100
committerIan Whyman <thev00d00@gentoo.org>2016-09-15 20:51:16 +0100
commit84d8f21cc2ca94d4f4a3146302726bd1c8fd3f47 (patch)
tree7ff7fd24afaace2048fcea22913a723ab98bedf2 /net-libs/libupnp
parenta8e9e2e3b3e3628b30a5169a3794e4f739ef4de7 (diff)
net-libs/libupnp: Bump to 1.6.20, fix #546616
Diffstat (limited to 'net-libs/libupnp')
-rw-r--r--net-libs/libupnp/Manifest1
-rw-r--r--net-libs/libupnp/files/CVE-2016-6255.patch65
-rw-r--r--net-libs/libupnp/libupnp-1.6.20.ebuild48
3 files changed, 114 insertions, 0 deletions
diff --git a/net-libs/libupnp/Manifest b/net-libs/libupnp/Manifest
index a63cd0ce67c..e5a9f40ce47 100644
--- a/net-libs/libupnp/Manifest
+++ b/net-libs/libupnp/Manifest
@@ -1,2 +1,3 @@
DIST libupnp-1.6.18.tar.bz2 1201056 SHA256 b21bc676365622d3ace1b25292dab8d4d23f6e6a80ddc8f029b765d39797e934 SHA512 2ce9b637a7edf544ae272aea137f735b03761a7925da0578e0073cf6429389f7f2af6cb05f666a02faa839caba3e1798ad31657afd287626b88905a5c45f3cb4 WHIRLPOOL b575b517fb668c5e3af78dc1bc95c1a202404beb42966400b3b1313a1fe0e6cb8437ce392af6ad6de4ccc90715c8df7cc34bf3d0b3b828af4e14f1cc8a5e0eda
DIST libupnp-1.6.19.tar.bz2 1213439 SHA256 b3142b39601243b50532eec90f4a27dba85eb86f58d4b849ac94edeb29d9b22a SHA512 97af62a7483cc19cfe80157cbc3383c1b4b7c9c39b848f4ed063784b74df0b9b0527f7b467e01451e0a44dbf9e8a9eab510619146a6ee1e3dce46f3e4af6e661 WHIRLPOOL fe3ed0115c76872b45eb3f16909e23c61b004f028b745be17346b94dffd7c90108420cf71f50f73aa4ef241403b65b9d1c72926af3044ffacdae11f9649dad68
+DIST libupnp-1.6.20.tar.bz2 1243637 SHA256 ee3537081e3ea56f66ada10387486823989210bc98002f098305551c966e3a63 SHA512 754a3f587963078fc60e8a58f6b04536dac03d053c8cd14d4fd7e505a3417484fa03b72dd09ef92150f00263f270aa19646b7aab1b8707111aff53c43f8a120a WHIRLPOOL df2702b30a9e895371ba0647bfdd017fd17b4478feb691efaf754618fa032cb8ba72317030960676584da44dfc144f8b9bd07218799b40c2afa7fdee28e8b164
diff --git a/net-libs/libupnp/files/CVE-2016-6255.patch b/net-libs/libupnp/files/CVE-2016-6255.patch
new file mode 100644
index 00000000000..1448ab30812
--- /dev/null
+++ b/net-libs/libupnp/files/CVE-2016-6255.patch
@@ -0,0 +1,65 @@
+From be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+---
+ configure.ac | 4 ++++
+ upnp/inc/upnpconfig.h.in | 5 +++++
+ upnp/src/genlib/net/http/webserver.c | 4 ++++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index dd88734..ea2bc09 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -482,6 +482,10 @@ if test "x$enable_scriptsupport" = xyes ; then
+ AC_DEFINE(IXML_HAVE_SCRIPTSUPPORT, 1, [see upnpconfig.h])
+ fi
+
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++ AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+
+diff --git a/upnp/inc/upnpconfig.h.in b/upnp/inc/upnpconfig.h.in
+index 46ddc6e..5df8c5a 100644
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -135,5 +135,10 @@
+ * (i.e. configure --enable-open_ssl) */
+ #undef UPNP_ENABLE_OPEN_SSL
+
++/** Defined to 1 if the library has been compiled to support filesystem writes on POST
++ * (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
++
+ #endif /* UPNP_CONFIG_H */
+
+diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
+index 8991c16..8b2ecf2 100644
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1369,9 +1369,13 @@ static int http_RecvPostMessage(
+ if (Fp == NULL)
+ return HTTP_INTERNAL_SERVER_ERROR;
+ } else {
++#ifdef UPNP_ENABLE_POST_WRITE
+ Fp = fopen(filename, "wb");
+ if (Fp == NULL)
+ return HTTP_UNAUTHORIZED;
++#else
++ return HTTP_NOT_FOUND;
++#endif
+ }
+ parser->position = POS_ENTITY;
+ do {
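Review bot: The opt-in branch of http_RecvPostMessage still calls `fopen(filename, "wb")` with no check in this hunk that the path stays inside the served directory. How `filename` is built lies outside the hunk (the function starts and ends beyond it), so that should be confirmed before anyone builds with the option enabled. The new upnpconfig.h.in comment describes the macro only as "support", so I would reword it to carry the warning: `/** Defined to 1 if unhandled POST requests may write files to disk (configure --enable-postwrite); re-enables the CVE-2016-6255 behaviour, leave undefined unless required */`. In the default build the early `return HTTP_NOT_FOUND;` leaves before the entity-reading loop, which looks intended but deserves a one-line comment such as `/* unhandled POST: reject without reading or storing the body */`.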
diff --git a/net-libs/libupnp/libupnp-1.6.20.ebuild b/net-libs/libupnp/libupnp-1.6.20.ebuild
new file mode 100644
index 00000000000..83c50e86c2f
--- /dev/null
+++ b/net-libs/libupnp/libupnp-1.6.20.ebuild
@@ -0,0 +1,48 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit eutils flag-o-matic autotools
+
+DESCRIPTION="An Portable Open Source UPnP Development Kit"
+HOMEPAGE="http://pupnp.sourceforge.net/"
+SRC_URI="mirror://sourceforge/pupnp/${P}.tar.bz2"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux"
+IUSE="debug doc ipv6 static-libs"
+
+DOCS="NEWS README ChangeLog"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.6.19-docs-install.patch
+ "${FILESDIR}"/CVE-2016-6255.patch
+)
+
+src_prepare() {
+ default
+
+ # fix tests
+ chmod +x ixml/test/test_document.sh || die
+
+ eautoreconf
+}
+
+src_configure() {
+ use x86-fbsd && append-flags -O1
+ # w/o docdir to avoid sandbox violations
+ econf \
+ $(use_enable debug) \
+ $(use_enable ipv6) \
+ $(use_enable static-libs static) \
+ $(use_with doc documentation "${EPREFIX}/usr/share/doc/${PF}")
+}
+
+src_install () {
+ default
+ dobin upnp/sample/.libs/tv_{combo,ctrlpt,device}
+ use static-libs || prune_libtool_files
+}
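Review bot: src_configure never mentions the new switch, so the build depends entirely on the `[no]` default that CVE-2016-6255.patch adds to configure.ac. I would pin it in the econf list with `--disable-postwrite \` and a comment such as `# CVE-2016-6255: keep unhandled-POST filesystem writes off`, so that a later bump which drops or changes the patch cannot silently flip the behaviour. The `eautoreconf` in src_prepare is what makes the patched configure.ac take effect, and a short comment there (`# needed: CVE-2016-6255.patch touches configure.ac`) would stop it being removed as redundant.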