Diffstat (limited to 'net-libs/libupnp/files/CVE-2016-6255.patch')
-rw-r--r-- | net-libs/libupnp/files/CVE-2016-6255.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/net-libs/libupnp/files/CVE-2016-6255.patch b/net-libs/libupnp/files/CVE-2016-6255.patch
new file mode 100644
index 00000000000..1448ab30812
--- /dev/null
+++ b/net-libs/libupnp/files/CVE-2016-6255.patch
@@ -0,0 +1,65 @@
+From be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+---
+ configure.ac | 4 ++++
+ upnp/inc/upnpconfig.h.in | 5 +++++
+ upnp/src/genlib/net/http/webserver.c | 4 ++++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index dd88734..ea2bc09 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -482,6 +482,10 @@ if test "x$enable_scriptsupport" = xyes ; then
+ AC_DEFINE(IXML_HAVE_SCRIPTSUPPORT, 1, [see upnpconfig.h])
+ fi
+
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++ AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+
+diff --git a/upnp/inc/upnpconfig.h.in b/upnp/inc/upnpconfig.h.in
+index 46ddc6e..5df8c5a 100644
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -135,5 +135,10 @@
+ * (i.e. configure --enable-open_ssl) */
+ #undef UPNP_ENABLE_OPEN_SSL
+
++/** Defined to 1 if the library has been compiled to support filesystem writes on POST
++ * (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
++
+ #endif /* UPNP_CONFIG_H */
+
+diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
+index 8991c16..8b2ecf2 100644
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1369,9 +1369,13 @@ static int http_RecvPostMessage(
+ if (Fp == NULL)
+ return HTTP_INTERNAL_SERVER_ERROR;
+ } else {
++#ifdef UPNP_ENABLE_POST_WRITE
+ Fp = fopen(filename, "wb");
+ if (Fp == NULL)
+ return HTTP_UNAUTHORIZED;
++#else
++ return HTTP_NOT_FOUND;
++#endif
+ }
+ parser->position = POS_ENTITY;
+ do { |
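Review bot: With `--enable-postwrite` the `fopen(filename, "wb")` branch in http_RecvPostMessage is kept exactly as it was, so a build that opts in gets back the unauthenticated filesystem write this patch exists to close. Nothing in the hunk constrains `filename`, and how it is derived lies outside the visible lines. I would say this at the guard, e.g. `/* UPNP_ENABLE_POST_WRITE restores writing unhandled POST bodies to disk (CVE-2016-6255); keep it off unless every client is trusted. */`, and repeat the warning in the configure help string and the upnpconfig.h.in comment. The `#else` branch returns `HTTP_NOT_FOUND` before the entity loop runs, so it is worth confirming that the caller closes the connection rather than treating the unread request body as the start of a next request. The function begins and ends outside the hunk, so both points need checking against the full body.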