Merge pull request #120543 from risicle/ris-libupnp-CVE-2020-13848-r2…

…0.09
NixOS · Apr 27, 2021 · 17b101e · 17b101e
2 parents 7dc6998 + 85b5413
commit 17b101e
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 0 deletions.
diff --git a/pkgs/development/libraries/pupnp/CVE-2020-13848.patch b/pkgs/development/libraries/pupnp/CVE-2020-13848.patch
@@ -0,0 +1,50 @@
+Description: CVE-2020-13848
+ remote attackers to cause a denial of service (crash) via a crafted
+ SSDP message due to a NULL pointer dereference in the functions
+ FindServiceControlURLPath and FindServiceEventURLPath in
+ genlib/service_table/service_table.c
+
+---
+Origin: https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0
+Author: Abhijith PA <abhijith@debian.org>
+Bug: https://github.com/pupnp/pupnp/issues/177
+Bug-Debian: https://bugs.debian.org/962282
+Last-Update: 2020-06-07
+
+--- a/upnp/src/genlib/service_table/service_table.c
++++ b/upnp/src/genlib/service_table/service_table.c
+@@ -299,12 +299,11 @@
+     uri_type parsed_url;
+     uri_type parsed_url_in;
+
+-    if( ( table )
+-        &&
+-        ( parse_uri( eventURLPath,
+-                     strlen( eventURLPath ),
+-                     &parsed_url_in ) == HTTP_SUCCESS ) ) {
+-
++    if (!table || !eventURLPath) {
++           return NULL;
++    }
++    if (parse_uri(eventURLPath, strlen(eventURLPath), &parsed_url_in) ==
++        HTTP_SUCCESS) {
+         finger = table->serviceList;
+         while( finger ) {
+             if( finger->eventURL )
+@@ -351,11 +350,11 @@
+     uri_type parsed_url;
+     uri_type parsed_url_in;
+
+-    if( ( table )
+-        &&
+-        ( parse_uri
+-          ( controlURLPath, strlen( controlURLPath ),
+-            &parsed_url_in ) == HTTP_SUCCESS ) ) {
++    if (!table || !controlURLPath) {
++           return NULL;
++    }
++    if (parse_uri(controlURLPath, strlen(controlURLPath), &parsed_url_in) ==
++        HTTP_SUCCESS) {
+         finger = table->serviceList;
+         while( finger ) {
+             if( finger->controlURL )
diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix
@@ -12,6 +12,10 @@ stdenv.mkDerivation rec {
   };
   outputs = [ "dev" "out" ];
 
+  patches = [
+    ./CVE-2020-13848.patch
+  ];
+
   nativeBuildInputs = [ autoreconfHook pkg-config ];
 
   hardeningDisable = [ "fortify" ];