[20.09] libupnp: add patch for CVE-2020-13848 #120543
Conversation
Patch sourced from Debian's 1.6.19+git20160116-1.2+deb9u1
Result of nixpkgs-review:
- 6 packages marked as broken and skipped
- 2 packages failed to build
- 5 packages skipped due to time constraints
- 18 packages built successfully
- 2 suggestions

Note that build failures may predate this PR, and could be nondeterministic or hardware dependent.

Result of nixpkgs-review:
- 4 packages marked as broken and skipped
- 1 package failed to build
- 4 packages skipped due to time constraints
- 25 packages built successfully
- 2 suggestions

Note that build failures may predate this PR, and could be nondeterministic or hardware dependent.
Does the upstream patch not cleanly apply? Maybe we can ignore the changelog file?
No, upstream had handily done a bunch of reformatting in this file in between 1.12 and this fix.
Motivation for this change

This is not a fix for CVE-2021-29462 as handled for master in #120060. This is a fix for its predecessor, https://nvd.nist.gov/vuln/detail/CVE-2020-13848, which allows a network attacker to cause a crash via a null pointer dereference. Patch sourced from Debian's 1.6.19+git20160116-1.2+deb9u1 (no, not available via any web link that I can find).

I haven't attempted to address CVE-2021-29462 because:
- amule and gmrender-resurrect as it appears to introduce API changes.
- miniserver functionality).

Things done
- Tested using sandboxing (option sandbox in nix.conf on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)
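As an added illustration (not the PR's own diff, and not code from the nixpkgs or libupnp projects), this is the overlay form of what the PR description does: applying a locally obtained patch to libupnp so that dependents such as amule and gmrender-resurrect rebuild against the patched library. The filename ./CVE-2020-13848.patch is an assumption; the Debian patch itself is not on this page and has to be extracted from the Debian source package separately.

```nix
# Added example, not the PR's diff. Assumes the Debian patch has been saved
# next to this file as ./CVE-2020-13848.patch (hypothetical filename).
final: prev: {
  libupnp = prev.libupnp.overrideAttrs (old: {
    # Keep any patches the package already carries and append the CVE fix,
    # rather than replacing the list and silently dropping existing patches.
    patches = (old.patches or [ ]) ++ [ ./CVE-2020-13848.patch ];
  });
}
```

Build the patched library with `nix-build -E 'with import <nixpkgs> { overlays = [ (import ./overlay.nix) ]; }; libupnp'`; a patch that no longer applies cleanly (the reformatting problem mentioned in the review thread) fails at the patchPhase rather than producing an unpatched build. Running `nix path-info -S ./result` on the result before and after the overlay gives the closure-size comparison from the checklist, and substituting `amule` or `gmrender-resurrect` for `libupnp` in the same command confirms the dependents still build. In-tree, the PR form of this change adds the same file to the package's own patches list instead of using an overlay.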