[20.09] libupnp: add patch for CVE-2020-13848

[risicle]

Motivation for this change

This is not a fix for CVE-2021-29462 as handled for master in #120060.

This is a fix for its predecessor https://nvd.nist.gov/vuln/detail/CVE-2020-13848 which allows a network attacker to cause a crash via a null pointer dereference. Patch sourced from debian's 1.6.19+git20160116-1.2+deb9u1 (no, not available via any web link that I can find).

I haven't attempted to address CVE-2021-29462 because:

• Bumping to the fixed 1.14.6 breaks reverse dependencies amule and gmrender-resurrect as it appears to introduce API changes.
• Though backporting the patch may be fairly easy, the fix doesn't come with a test and it doesn't appear tremendously easy to test the code in question (it's hard to find downstream packages that actually use its miniserver functionality).
• Being vulnerable to CVE-2021-29462 "merely" means that a upnp server run by pupnp doesn't have a proactive mitigation against being used as the target of a dns rebinding attack on other systems on the network. Arguably for such an attack to be possible there would need to be weaknesses present in other components used on the network.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[r-rmcgibbo]

Result of nixpkgs-review pr 120543 at 85b5413f run on aarch64-linux 1

6 packages marked as broken and skipped:

• libsForQt512.elisa
• obs-linuxbrowser
• obs-ndi
• retroshare
• retroshare06
• ring-daemon

2 packages failed to build:

• liblinphone
• linphone

5 packages skipped due to time constraints:

• amuleGui
• megaglest
• minitube
• strawberry
• vlc (vlc_qt5)

18 packages built successfully:

• amule
• amuleDaemon
• gmrender-resurrect
• libsForQt5.elisa (kdeApplications.elisa ,libsForQt515.elisa)
• libsForQt5.phonon-backend-vlc (libsForQt515.phonon-backend-vlc)
• libsForQt512.phonon-backend-vlc
• libsForQt514.elisa
• libsForQt514.phonon-backend-vlc
• libupnp
• libvlc
• mediastreamer
• mediastreamer-openh264
• msilbc
• pympress
• python27Packages.python-vlc
• python37Packages.python-vlc
• python38Packages.python-vlc
• tribler

2 suggestions:

• warning: maintainers-missing

  Package does not have a maintainer. Consider adding yourself?

  Near pkgs/development/libraries/pupnp/default.nix:23:3:

     |
  23 |   meta = {
     |   ^
  

• warning: missing-patch-comment

  Please add a comment on the line above, explaining the purpose of this patch.
  Near pkgs/development/libraries/pupnp/default.nix:16:5:

     |
  16 |     ./CVE-2020-13848.patch
     |     ^
  

Note that build failures may predate this PR, and could be nondeterministic or hardware dependent.
Please exercise your independent judgement.

---

Result of nixpkgs-review pr 120543 at 85b5413f run on x86_64-linux 1

4 packages marked as broken and skipped:

• libsForQt512.elisa
• retroshare
• retroshare06
• ring-daemon

1 package failed to build:

• obs-ndi

4 packages skipped due to time constraints:

• megaglest
• minitube
• strawberry
• vlc (vlc_qt5)

25 packages built successfully:

• amule
• amuleDaemon
• amuleGui
• gmrender-resurrect
• libsForQt5.elisa (kdeApplications.elisa ,libsForQt515.elisa)
• liblinphone
• libsForQt5.phonon-backend-vlc (libsForQt515.phonon-backend-vlc)
• libsForQt512.phonon-backend-vlc
• libsForQt514.elisa
• libsForQt514.phonon-backend-vlc
• libupnp
• libvlc
• linphone
• mediastreamer
• mediastreamer-openh264
• msilbc
• obs-linuxbrowser
• obs-studio
• obs-v4l2sink
• obs-wlrobs
• pympress
• python27Packages.python-vlc
• python37Packages.python-vlc
• python38Packages.python-vlc
• tribler

2 suggestions:

• warning: maintainers-missing

  Package does not have a maintainer. Consider adding yourself?

  Near pkgs/development/libraries/pupnp/default.nix:23:3:

     |
  23 |   meta = {
     |   ^
  

• warning: missing-patch-comment

  Please add a comment on the line above, explaining the purpose of this patch.
  Near pkgs/development/libraries/pupnp/default.nix:16:5:

     |
  16 |     ./CVE-2020-13848.patch
     |     ^
  

Note that build failures may predate this PR, and could be nondeterministic or hardware dependent.
Please exercise your independent judgement.

[SuperSandro2000]

Does the upstream patch not cleanly apply? Maybe we can ignore the changelog file?

[risicle]

No, upstream had handily done a bunch of reformatting in this file inbetween 1.12 and this fix.