[Buildroot] [PATCH 1/2] libupnp: add upstream security fix for CVE-2016-6255

Thomas Petazzoni thomas.petazzoni at free-electrons.com
Mon Dec 19 21:30:22 UTC 2016


On Mon, 19 Dec 2016 14:13:23 +0100, Peter Korsgaard wrote:
> If there's no registered handler for a POST request, the default behaviour
> is to write it to the filesystem. Several million deployed devices appear
> to have this behaviour, making it possible to (at least) store arbitrary
> data on them. Add a configure option that enables this behaviour, and change
> the default to just drop POSTs that aren't directly handled.
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ---
>  ...-unhandled-POSTs-to-write-to-the-filesyst.patch | 73 ++++++++++++++++++++++
>  package/libupnp/libupnp.mk                         |  2 +
>  2 files changed, 75 insertions(+)
>  create mode 100644 package/libupnp/0001-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch

I've applied both to master, thanks!

I have to say that these security issues are terrible. The first one
because the feature by itself is really silly and one may wonder why
someone would implement such a feature in the first place. The second
one because when you see what the URL parsing code looks like, no
wonder why there are some security bugs in it...

Best regards,

Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering