Hi,
attached is a patch for a 0-day NMU that fixes the described issue.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u gupnp-0.12.6/debian/changelog gupnp-0.12.6/debian/changelog --- gupnp-0.12.6/debian/changelog +++ gupnp-0.12.6/debian/changelog @@ -1,3 +1,11 @@ +gupnp (0.12.6-3.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix remote denial of service that can be triggered via an action + without any content (CVE-2009-2174; Closes: #534594). + + -- Nico Golde <n...@debian.org> Wed, 01 Jul 2009 13:10:13 +0200 + gupnp (0.12.6-3) unstable; urgency=low * Bump libglib2.0 build dependency (Closes: #517393) only in patch2: unchanged: --- gupnp-0.12.6.orig/libgupnp/gupnp-service.c +++ gupnp-0.12.6/libgupnp/gupnp-service.c @@ -676,6 +676,7 @@ const char *soap_action, *action_name; char *end; GUPnPServiceAction *action; + goffset length; service = GUPNP_SERVICE (user_data); @@ -685,6 +686,12 @@ return; } + length = soup_message_headers_get_content_length (msg->request_headers); + if (length == 0) { + soup_message_set_status (msg, SOUP_STATUS_BAD_REQUEST); + return; + } + context = gupnp_service_info_get_context (GUPNP_SERVICE_INFO (service)); /* Get action name */ @@ -706,6 +713,10 @@ /* Parse action_node */ doc = xmlRecoverMemory (msg->request_body->data, msg->request_body->length); + if (doc == NULL) { + soup_message_set_status (msg, SOUP_STATUS_BAD_REQUEST); + return; + } action_node = xml_util_get_element ((xmlNode *) doc, "Envelope", "Body",
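Review bot: in the @@ -685,6 +686,12 @@ hunk of libgupnp/gupnp-service.c, the new guard tests the length declared in the request headers (soup_message_headers_get_content_length (msg->request_headers)), not the buffer that the later xmlRecoverMemory call parses (msg->request_body->data, msg->request_body->length). These are two separate values, so the guard can accept or reject a request independently of what the parser will actually receive. Suggest testing msg->request_body->length == 0 here instead, so that the check and the parser look at the same data, and adding a short comment that names the empty-action case from the changelog entry.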
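Review bot: in the @@ -706,6 +713,10 @@ hunk, the doc == NULL branch is what protects the xml_util_get_element ((xmlNode *) doc, ...) call, but it carries no comment and answers with the same bare SOUP_STATUS_BAD_REQUEST as the earlier length check, so the two rejection paths cannot be told apart when debugging. Suggest a one-line comment stating that xmlRecoverMemory returned no document, and a warning or debug message on this path. It is also worth confirming that action_node, the result of xml_util_get_element, is checked for NULL before use when the body parses but has no Envelope/Body element; the visible context does not show that check.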