Hi,
attached is a patch for a 0-day NMU that fixes the described 
issue.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u gupnp-0.12.6/debian/changelog gupnp-0.12.6/debian/changelog
--- gupnp-0.12.6/debian/changelog
+++ gupnp-0.12.6/debian/changelog
@@ -1,3 +1,11 @@
+gupnp (0.12.6-3.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix remote denial of service that can be triggered via an action
+    without any content (CVE-2009-2174; Closes: #534594).
+
+ -- Nico Golde <n...@debian.org>  Wed, 01 Jul 2009 13:10:13 +0200
+
 gupnp (0.12.6-3) unstable; urgency=low
 
   * Bump libglib2.0 build dependency (Closes: #517393)
only in patch2:
unchanged:
--- gupnp-0.12.6.orig/libgupnp/gupnp-service.c
+++ gupnp-0.12.6/libgupnp/gupnp-service.c
@@ -676,6 +676,7 @@
         const char *soap_action, *action_name;
         char *end;
         GUPnPServiceAction *action;
+        goffset length;
 
         service = GUPNP_SERVICE (user_data);
 
@@ -685,6 +686,12 @@
                 return;
         }
 
+        length = soup_message_headers_get_content_length (msg->request_headers);
+        if (length == 0) {
+            soup_message_set_status (msg, SOUP_STATUS_BAD_REQUEST);
+            return;
+        }
+
         context = gupnp_service_info_get_context (GUPNP_SERVICE_INFO (service));
 
         /* Get action name */
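Review bot: The empty-request guard tests the declared Content-Length header rather than the body that was actually received, which is what the xmlRecoverMemory() call further down parses. As far as I know, soup_message_headers_get_content_length() returns 0 for any request whose encoding is not Content-Length (chunked, for example), so such a request would get a 400 even when it carries a valid body. Testing the received body keeps the guard aligned with the parser input: `if (msg->request_body->length == 0) {`, which also makes the `goffset length` local added in the first gupnp-service.c hunk unnecessary. As a style point, the added statements here and in the `doc == NULL` hunk are indented four columns inside the `if`, while the surrounding code steps by eight. The enclosing function starts and ends outside this hunk.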
@@ -706,6 +713,10 @@
         /* Parse action_node */
         doc = xmlRecoverMemory (msg->request_body->data,
                                 msg->request_body->length);
+        if (doc == NULL) {
+            soup_message_set_status (msg, SOUP_STATUS_BAD_REQUEST);
+            return;
+        }
         action_node = xml_util_get_element ((xmlNode *) doc,
                                             "Envelope",
                                             "Body",

Attachment: pgptS5nZhguc7.pgp
Description: PGP signature
