!3 Upgrade to 1.2.4, fix CVE-2021-33516

From: @weijin-deng Reviewed-by: @dwl301,@small_leek Signed-off-by: @small_leek
2021-06-15 06:06:53 +00:00 · 2021-06-15 06:06:53 +00:00 · 306be5f6fa
commit 306be5f6fa
parent b292abe0c3 2b4129153c
4 changed files with 146 additions and 19 deletions
--- a/CVE-2021-33516.patch
+++ b/CVE-2021-33516.patch
@ -0,0 +1,118 @@
 From 697ab5b579debf4b9e0f39143b352877e8af3aad Mon Sep 17 00:00:00 2001
 From: Jens Georg <mail@jensge.org>
 Date: Mon, 10 May 2021 10:34:36 +0200
 Subject: [PATCH] service: Validate host header
 Make sure that the host header matches the ip:port of the context.
 This is in line with UDA (Host header is required and must match the
 location url) and DLNA 7.2.24.1 (All communication has to use ip
 addresses and not names)
 Prevents DNS rebinding attacs against agains UPnP services
 ---
 libgupnp/gupnp-context-private.h |  3 ++
 libgupnp/gupnp-context.c         | 51 ++++++++++++++++++++++++++++++++
 libgupnp/gupnp-service.c         | 13 ++++++++
 3 files changed, 67 insertions(+)
 diff --git a/libgupnp/gupnp-context-private.h b/libgupnp/gupnp-context-private.h
 index 6aa1acd..2657c71 100644
 --- a/libgupnp/gupnp-context-private.h
 +++ b/libgupnp/gupnp-context-private.h
@@ -36,6 +36,9 @@ _gupnp_context_add_server_handler_with_data (GUPnPContext *context,
                                              const char *path,
                                              AclServerHandler *data);
 +G_GNUC_INTERNAL gboolean
 +gupnp_context_validate_host_header (GUPnPContext *context, const char *host);
 +
 G_GNUC_INTERNAL SoupURI *
 gupnp_context_rewrite_uri_to_uri (GUPnPContext *context,
                                   const char   *uri);
 diff --git a/libgupnp/gupnp-context.c b/libgupnp/gupnp-context.c
 index 460179e..1901798 100644
 --- a/libgupnp/gupnp-context.c
 +++ b/libgupnp/gupnp-context.c
@@ -1609,6 +1609,57 @@ gupnp_context_remove_server_handler (GUPnPContext *context, const char *path)
         soup_server_remove_handler (priv->server, path);
 }
 +gboolean
 +gupnp_context_validate_host_header (GUPnPContext *context,
 +                                    const char *host_header)
 +{
 +        gboolean retval = FALSE;
 +        // Be lazy and let GUri do the heavy lifting here, such as stripping the
 +        // [] from v6 addresses, splitting of the port etc.
 +        char *uri_from_host = g_strconcat ("http://", host_header, NULL);
 +
 +        char *host = NULL;
 +        int port = 0;
 +        GError *error = NULL;
 +
 +        g_uri_split_network (uri_from_host,
 +                             G_URI_FLAGS_NONE,
 +                             NULL,
 +                             &host,
 +                             &port,
 +                             &error);
 +
 +        if (error != NULL) {
 +                g_debug ("Failed to parse HOST header from request: %s",
 +                         error->message);
 +                goto out;
 +        }
 +
 +        const char *host_ip = gssdp_client_get_host_ip (GSSDP_CLIENT (context));
 +        gint context_port = gupnp_context_get_port (context);
 +
 +        if (!g_str_equal (host, host_ip)) {
 +                g_debug ("Mismatch between host header and host IP (%s, "
 +                         "expected: %s)",
 +                         host,
 +                         host_ip);
 +        }
 +
 +        if (port != context_port) {
 +                g_debug ("Mismatch between host header and host port (%d, "
 +                         "expected %d)",
 +                         port,
 +                         context_port);
 +        }
 +
 +        retval = g_str_equal (host, host_ip) && port == context_port;
 +
 +out:
 +        g_clear_error (&error);
 +        g_free (uri_from_host);
 +        return retval;
 +}
 +
 /**
  * gupnp_context_rewrite_uri:
  * @context: a #GUPnPContext
 diff --git a/libgupnp/gupnp-service.c b/libgupnp/gupnp-service.c
 index b061c34..ad9d40d 100644
 --- a/libgupnp/gupnp-service.c
 +++ b/libgupnp/gupnp-service.c
@@ -954,6 +954,19 @@ control_server_handler (SoupServer                      *server,
         context = gupnp_service_info_get_context (GUPNP_SERVICE_INFO (service));
 +        const char *host_header =
 +                soup_message_headers_get_one (msg->request_headers, "Host");
 +
 +        if (!gupnp_context_validate_host_header (context, host_header)) {
 +                g_warning ("Host header mismatch, expected %s:%d, got %s",
 +                           gssdp_client_get_host_ip (GSSDP_CLIENT (context)),
 +                           gupnp_context_get_port (context),
 +                           host_header);
 +
 +                soup_message_set_status (msg, SOUP_STATUS_PRECONDITION_FAILED);
 +                return;
 +        }
 +
         /* Get action name */
         soap_action = soup_message_headers_get_one (msg->request_headers,
                                                     "SOAPAction");
--- a/gupnp-1.0.3.tar.xz
+++ b/gupnp-1.0.3.tar.xz
--- a/gupnp-1.2.4.tar.xz
+++ b/gupnp-1.2.4.tar.xz
--- a/gupnp.spec
+++ b/gupnp.spec
@ -1,13 +1,14 @@
 Name:          gupnp
-Version:       1.0.3
+Version:       1.2.4
-Release:       2
+Release:       1
 Summary:       UPnP devices & control points creation framework
 License:       LGPLv2+
 URL:           http://www.gupnp.org/
-Source0:       http://download.gnome.org/sources/%{name}/1.0/%{name}-%{version}.tar.xz
+Source0:       http://download.gnome.org/sources/%{name}/1.2/%{name}-%{version}.tar.xz
 Patch0:        CVE-2021-33516.patch
-BuildRequires: gssdp-devel >= 0.14.15 gtk-doc gobject-introspection-devel >= 1.36
+BuildRequires: gssdp-devel >= 1.2.3 gtk-doc gobject-introspection-devel >= 1.36
-BuildRequires: libsoup-devel libxml2-devel libuuid-devel vala
+BuildRequires: libsoup-devel libxml2-devel libuuid-devel vala meson
 Requires:      dbus
 %description
@ -34,20 +35,20 @@ Obsoletes:     %{name}-docs < %{version}-%{release}
 This package contains help file and developer documentation for gupnp.
 %prep
-%setup -q
+%autosetup -n %{name}-%{version} -p1
 # Use Python3 rather than Python2
 sed -i '1s|^#! /usr/bin/env python$|#!/usr/bin/python3|' tools/gupnp-binding-tool
 %build
-%configure --disable-static --with-context-manager=network-manager
+%meson \
-%make_build V=1
+  -Dcontext_manager=network-manager \
  -Dgtk_doc=true
 %meson_build
 %install
-%make_install
+%meson_install
 %delete_la
 %check
-make check %{?_smp_mflags} V=1
+%meson_test
 %post -p /sbin/ldconfig
@ -56,21 +57,29 @@ make check %{?_smp_mflags} V=1
 %files
 %license COPYING
 %doc AUTHORS
-%{_libdir}/libgupnp-1.0.so.*
+%{_libdir}/libgupnp-1.2.so.*
-%{_libdir}/girepository-1.0/GUPnP-1.0.typelib
+%{_libdir}/girepository-1.0/GUPnP-1.2.typelib
 %files         devel
-%{_bindir}/gupnp-binding-tool
+%{_bindir}/gupnp-binding-tool-1.2
-%{_libdir}/pkgconfig/gupnp-1.0.pc
+%{_libdir}/pkgconfig/gupnp-1.2.pc
-%{_libdir}/libgupnp-1.0.so
+%{_libdir}/libgupnp-1.2.so
-%{_includedir}/gupnp-1.0
+%{_includedir}/gupnp-1.2
-%{_datadir}/gir-1.0/GUPnP-1.0.gir
+%{_datadir}/gir-1.0/GUPnP-1.2.gir
 %{_datadir}/vala/vapi/gupnp*
 %files         help
 %doc README
 %doc %{_datadir}/gtk-doc/html/gupnp
 %{_mandir}/man1/gupnp-binding-tool-*
 %changelog
 * Mon Jun 7 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 1.2.4-1
 - Upgrade to 1.2.4
 - Update Version, Release, Source0, BuildRequires
 - Delete sed operation which existed in this version
 - Add patch for fix CVE-2021-33516
 - Update stage 'prep', 'build', 'install', 'check', 'files'
 * Fri Oct 25 2019 Alex Chao <zhaolei746@huawei.com> - 1.0.3-2
 - Package init