From bbcef2e4b547efc7c2967d6aaf01b1225fe47a7ec5d80e44c1dcadea0a1b645e Mon Sep 17 00:00:00 2001
From: Martin Szulecki
Date: Fri, 27 May 2016 13:42:44 +0000
Subject: [PATCH] Accepting request 398366 from home:dimstar:Factory - Add libimobiledevice-CVE-2016-5104.patch: Make sure sockets only listen locally (CVE-2016-5104, boo#982014).
OBS-URL: https://build.opensuse.org/request/show/398366
OBS-URL: https://build.opensuse.org/package/show/hardware/libimobiledevice?expand=0&rev=8
---
 libimobiledevice-CVE-2016-5104.patch | 32 ++++++++++++++++++++++++++++
 libimobiledevice.changes | 6 ++++++
 libimobiledevice.spec | 5 ++++-
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 libimobiledevice-CVE-2016-5104.patch
diff --git a/libimobiledevice-CVE-2016-5104.patch b/libimobiledevice-CVE-2016-5104.patch
new file mode 100644
index 0000000..1d188ee
--- /dev/null
+++ b/libimobiledevice-CVE-2016-5104.patch
@@ -0,0 +1,32 @@
+From df1f5c4d70d0c19ad40072f5246ca457e7f9849e Mon Sep 17 00:00:00 2001
+From: Joshua Hill
+Date: Tue, 29 Dec 2015 22:27:17 +0100
+Subject: [PATCH] common: [security fix] Make sure sockets only listen locally
+
+---
+ common/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/socket.c b/common/socket.c
+index b276864..e2968a6 100644
+--- a/common/socket.c
++++ b/common/socket.c
+@@ -172,7 +172,7 @@ int socket_create(uint16_t port)
+
+ memset((void *) &saddr, 0, sizeof(saddr));
+ saddr.sin_family = AF_INET;
+- saddr.sin_addr.s_addr = htonl(INADDR_ANY);
++ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ saddr.sin_port = htons(port);
+
+ if (0 > bind(sfd, (struct sockaddr *) &saddr, sizeof(saddr))) {
+@@ -329,7 +329,7 @@ int socket_accept(int fd, uint16_t port)
+
+ memset(&addr, 0, sizeof(addr));
+ addr.sin_family = AF_INET;
+- addr.sin_addr.s_addr = htonl(INADDR_ANY);
++ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ addr.sin_port = htons(port);
+
+ addr_len = sizeof(addr);
+
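Review bot: In the embedded `common/socket.c` patch, the `socket_accept` hunk's `addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);` most likely restricts nothing: `addr` is zeroed and `addr_len` set just before what is presumably the `accept()` call (outside the hunk), and `accept()` only writes the peer's address into that structure. The protection therefore rests on the `bind()` address in `socket_create` alone, which is worth recording there, e.g. `/* loopback only: the bind address is the sole restriction on who may connect (CVE-2016-5104) */`. Binding to loopback still leaves the port open to every local user and process, so a consumer that needs per-user isolation has to authenticate the peer itself. After the rebuild, `ss -ltn` should list the listener on 127.0.0.1 rather than 0.0.0.0. Both function bodies start and end outside their hunks.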
diff --git a/libimobiledevice.changes b/libimobiledevice.changes
index 955f444..93b059f 100644
--- a/libimobiledevice.changes
+++ b/libimobiledevice.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri May 27 13:10:37 UTC 2016 - dimstar@opensuse.org
+
+- Add libimobiledevice-CVE-2016-5104.patch: Make sure sockets only
+ listen locally (CVE-2016-5104, boo#982014).
+
 -------------------------------------------------------------------
 Wed Jul 29 06:06:53 UTC 2015 - i@marguerite.su
diff --git a/libimobiledevice.spec b/libimobiledevice.spec
index 7eb22d1..1e5fed5 100644
--- a/libimobiledevice.spec
+++ b/libimobiledevice.spec
@@ -26,6 +26,9 @@ Group: System/Libraries
 Url: http://www.libimobiledevice.org
 Source: http://www.libimobiledevice.org/downloads/%{name}-%{version}.tar.bz2
 Source1: baselibs.conf
+Patch0: libimobiledevice-nosslv3.patch
+# PATCH-FIX-UPSTREAM libimobiledevice-CVE-2016-5104.patch CVE-2016-5104 boo#982014 dimstar@opensuse.org - Make sure sockets only listen locally
+Patch1: libimobiledevice-CVE-2016-5104.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: libopenssl-devel
@@ -39,7 +42,6 @@ BuildRequires: python-devel
 BuildRequires: python-plist
 BuildRequires: readline-devel
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
-Patch0: libimobiledevice-nosslv3.patch
 %description
 libimobiledevice is a software library that talks the protocols to support
@@ -106,6 +108,7 @@ Contains Python bindings for developing applications that use %{name}.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 autoreconf -fi
 sed -i -e '/Requires:/d' src/%{name}-1.0.pc.in
 sed -i -e 's/-L${libdir}//' src/%{name}-1.0.pc.in