From 3eaa9d63a73604961c5f697c3fce6fd4ad8d478ff4847266bb09d88945c51376 Mon Sep 17 00:00:00 2001
From: Martin Szulecki
Date: Fri, 27 May 2016 13:39:16 +0000
Subject: [PATCH] Accepting request 398367 from home:dimstar:Factory - Add libusbmuxd-CVE-2016-5104.patch: Make sure sockets only listen locally (CVE-2016-5104, boo#982014).
OBS-URL: https://build.opensuse.org/request/show/398367
OBS-URL: https://build.opensuse.org/package/show/hardware/libusbmuxd?expand=0&rev=11
---
 libusbmuxd-CVE-2016-5104.patch | 32 ++++++++++++++++++++++++++++++++
 libusbmuxd.changes | 6 ++++++
 libusbmuxd.spec | 3 +++
 3 files changed, 41 insertions(+)
 create mode 100644 libusbmuxd-CVE-2016-5104.patch
diff --git a/libusbmuxd-CVE-2016-5104.patch b/libusbmuxd-CVE-2016-5104.patch
new file mode 100644
index 0000000..9465297
--- /dev/null
+++ b/libusbmuxd-CVE-2016-5104.patch
@@ -0,0 +1,32 @@
+From 4397b3376dc4e4cb1c991d0aed61ce6482614196 Mon Sep 17 00:00:00 2001
+From: Joshua Hill
+Date: Tue, 29 Dec 2015 23:09:37 +0100
+Subject: [PATCH] common: [security fix] Make sure sockets only listen locally
+
+---
+ common/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/socket.c b/common/socket.c
+index 27b93ba..4cdefd6 100644
+--- a/common/socket.c
++++ b/common/socket.c
+@@ -203,7 +203,7 @@ int socket_create(uint16_t port)
+
+ memset((void *) &saddr, 0, sizeof(saddr));
+ saddr.sin_family = AF_INET;
+- saddr.sin_addr.s_addr = htonl(INADDR_ANY);
++ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ saddr.sin_port = htons(port);
+
+ if (0 > bind(sfd, (struct sockaddr *) &saddr, sizeof(saddr))) {
+@@ -368,7 +368,7 @@ int socket_accept(int fd, uint16_t port)
+
+ memset(&addr, 0, sizeof(addr));
+ addr.sin_family = AF_INET;
+- addr.sin_addr.s_addr = htonl(INADDR_ANY);
++ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ addr.sin_port = htons(port);
+
+ addr_len = sizeof(addr);
+
diff --git a/libusbmuxd.changes b/libusbmuxd.changes
index 6c4a287..25c6a43 100644
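Review bot: The `socket_accept` change in the embedded patch likely does not restrict anything on its own: `addr` is prepared just before `addr_len = sizeof(addr);`, which suggests it is handed to accept() as the peer-address out-parameter and overwritten (the call lies outside the hunk, so this is inferred). The binding that actually limits exposure is `saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);` in `socket_create`, and it deserves a comment such as `/* loopback only: this listener must not be reachable from other hosts (CVE-2016-5104) */`. Because `socket_create(uint16_t port)` keeps its signature, every caller silently moves from all interfaces to 127.0.0.1, and only for IPv4; the function's doc comment should state that so a later change does not restore INADDR_ANY. Both function bodies start and end outside the hunks shown.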
--- a/libusbmuxd.changes
+++ b/libusbmuxd.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri May 27 13:11:35 UTC 2016 - dimstar@opensuse.org
+
+- Add libusbmuxd-CVE-2016-5104.patch: Make sure sockets only
+ listen locally (CVE-2016-5104, boo#982014).
+
 -------------------------------------------------------------------
 Mon Feb 22 19:12:48 UTC 2016 - mgorse@suse.com
 
diff --git a/libusbmuxd.spec b/libusbmuxd.spec
index cb385e7..30c485b 100644
--- a/libusbmuxd.spec
+++ b/libusbmuxd.spec
@@ -25,6 +25,8 @@ Group: System/Libraries
 Url: http://cgit.sukimashita.com/libusbmuxd.git
 Source: http://www.libimobiledevice.org/downloads/%{name}-%{version}.tar.bz2
 Source99: baselibs.conf
+# PATCH-FIX-UPSTREAM libusbmuxd-CVE-2016-5104.patch CVE-2016-5104 boo#982014 dimstar@opensuse.org - Make sure sockets only listen locally
+Patch0: libusbmuxd-CVE-2016-5104.patch
 BuildRequires: gcc-c++
 BuildRequires: libplist-devel >= 1.11
 BuildRequires: libusb-1_0-devel >= 1.0.3
@@ -92,6 +94,7 @@ notification and backup services running on the device).
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 %configure