commit libimobiledevice for openSUSE:Factory
Hello community, here is the log from the commit of package libimobiledevice for openSUSE:Factory checked in at 2016-06-02 12:37:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libimobiledevice (Old) and /work/SRC/openSUSE:Factory/.libimobiledevice.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libimobiledevice" Changes: --------
--- /work/SRC/openSUSE:Factory/libimobiledevice/libimobiledevice.changes 2015-08-10 09:14:52.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libimobiledevice.new/libimobiledevice.changes 2016-06-02 12:37:52.000000000 +0200
@@ -1,0 +2,6 @@
+Fri May 27 13:10:37 UTC 2016 - dimstar@opensuse.org
+
+- Add libimobiledevice-CVE-2016-5104.patch: Make sure sockets only
+ listen locally (CVE-2016-5104, boo#982014).
+
+-------------------------------------------------------------------
New: ---- libimobiledevice-CVE-2016-5104.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ libimobiledevice.spec ++++++
--- /var/tmp/diff_new_pack.K4pmRK/_old 2016-06-02 12:37:53.000000000 +0200
+++ /var/tmp/diff_new_pack.K4pmRK/_new 2016-06-02 12:37:53.000000000 +0200
@@ -26,6 +26,9 @@
 Url: http://www.libimobiledevice.org
 Source: http://www.libimobiledevice.org/downloads/%{name}-%{version}.tar.bz2
 Source1: baselibs.conf
+Patch0: libimobiledevice-nosslv3.patch
+# PATCH-FIX-UPSTREAM libimobiledevice-CVE-2016-5104.patch CVE-2016-5104 boo#982014 dimstar@opensuse.org - Make sure sockets only listen locally
+Patch1: libimobiledevice-CVE-2016-5104.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: libopenssl-devel
@@ -39,7 +42,6 @@
 BuildRequires: python-plist
 BuildRequires: readline-devel
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
-Patch0: libimobiledevice-nosslv3.patch
 %description
 libimobiledevice is a software library that talks the protocols to support
@@ -106,6 +108,7 @@
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 autoreconf -fi
 sed -i -e '/Requires:/d' src/%{name}-1.0.pc.in
 sed -i -e 's/-L${libdir}//' src/%{name}-1.0.pc.in
++++++ libimobiledevice-CVE-2016-5104.patch ++++++
From df1f5c4d70d0c19ad40072f5246ca457e7f9849e Mon Sep 17 00:00:00 2001 From: Joshua Hill <posixninja@gmail.com> Date: Tue, 29 Dec 2015 22:27:17 +0100 Subject: [PATCH] common: [security fix] Make sure sockets only listen locally
---
 common/socket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/socket.c b/common/socket.c
index b276864..e2968a6 100644
--- a/common/socket.c
+++ b/common/socket.c
@@ -172,7 +172,7 @@ int socket_create(uint16_t port)
 memset((void *) &saddr, 0, sizeof(saddr));
 saddr.sin_family = AF_INET;
- saddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
 saddr.sin_port = htons(port);
 if (0 > bind(sfd, (struct sockaddr *) &saddr, sizeof(saddr))) {
@@ -329,7 +329,7 @@ int socket_accept(int fd, uint16_t port)
 memset(&addr, 0, sizeof(addr));
 addr.sin_family = AF_INET;
- addr.sin_addr.s_addr = htonl(INADDR_ANY);
+ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
 addr.sin_port = htons(port);
 addr_len = sizeof(addr);
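Review bot: The new `INADDR_LOOPBACK` bind address in socket_create has no comment saying why the listener is loopback-only, so a later edit could restore `INADDR_ANY` without noticing that it makes the port reachable from other hosts again. I would add `/* bind to loopback only: this listener must not be reachable from the network (CVE-2016-5104) */` directly above the assignment. The address is now fixed inside the function while the signature still takes only a port, which looks intended but is worth stating in the function's header comment. socket_create's body starts and ends outside the hunk.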
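Review bot: In socket_accept the `INADDR_LOOPBACK` assignment probably restricts nothing. `addr` is prepared together with `addr_len = sizeof(addr)`, which suggests it is passed to accept() as the peer-address output buffer, and accept() overwrites that buffer rather than filtering on it. If so, the only thing keeping remote peers out is the bind address chosen in socket_create, and a descriptor bound any other way would still accept remote connections here. If the function is meant to enforce locality itself, check the peer after the call with something like `if (addr.sin_addr.s_addr != htonl(INADDR_LOOPBACK))`, then close the accepted descriptor and return an error; otherwise a comment should say the pre-fill is informational only. The accept() call is outside the hunk, so confirm this against the full function.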