Re: Wheezy update of libupnp?

To: Nick Leverton <nick@leverton.org>
Cc: Chris Lamb <lamby@debian.org>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Wheezy update of libupnp?
From: Balint Reczey <balint@balintreczey.hu>
Date: Tue, 2 Aug 2016 20:23:26 +0200
Message-id: <[🔎] 1e5172fe-3394-c0c1-a3df-7804efa9b122@balintreczey.hu>
Reply-to: balint@balintreczey.hu
In-reply-to: <CAK0OdpwvhikJmsfdpzremKEaJwwYX=bBTWRL1Uv8TVdAZ0YK8g@mail.gmail.com>
References: <1468911258.226272.670283441.0760F51A@webmail.messagingengine.com> <20160719133513.GC32083@leverton.org> <CAK0OdpwvhikJmsfdpzremKEaJwwYX=bBTWRL1Uv8TVdAZ0YK8g@mail.gmail.com>

On 07/26/2016 10:51 PM, Bálint Réczey wrote:
> Hi Nick,
> 
> 2016-07-19 15:35 GMT+02:00 Nick Leverton <nick@leverton.org>:
>> On Tue, Jul 19, 2016 at 08:54:18AM +0200, Chris Lamb wrote:
>>> Hello dear maintainer(s),
>>>
>>> the Debian LTS team would like to fix the security issues which are
>>> currently open in the Wheezy version of libupnp:
>>> https://security-tracker.debian.org/tracker/TEMP-0000000-867096
>>>
>>> Would you like to take care of this yourself?
>>
>> Hi,
>>
>> Thanks very much for the headsup on this.  I've a bit to do for Squeeze
>> at the moment and would really appreciate any help your team can provide
>> on LTS.  If I do get enough time though I'll check in on your task
>> tracker as suggested.
> 
> I will prepare a fix for Wheezy tomorrow.

It took some more time but I also reported the problem upstream in their
public bug tracker:
https://sourceforge.net/p/pupnp/bugs/132/

Please see the attached patch which I will upload in a few days if
upstream does not react.

The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

Cheers,
Balint

diff -Nru libupnp-1.6.17/debian/changelog libupnp-1.6.17/debian/changelog
--- libupnp-1.6.17/debian/changelog	2013-02-01 21:56:14.000000000 +0100
+++ libupnp-1.6.17/debian/changelog	2016-07-27 19:05:24.000000000 +0200
@@ -1,3 +1,12 @@
+libupnp (1:1.6.17-1.2+deb7u1) wheezy-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Team
+  * Don't allow unhandled POSTs to write to the filesystem by
+    default (Closes: #831857) (CVE-2016-6255)
+    Thanks to Matthew Garrett for the patch.
+
+ -- Balint Reczey <balint@balintreczey.hu>  Wed, 27 Jul 2016 19:01:31 +0200
+
 libupnp (1:1.6.17-1.2) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch
--- libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch	1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch	2016-07-27 19:01:19.000000000 +0200
@@ -0,0 +1,59 @@
+From be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+---
+ configure.ac                         | 4 ++++
+ upnp/inc/upnpconfig.h.in             | 5 +++++
+ upnp/src/genlib/net/http/webserver.c | 4 ++++
+ 3 files changed, 13 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -452,6 +452,10 @@
+         AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h])
+ fi
+ 
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++        AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+ 
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+ 
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -131,5 +131,10 @@
+  * header (i.e. configure --enable-unspecified_server) */
+ #undef UPNP_ENABLE_UNSPECIFIED_SERVER
+ 
++/** Defined to 1 if the library has been compiled to support filesystem writes on POST
++ *  (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
++
+ #endif /* UPNP_CONFIG_H */
+ 
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1354,9 +1354,13 @@
+ 		if (Fp == NULL)
+ 			return HTTP_INTERNAL_SERVER_ERROR;
+ 	} else {
++#ifdef UPNP_ENABLE_POST_WRITE
+ 		Fp = fopen(filename, "wb");
+ 		if (Fp == NULL)
+ 			return HTTP_UNAUTHORIZED;
++#else
++		return HTTP_NOT_FOUND;
++#endif
+ 	}
+ 	parser->position = POS_ENTITY;
+ 	do {
diff -Nru libupnp-1.6.17/debian/patches/series libupnp-1.6.17/debian/patches/series
--- libupnp-1.6.17/debian/patches/series	2013-02-01 18:36:23.000000000 +0100
+++ libupnp-1.6.17/debian/patches/series	2016-07-27 19:00:56.000000000 +0200
@@ -4,3 +4,4 @@
 12-debian-always-debug.patch
 18-url-upnpstrings.patch
 0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch
+0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch

Reply to:

Prev by Date: Re: Redis not uploaded and timely security announcements
Next by Date: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Previous by thread: Re: Icedtea plugin
Next by thread: Wheezy update of libsys-syslog-perl?
Index(es):
- Date
- Thread