--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: libupnp/1:1.6.17-1.2
- From: Yves-Alexis Perez <corsac@debian.org>
- Date: Sat, 02 Feb 2013 13:46:32 +0100
- Message-id: <20130202124632.6420.33528.reportbug@scapa>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package libupnp
Hi,
I've just uploaded an NMU for libupnp which fixes the various buffer
overflows. Diff is pretty straightforward, debdiff is attached.
unblock libupnp/1:1.6.17-1.2
Regards,
--
Yves-Alexis
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru libupnp-1.6.17/debian/changelog libupnp-1.6.17/debian/changelog
--- libupnp-1.6.17/debian/changelog 2012-05-08 16:59:15.000000000 +0200
+++ libupnp-1.6.17/debian/changelog 2013-02-01 21:56:14.000000000 +0100
@@ -1,3 +1,13 @@
+libupnp (1:1.6.17-1.2) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
+ various stack-based buffer overflows in service_unique_name() function.
+ This fix CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
+ CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699316
+
+ -- Yves-Alexis Perez <corsac@debian.org> Fri, 01 Feb 2013 21:56:12 +0100
+
libupnp (1:1.6.17-1.1) unstable; urgency=high
* Non-maintainer upload.
diff -Nru libupnp-1.6.17/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch libupnp-1.6.17/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch
--- libupnp-1.6.17/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch 1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.17/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch 2013-02-01 22:38:08.000000000 +0100
@@ -0,0 +1,90 @@
+This patch addresses three possible buffer overflows in function
+unique_service_name(). The three issues have the folowing CVE
+numbers:
+
+CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
+CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
+CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
+
+Notice that the following issues have already been dealt by previous
+work:
+
+CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
+CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
+CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
+CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
+CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
+---
+ ChangeLog | 20 ++++++++++++++++++++
+ upnp/src/ssdp/ssdp_server.c | 18 ++++++++++--------
+ 2 files changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/upnp/src/ssdp/ssdp_server.c b/upnp/src/ssdp/ssdp_server.c
+index 231c2c5..8a57d08 100644
+--- a/upnp/src/ssdp/ssdp_server.c
++++ b/upnp/src/ssdp/ssdp_server.c
+@@ -467,16 +467,16 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
+ else
+ return -1;
+ if (ptr3 != NULL) {
+- if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof(Evt->UDN))
++ if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
+ return -1;
+- snprintf(Evt->UDN, sizeof(Evt->UDN), "uuid:%s",
+- ptr3 + 1);
++ snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
+ }
+ else
+ return -1;
+ ptr1 = strstr(cmd, ":");
+ if (ptr1 != NULL) {
+ n = (size_t)ptr3 - (size_t)ptr1;
++ n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
+ strncpy(TempBuf, ptr1, n);
+ TempBuf[n] = '\0';
+ if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
+@@ -490,27 +490,28 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
+ if ((TempPtr = strstr(cmd, "uuid")) != NULL) {
+ if ((Ptr = strstr(cmd, "::")) != NULL) {
+ n = (size_t)Ptr - (size_t)TempPtr;
++ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
+ strncpy(Evt->UDN, TempPtr, n);
+ Evt->UDN[n] = '\0';
+ } else {
+ memset(Evt->UDN, 0, sizeof(Evt->UDN));
+- strncpy(Evt->UDN, TempPtr, sizeof(Evt->UDN) - 1);
++ strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
+ }
+ CommandFound = 1;
+ }
+ if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) {
+ if ((TempPtr = strstr(cmd, "urn")) != NULL) {
+- memset(Evt->ServiceType, 0, sizeof(Evt->ServiceType));
++ memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
+ strncpy(Evt->ServiceType, TempPtr,
+- sizeof(Evt->ServiceType) - 1);
++ sizeof Evt->ServiceType - 1);
+ CommandFound = 1;
+ }
+ }
+ if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) {
+ if ((TempPtr = strstr(cmd, "urn")) != NULL) {
+- memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType));
++ memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
+ strncpy(Evt->DeviceType, TempPtr,
+- sizeof(Evt->DeviceType) - 1);
++ sizeof Evt->DeviceType - 1);
+ CommandFound = 1;
+ }
+ }
+@@ -518,6 +519,7 @@ int unique_service_name(char *cmd, SsdpEvent *Evt)
+ /* Everything before "::upnp::rootdevice" is the UDN. */
+ if (TempPtr != cmd) {
+ n = (size_t)TempPtr - (size_t)cmd;
++ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
+ strncpy(Evt->UDN, cmd, n);
+ Evt->UDN[n] = 0;
+ CommandFound = 1;
+--
+1.7.7
+
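Review bot: The three clamps added in the embedded ssdp_server.c patch (`n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;` twice, plus the `TempBuf` variant) bound the copy but silently truncate an oversized field, and the two UDN paths then set `CommandFound = 1`, whereas the `uuid:` branch at the top of the first hunk rejects the same condition with `return -1`. A truncated UDN or device type, presumably parsed from a received SSDP message, would then be handled downstream as if it were a complete identifier. In the `uuid`/`::` branch, `n` is `(size_t)Ptr - (size_t)TempPtr` from two independent `strstr()` calls on `cmd`, so when `::` precedes `uuid` the subtraction wraps and the clamp hides it; the copy stays in bounds, but the stored value is not the span the code meant to extract. Rejecting instead of clamping would make the paths consistent, e.g. `if (Ptr < TempPtr || n >= sizeof Evt->UDN) return -1;` at that site. unique_service_name() starts and ends outside these hunks, so whether its callers tolerate `-1` on these paths needs checking against the full file.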
diff -Nru libupnp-1.6.17/debian/patches/series libupnp-1.6.17/debian/patches/series
--- libupnp-1.6.17/debian/patches/series 2012-03-18 13:07:18.000000000 +0100
+++ libupnp-1.6.17/debian/patches/series 2013-02-01 18:36:23.000000000 +0100
@@ -3,3 +3,4 @@
09-update-doc.patch
12-debian-always-debug.patch
18-url-upnpstrings.patch
+0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch
--- End Message ---