Bug#699613: marked as done (unblock: libupnp4/1.8.0~svn20100507-1.2)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sat, 02 Feb 2013 14:48:13 +0000
with message-id <1359816493.4425.3.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#699613: unblock: libupnp4/1.8.0~svn20100507-1.2
has caused the Debian Bug report #699613,
regarding unblock: libupnp4/1.8.0~svn20100507-1.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
699613: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699613
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: libupnp4/1.8.0~svn20100507-1.2
• From: Yves-Alexis Perez <corsac@debian.org>
• Date: Sat, 02 Feb 2013 13:48:06 +0100
• Message-id: <20130202124806.6657.17055.reportbug@scapa>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libupnp4

Hi,

same thing as libupnp, I've uploaded an NMU for libupnp4, fixing the
various buffer overflows.

On top of that, I've enabled hardening flags since it processes
untrusted input from the network, it'd help preventing vulnerabilities
to be exploited.

unblock libupnp4/1.8.0~svn20100507-1.2

Thanks in advance.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -u libupnp4-1.8.0~svn20100507/debian/rules libupnp4-1.8.0~svn20100507/debian/rules
--- libupnp4-1.8.0~svn20100507/debian/rules
+++ libupnp4-1.8.0~svn20100507/debian/rules
@@ -2,6 +2,9 @@
 
 # Uncomment this to turn on verbose mode. 
 #export DH_VERBOSE=1
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
 
 %:
 	dh --with quilt,autotools-dev $@
diff -u libupnp4-1.8.0~svn20100507/debian/control libupnp4-1.8.0~svn20100507/debian/control
--- libupnp4-1.8.0~svn20100507/debian/control
+++ libupnp4-1.8.0~svn20100507/debian/control
@@ -4,7 +4,8 @@
 Homepage: http://pupnp.sourceforge.net/
 Maintainer: Nick Leverton <nick@leverton.org>
 Build-Depends: debhelper (>= 7.0.50), quilt (>= 0.46-8~),
- autotools-dev (>= 20100122.1~), autoconf, automake, libtool, doxygen, graphviz
+ autotools-dev (>= 20100122.1~), autoconf, automake, libtool, doxygen, graphviz,
+ dpkg-dev (>= 1.16.1~)
 Standards-Version: 3.8.4
 
 Package: libupnp4
diff -u libupnp4-1.8.0~svn20100507/debian/changelog libupnp4-1.8.0~svn20100507/debian/changelog
--- libupnp4-1.8.0~svn20100507/debian/changelog
+++ libupnp4-1.8.0~svn20100507/debian/changelog
@@ -1,3 +1,17 @@
+libupnp4 (1.8.0~svn20100507-1.2) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
+    various stack-based buffer overflows in service_unique_name() function.
+    This fix CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
+    CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699459
+  * debian/rules:
+    - enable hardening flags.
+  * debian/control:
+    - add build-dep on dpkg-dev (>= 1.16.1~)
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Fri, 01 Feb 2013 22:53:13 +0100
+
 libupnp4 (1.8.0~svn20100507-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -u libupnp4-1.8.0~svn20100507/debian/patches/series libupnp4-1.8.0~svn20100507/debian/patches/series
--- libupnp4-1.8.0~svn20100507/debian/patches/series
+++ libupnp4-1.8.0~svn20100507/debian/patches/series
@@ -12,0 +13 @@
+0001-Security-fix-for-CERT-issue-VU-922681.patch
only in patch2:
unchanged:
--- libupnp4-1.8.0~svn20100507.orig/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.patch
+++ libupnp4-1.8.0~svn20100507/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.patch
@@ -0,0 +1,105 @@
+Fix for VU#922681
+
+This includes fix for various CVEs by more or less backporting the whole unique_service_name() function from 1.6.18.
+
+CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
+CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
+CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
+CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
+CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
+CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
+CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
+CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
+
+--- a/upnp/src/ssdp/ssdp_server.c
++++ b/upnp/src/ssdp/ssdp_server.c
+@@ -416,7 +416,7 @@ int unique_service_name(IN char *cmd, IN
+     char *ptr2 = NULL;
+     char *ptr3 = NULL;
+     int CommandFound = 0;
+-    int length = 0;
++    size_t n = (size_t)0;
+ 
+     if( ( TempPtr = strstr( cmd, "uuid:schemas" ) ) != NULL ) {
+         ptr1 = strstr( cmd, ":device" );
+@@ -433,16 +433,23 @@ int unique_service_name(IN char *cmd, IN
+         }
+ 
+         if( ptr3 != NULL ) {
+-            sprintf( Evt->UDN, "uuid:%s", ptr3 + 1 );
++            if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
++                return -1;
++            snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
+         } else {
+             return -1;
+         }
+ 
+         ptr1 = strstr( cmd, ":" );
+         if( ptr1 != NULL ) {
+-            strncpy( TempBuf, ptr1, ptr3 - ptr1 );
+-            TempBuf[ptr3 - ptr1] = '\0';
+-            sprintf( Evt->DeviceType, "urn%s", TempBuf );
++            n = (size_t)ptr3 - (size_t)ptr1;
++            n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
++            strncpy(TempBuf, ptr1, n);
++            TempBuf[n] = '\0';
++            if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
++                return -1;
++            snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
++                "urn%s", TempBuf);
+         } else {
+             return -1;
+         }
+@@ -451,10 +458,13 @@ int unique_service_name(IN char *cmd, IN
+ 
+     if( ( TempPtr = strstr( cmd, "uuid" ) ) != NULL ) {
+         if( ( Ptr = strstr( cmd, "::" ) ) != NULL ) {
+-            strncpy( Evt->UDN, TempPtr, Ptr - TempPtr );
+-            Evt->UDN[Ptr - TempPtr] = '\0';
++            n = (size_t)Ptr - (size_t)TempPtr;
++            n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
++            strncpy(Evt->UDN, TempPtr, n);
++            Evt->UDN[n] = '\0';
+         } else {
+-            strcpy( Evt->UDN, TempPtr );
++            memset(Evt->UDN, 0, sizeof(Evt->UDN));
++            strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
+         }
+         CommandFound = 1;
+     }
+@@ -462,7 +472,9 @@ int unique_service_name(IN char *cmd, IN
+     if( strstr( cmd, "urn:" ) != NULL
+         && strstr( cmd, ":service:" ) != NULL ) {
+         if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
+-            strcpy( Evt->ServiceType, TempPtr );
++            memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
++            strncpy(Evt->ServiceType, TempPtr,
++                sizeof Evt->ServiceType - 1);
+             CommandFound = 1;
+         }
+     }
+@@ -470,7 +482,9 @@ int unique_service_name(IN char *cmd, IN
+     if( strstr( cmd, "urn:" ) != NULL
+         && strstr( cmd, ":device:" ) != NULL ) {
+         if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
+-            strcpy( Evt->DeviceType, TempPtr );
++            memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
++            strncpy(Evt->DeviceType, TempPtr,
++                sizeof Evt->DeviceType - 1);
+             CommandFound = 1;
+         }
+     }
+@@ -478,9 +492,10 @@ int unique_service_name(IN char *cmd, IN
+     if( ( TempPtr = strstr( cmd, "::upnp:rootdevice" ) ) != NULL ) {
+         /* Everything before "::upnp::rootdevice" is the UDN. */
+         if( TempPtr != cmd ) {
+-            length = TempPtr - cmd;
+-            strncpy(Evt->UDN, cmd, length);
+-            Evt->UDN[length] = 0;
++            n = (size_t)TempPtr - (size_t)cmd;
++            n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
++            strncpy(Evt->UDN, cmd, n);
++            Evt->UDN[n] = 0;
+             CommandFound = 1;
+         }
+     }

--- End Message ---

--- Begin Message ---

• To: Yves-Alexis Perez <corsac@debian.org>, 699613-done@bugs.debian.org
• Subject: Re: Bug#699613: unblock: libupnp4/1.8.0~svn20100507-1.2
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 02 Feb 2013 14:48:13 +0000
• Message-id: <1359816493.4425.3.camel@jacala.jungle.funky-badger.org>
• In-reply-to: <20130202124806.6657.17055.reportbug@scapa>
• References: <20130202124806.6657.17055.reportbug@scapa>

On Sat, 2013-02-02 at 13:48 +0100, Yves-Alexis Perez wrote:
> same thing as libupnp, I've uploaded an NMU for libupnp4, fixing the
> various buffer overflows.
> 
> On top of that, I've enabled hardening flags since it processes
> untrusted input from the network, it'd help preventing vulnerabilities
> to be exploited.

Unblocked; thanks.

Regards,

Adam

--- End Message ---