
Bug#772649: marked as done (unblock: miniupnpd/1.8.20140523-4 (security fix))



Your message dated Tue, 9 Dec 2014 20:01:18 +0100
with message-id <20141209190118.GA5900@ugent.be>
and subject line Re: Bug#772649: unblock: miniupnpd/1.8.20140523-4 (security fix)
has caused the Debian Bug report #772649,
regarding unblock: miniupnpd/1.8.20140523-4 (security fix)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772649: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772649
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: grave
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

I have just uploaded a new version of MiniUPnPd which fixes 5 issues that have
been found after a security audit from someone at Google.

Please unblock miniupnpd/1.8.20140523-4.

Cheers,

Thomas Goirand (zigo)
diff -Nru miniupnpd-1.8.20140523/debian/changelog miniupnpd-1.8.20140523/debian/changelog
--- miniupnpd-1.8.20140523/debian/changelog	2014-11-04 09:01:40.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/changelog	2014-12-09 14:37:29.000000000 +0000
@@ -1,3 +1,9 @@
+miniupnpd (1.8.20140523-4) unstable; urgency=high
+
+  * Fixes multiple vulnerabilities (Closes: #772644).
+
+ -- Thomas Goirand <zigo@debian.org>  Tue, 09 Dec 2014 22:29:04 +0800
+
 miniupnpd (1.8.20140523-3) unstable; urgency=medium
 
   * Do not install the configuration file in /etc/miniupnpd, use /usr/share
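Review bot: the changelog entry "Fixes multiple vulnerabilities (Closes: #772644)" does not say which vulnerabilities were fixed. For a security upload it helps the security team and the tracker to enumerate the five fixes, one line per patch naming the affected function (upnp_add_inboundpinhole(), upnp_redirect(), GetListOfPortMappings(), ParseHttpHeaders(), BuildHeader_upnphttp()) and the upstream commit it comes from, so the entry can be matched against upstream's fixes without opening debian/patches.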
diff -Nru miniupnpd-1.8.20140523/debian/patches/0010_fix_upnp_add_inboundpinhole.patch miniupnpd-1.8.20140523/debian/patches/0010_fix_upnp_add_inboundpinhole.patch
--- miniupnpd-1.8.20140523/debian/patches/0010_fix_upnp_add_inboundpinhole.patch	1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/0010_fix_upnp_add_inboundpinhole.patch	2014-12-09 14:37:29.000000000 +0000
@@ -0,0 +1,43 @@
+Description: miniupnpd/upnppinhole.c: fix upnp_add_inboundpinhole()
+ check inet_pton() return
+Author: Thomas Bernard <miniupnp@free.fr>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/d00b75782e7d73e78d0b935cee6f4873bc48c9e8.patch
+Date: Tue, 9 Dec 2014 10:52:26 +0100
+Bug-Debian: https://bugs.debian.org/772644
+Last-Update: 2014-12-09
+
+diff --git a/upnppinhole.c b/miniupnpd/upnppinhole.c
+index 08f1cf6..932bc11 100644
+--- a/upnppinhole.c
++++ b/upnppinhole.c
+@@ -88,10 +88,10 @@ upnp_check_outbound_pinhole(int proto, int * timeout)
+ #endif
+ 
+ /* upnp_add_inboundpinhole()
+- * returns: 0 on success
+- *          -1 failed to add pinhole
+- *          -2 already created
+- *          -3 inbound pinhole disabled
++ * returns:  1 on success
++ *          -1 Pinhole space exhausted
++ *          -4 invalid arguments
++ *         -42 not implemented
+  * TODO : return uid on success (positive) or error value (negative)
+  */
+ int
+@@ -109,10 +109,11 @@ upnp_add_inboundpinhole(const char * raddr,
+ 	unsigned int timestamp;
+ 	struct in6_addr address;
+ 
+-	if(inet_pton(AF_INET6, iaddr, &address) < 0)
+-	{
+-		syslog(LOG_ERR, "inet_pton(%s) : %m", iaddr);
+-		return 0;
++	r = inet_pton(AF_INET6, iaddr, &address);
++	if(r <= 0) {
++		syslog(LOG_ERR, "inet_pton(%d, %s, %p) FAILED",
++		       AF_INET6, iaddr, &address);
++		return -4;
+ 	}
+ 	current = time(NULL);
+ 	timestamp = current + leasetime;
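Review bot: `r = inet_pton(AF_INET6, iaddr, &address);` assigns a variable that none of the declarations visible at the top of the hunk (`unsigned int timestamp;`, `struct in6_addr address;`) introduce; confirm `r` is declared earlier in upnp_add_inboundpinhole(), otherwise this does not compile. The `<= 0` test itself is the right fix: inet_pton() returns 0 for an unparsable address and -1 only for an unsupported family, so the old `< 0` test let an invalid address through with `address` uninitialized and then returned 0, which the old comment documented as success. Two smaller points: the header comment now documents 1 on success and -4 for invalid arguments, so any caller that tested for 0 needs checking, and the nested `diff --git a/upnppinhole.c b/miniupnpd/upnppinhole.c` line has a b/ path that does not match the `+++ b/upnppinhole.c` below it (quilt only uses the ---/+++ lines, but the DEP-3 header should be consistent).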
diff -Nru miniupnpd-1.8.20140523/debian/patches/0020_check_inet_aton_return.patch miniupnpd-1.8.20140523/debian/patches/0020_check_inet_aton_return.patch
--- miniupnpd-1.8.20140523/debian/patches/0020_check_inet_aton_return.patch	1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/0020_check_inet_aton_return.patch	2014-12-09 14:37:29.000000000 +0000
@@ -0,0 +1,22 @@
+Description: miniupnpd/upnpredirect.c:  check inet_aton() return
+Author: Thomas Bernard <miniupnp@free.fr>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/7c91c4e933e96b913b72685d093126d282b87db6.patch
+Date: Tue, 9 Dec 2014 10:53:52 +0100
+Bug-Debian: https://bugs.debian.org/772644
+Last-Update: 2014-12-09
+
+diff --git a/upnpredirect.c b/upnpredirect.c
+index 5a50c6d..28560ab 100644
+--- a/upnpredirect.c
++++ b/upnpredirect.c
+@@ -268,8 +268,8 @@ upnp_redirect(const char * rhost, unsigned short eport,
+ 	unsigned int timestamp;
+ 
+ 	proto = proto_atoi(protocol);
+-	if(inet_aton(iaddr, &address) < 0) {
+-		syslog(LOG_ERR, "inet_aton(%s) : %m", iaddr);
++	if(inet_aton(iaddr, &address) <= 0) {
++		syslog(LOG_ERR, "inet_aton(%s) FAILED", iaddr);
+ 		return -1;
+ 	}
+ 
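Review bot: the old test was dead code: inet_aton() returns non-zero on success and 0 on failure, never a negative value, so `inet_aton(iaddr, &address) < 0` could never be true and a malformed iaddr fell through to the redirect with `address` uninitialized. The new `<= 0` catches it; `== 0` (or `!inet_aton(...)`) would state the intent more plainly. Dropping `%m` from the log message is right, since inet_aton() does not set errno.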
diff -Nru miniupnpd-1.8.20140523/debian/patches/0030_fix_potential_memory_corruption_in_upnpsoap.c_GetListOfPortMappings.patch miniupnpd-1.8.20140523/debian/patches/0030_fix_potential_memory_corruption_in_upnpsoap.c_GetListOfPortMappings.patch
--- miniupnpd-1.8.20140523/debian/patches/0030_fix_potential_memory_corruption_in_upnpsoap.c_GetListOfPortMappings.patch	1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/0030_fix_potential_memory_corruption_in_upnpsoap.c_GetListOfPortMappings.patch	2014-12-09 14:37:29.000000000 +0000
@@ -0,0 +1,41 @@
+Subject: miniupnpd/upnpsoap.c: fix potential memory corruption in upnpsoap.c/GetListOfPortMappings()
+ Credits goes to Stephen Röttger of the Google Security Team for identifying
+ the vulnerabilities
+Author: Thomas Bernard <miniupnp@free.fr>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/e6bc04aa06341fa4df3ccae87a167e9adf816911.patch
+Bug-Debian: https://bugs.debian.org/772644
+Date: Tue, 9 Dec 2014 11:01:37 +0100
+
+Index: miniupnpd/upnpsoap.c
+===================================================================
+--- miniupnpd.orig/upnpsoap.c	2014-07-14 15:08:01.000000000 +0800
++++ miniupnpd/upnpsoap.c	2014-12-09 22:11:34.000000000 +0800
+@@ -1006,6 +1006,7 @@
+ 			body = realloc(body, bodyalloc);
+ 			if(!body)
+ 			{
++				syslog(LOG_CRIT, "realloc(%p, %u) FAILED", body_sav, (unsigned)bodyalloc);
+ 				ClearNameValueList(&data);
+ 				SoapError(h, 501, "ActionFailed");
+ 				free(body_sav);
+@@ -1030,6 +1031,20 @@
+ 	free(port_list);
+ 	port_list = NULL;
+ 
++	if((bodylen + sizeof(list_end) + 1024) > bodyalloc)
++	{
++		char * body_sav = body;
++		bodyalloc += (sizeof(list_end) + 1024);
++		body = realloc(body, bodyalloc);
++		if(!body)
++		{
++			syslog(LOG_CRIT, "realloc(%p, %u) FAILED", body_sav, (unsigned)bodyalloc);
++			ClearNameValueList(&data);
++			SoapError(h, 501, "ActionFailed");
++			free(body_sav);
++			return;
++		}
++	}
+ 	memcpy(body+bodylen, list_end, sizeof(list_end));
+ 	bodylen += (sizeof(list_end) - 1);
+ 	bodylen += snprintf(body+bodylen, bodyalloc-bodylen, resp_end,
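Review bot: `bodylen += snprintf(body+bodylen, bodyalloc-bodylen, resp_end, ...)` on the last context line adds the length snprintf() would have written, not what it actually wrote, so if the 1024 bytes of headroom reserved by the new block are ever smaller than the formatted resp_end, bodylen silently ends up larger than bodyalloc. Either check the snprintf() return against the remaining space or derive the reserve from the size of resp_end instead of a bare 1024, ideally as a named constant. The header also uses `Subject:` where the other four patches use `Description:` and lacks a `Last-Update:` line; both are valid DEP-3 but inconsistent with the rest of the series.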
diff -Nru miniupnpd-1.8.20140523/debian/patches/0040_fix_buffer_overrun_in_ParseHttpHeaders.patch miniupnpd-1.8.20140523/debian/patches/0040_fix_buffer_overrun_in_ParseHttpHeaders.patch
--- miniupnpd-1.8.20140523/debian/patches/0040_fix_buffer_overrun_in_ParseHttpHeaders.patch	1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/0040_fix_buffer_overrun_in_ParseHttpHeaders.patch	2014-12-09 14:37:29.000000000 +0000
@@ -0,0 +1,22 @@
+Description: miniupnpd/upnphttp.c: fix buffer overrun in ParseHttpHeaders() if Content-Length doesn't contain any digit
+ Credits goes to Stephen Röttger of the Google Security Team for identifying
+ the vulnerabilities
+Author: Thomas Bernard <miniupnp@free.fr>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/dd39ecaa935a9c23176416b38a3b80d577f21048.patch
+Date: Tue, 9 Dec 2014 11:02:57 +0100
+Bug-Debian: https://bugs.debian.org/772644
+Last-Update: 2014-12-09
+
+diff --git a/upnphttp.c b/upnphttp.c
+index 9e9e7d0..499879f 100644
+--- a/upnphttp.c
++++ b/upnphttp.c
+@@ -223,7 +223,7 @@ ParseHttpHeaders(struct upnphttp * h)
+ 			if(strncasecmp(line, "Content-Length", 14)==0)
+ 			{
+ 				p = colon;
+-				while(*p < '0' || *p > '9')
++				while((*p < '0' || *p > '9') && (*p != '\r') && (*p != '\n'))
+ 					p++;
+ 				h->req_contentlen = atoi(p);
+ 				if(h->req_contentlen < 0) {
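Review bot: the rewritten loop `while((*p < '0' || *p > '9') && (*p != '\r') && (*p != '\n'))` stops at CR and LF but not at a NUL terminator, so if the Content-Length line is the last thing in the buffer and is not CRLF-terminated (a request truncated mid-header, for instance), `p` can still walk past the end of the request; add `&& (*p != '\0')` or bound the scan by the remaining request length. Separately, `h->req_contentlen = atoi(p);` is undefined behaviour on an oversized digit run and the `< 0` check below only catches the negative case; strtol() with an explicit range check would make req_contentlen robust to oversized values as well.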
diff -Nru miniupnpd-1.8.20140523/debian/patches/0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch miniupnpd-1.8.20140523/debian/patches/0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch
--- miniupnpd-1.8.20140523/debian/patches/0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch	1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch	2014-12-09 14:37:29.000000000 +0000
@@ -0,0 +1,101 @@
+Description: miniupnpd: check if BuildHeader_upnphttp() failed to allocate memory
+Author: Thomas Bernard <miniupnp@free.fr>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/ec94c5663fe80dd6ceea895c73e2be66b1ef6bf4.patch
+Date: Tue, 9 Dec 2014 11:04:15 +0100
+Bug-Debian: https://bugs.debian.org/772644
+Last-Update: 2014-12-09
+
+diff --git a/upnphttp.c b/upnphttp.c
+index 499879f..f23832a 100644
+--- a/upnphttp.c
++++ b/upnphttp.c
+@@ -986,7 +986,7 @@ static const char httpresphead[] =
+ /* with response code and response message
+  * also allocate enough memory */
+ 
+-void
++int
+ BuildHeader_upnphttp(struct upnphttp * h, int respcode,
+                      const char * respmsg,
+                      int bodylen)
+@@ -1000,7 +1000,7 @@ BuildHeader_upnphttp(struct upnphttp * h, int respcode,
+ 		h->res_buf = (char *)malloc(templen);
+ 		if(!h->res_buf) {
+ 			syslog(LOG_ERR, "malloc error in BuildHeader_upnphttp()");
+-			return;
++			return -1;
+ 		}
+ 		h->res_buf_alloclen = templen;
+ 	}
+@@ -1079,8 +1079,10 @@ BuildHeader_upnphttp(struct upnphttp * h, int respcode,
+ 		else
+ 		{
+ 			syslog(LOG_ERR, "realloc error in BuildHeader_upnphttp()");
++			return -1;
+ 		}
+ 	}
++	return 0;
+ }
+ 
+ void
+@@ -1088,8 +1090,8 @@ BuildResp2_upnphttp(struct upnphttp * h, int respcode,
+                     const char * respmsg,
+                     const char * body, int bodylen)
+ {
+-	BuildHeader_upnphttp(h, respcode, respmsg, bodylen);
+-	if(body)
++	int r = BuildHeader_upnphttp(h, respcode, respmsg, bodylen);
++	if(body && (r >= 0))
+ 		memcpy(h->res_buf + h->res_buflen, body, bodylen);
+ 	h->res_buflen += bodylen;
+ }
+diff --git a/upnphttp.h b/upnphttp.h
+index 4bd7f9b..70fef8f 100644
+--- a/upnphttp.h
++++ b/upnphttp.h
+@@ -136,8 +136,9 @@ Process_upnphttp(struct upnphttp *);
+ 
+ /* BuildHeader_upnphttp()
+  * build the header for the HTTP Response
+- * also allocate the buffer for body data */
+-void
++ * also allocate the buffer for body data
++ * return -1 on error */
++int
+ BuildHeader_upnphttp(struct upnphttp * h, int respcode,
+                      const char * respmsg,
+                      int bodylen);
+diff --git a/upnpsoap.c b/upnpsoap.c
+index efd0658..e8db166 100644
+--- a/upnpsoap.c
++++ b/upnpsoap.c
+@@ -45,17 +45,21 @@ BuildSendAndCloseSoapResp(struct upnphttp * h,
+ 		"</s:Body>"
+ 		"</s:Envelope>\r\n";
+ 
+-	BuildHeader_upnphttp(h, 200, "OK",  sizeof(beforebody) - 1
+-		+ sizeof(afterbody) - 1 + bodylen );
++	int r = BuildHeader_upnphttp(h, 200, "OK",  sizeof(beforebody) - 1
++	                             + sizeof(afterbody) - 1 + bodylen );
+ 
+-	memcpy(h->res_buf + h->res_buflen, beforebody, sizeof(beforebody) - 1);
+-	h->res_buflen += sizeof(beforebody) - 1;
++	if(r >= 0) {
++		memcpy(h->res_buf + h->res_buflen, beforebody, sizeof(beforebody) - 1);
++		h->res_buflen += sizeof(beforebody) - 1;
+ 
+-	memcpy(h->res_buf + h->res_buflen, body, bodylen);
+-	h->res_buflen += bodylen;
++		memcpy(h->res_buf + h->res_buflen, body, bodylen);
++		h->res_buflen += bodylen;
+ 
+-	memcpy(h->res_buf + h->res_buflen, afterbody, sizeof(afterbody) - 1);
+-	h->res_buflen += sizeof(afterbody) - 1;
++		memcpy(h->res_buf + h->res_buflen, afterbody, sizeof(afterbody) - 1);
++		h->res_buflen += sizeof(afterbody) - 1;
++	} else {
++		BuildResp2_upnphttp(h, 500, "Internal Server Error", NULL, 0);
++	}
+ 
+ 	SendRespAndClose_upnphttp(h);
+ }
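Review bot: in BuildResp2_upnphttp() the `h->res_buflen += bodylen;` line is left outside the new `if(body && (r >= 0))`, so when BuildHeader_upnphttp() returns -1 the memcpy is skipped but res_buflen still grows by bodylen, and the later send will read bodylen bytes past whatever (if anything) was allocated; move the increment inside the conditional or return early on `r < 0`. In BuildSendAndCloseSoapResp() the fallback `BuildResp2_upnphttp(h, 500, "Internal Server Error", NULL, 0);` itself calls BuildHeader_upnphttp() and can fail the same way, after which `SendRespAndClose_upnphttp(h);` runs unconditionally; check that result too, or close the connection without a response. The return-value plumbing inside BuildHeader_upnphttp() and the updated prototype and comment in upnphttp.h look correct.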
diff -Nru miniupnpd-1.8.20140523/debian/patches/series miniupnpd-1.8.20140523/debian/patches/series
--- miniupnpd-1.8.20140523/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/series	2014-12-09 14:37:29.000000000 +0000
@@ -0,0 +1,5 @@
+0010_fix_upnp_add_inboundpinhole.patch
+0020_check_inet_aton_return.patch
+0030_fix_potential_memory_corruption_in_upnpsoap.c_GetListOfPortMappings.patch
+0040_fix_buffer_overrun_in_ParseHttpHeaders.patch
+0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch

--- End Message ---
--- Begin Message ---
Hi,

On Tue, Dec 09, 2014 at 10:49:53PM +0800, Thomas Goirand wrote:
> Please unblock miniupnpd/1.8.20140523-4.

Unblocked.

Cheers,

Ivo

--- End Message ---
