Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu X-Debbugs-CC: Thomas Goirand <zigo@debian.org> Hi, The attached debdiff fixes #816759 (minissdpd: CVE-2016-3178 CVE-2016-3179) for jessie. Both CVEs are tagged 'no-DSA' by the security team. Thanks, James -- System Information: Debian Release: stretch/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system)
diff -Nru minissdpd-1.2.20130907/debian/changelog minissdpd-1.2.20130907/debian/changelog
--- minissdpd-1.2.20130907/debian/changelog 2014-07-14 08:02:57.000000000 +0100
+++ minissdpd-1.2.20130907/debian/changelog 2016-10-24 22:46:46.000000000 +0100
@@ -1,3 +1,15 @@
+minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759)
+ The minissdpd daemon contains a improper validation of array index
+ vulnerability (CWE-129) when processing requests sent to the Unix
+ socket at /var/run/minissdpd.sock the Unix socket can be accessed
+ by an unprivileged user to send invalid request causes an
+ out-of-bounds memory access that crashes the minissdpd daemon.
+
+ -- James Cowgill <jcowgill@debian.org> Mon, 24 Oct 2016 22:46:46 +0100
+
minissdpd (1.2.20130907-3) unstable; urgency=medium
* Removed $all from init.d script.
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 1970-01-01 01:00:00.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 2016-10-24 22:43:23.000000000 +0100
@@ -0,0 +1,95 @@
+Description: Fix CVE-2016-3178
+ buffer overflow while handling negative length request
+Author: Salva Peiró <speirofr@gmail.com>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
++++ b/minissdpd.c
+@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req
+ type = buf[0];
+ p = buf + 1;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+@@ -661,7 +661,7 @@ void processRequest(struct reqelem * req
+ goto error;
+ }
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+@@ -679,7 +679,7 @@ void processRequest(struct reqelem * req
+ newserv->usn[l] = '\0';
+ p += l;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+@@ -697,7 +697,7 @@ void processRequest(struct reqelem * req
+ newserv->server[l] = '\0';
+ p += l;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+--- a/testminissdpd.c
++++ b/testminissdpd.c
+@@ -45,6 +45,23 @@ void printresponse(const unsigned char *
+ #define SENDCOMMAND(command, size) write(s, command, size); \
+ printf("Command written type=%u\n", (unsigned)command[0]);
+
++int connect_unix_socket(const char * sockpath)
++{
++ int s;
++ struct sockaddr_un addr;
++
++ s = socket(AF_UNIX, SOCK_STREAM, 0);
++ addr.sun_family = AF_UNIX;
++ strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path));
++ if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 0) {
++ fprintf(stderr, "connecting to %s : ", addr.sun_path);
++ perror("connect");
++ exit(1);
++ }
++ printf("Connected to %s\n", addr.sun_path);
++ return s;
++}
++
+ /* test program for minissdpd */
+ int
+ main(int argc, char * * argv)
+@@ -52,6 +69,7 @@ main(int argc, char * * argv)
+ char command1[] = "\x01\x00urn:schemas-upnp-org:device:InternetGatewayDevice";
+ char command2[] = "\x02\x00uuid:fc4ec57e-b051-11db-88f8-0060085db3f6::upnp:rootdevice";
+ char command3[] = { 0x03, 0x00 };
++ const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f};
+ struct sockaddr_un addr;
+ int s;
+ int i;
+@@ -89,6 +107,15 @@ main(int argc, char * * argv)
+ n = read(s, buf, sizeof(buf));
+ printf("Response received %d bytes\n", (int)n);
+ printresponse(buf, n);
++ if(n == 0) {
++ close(s);
++ s = connect_unix_socket(sockpath);
++ }
++
++ n = SENDCOMMAND(bad_command4, sizeof(bad_command4));
++ n = read(s, buf, sizeof(buf));
++ printf("Response received %d bytes\n", (int)n);
++ printresponse(buf, n);
+
+ close(s);
+ return 0;
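Review bot: The rewritten bound check `if(l > (unsigned)(buf+n-p))` at each of the four minissdpd.c hunks relies on `p` never being past `buf+n`; if DECODELENGTH_CHECKLIMIT can leave `p` beyond the end of the buffer (its definition is not visible here), the negative pointer difference converts to a large unsigned value and the check silently passes. A guard that does not depend on that invariant is `if(p > buf+n || l > (unsigned)(buf+n-p))`, applied at all four sites. In the new `connect_unix_socket` helper in testminissdpd.c, `addr` is never zeroed and `strncpy` into `sun_path` does not guarantee NUL termination for a long path, and the `socket()` result is handed to `connect()` unchecked; adding `memset(&addr, 0, sizeof addr);` before the copy and `if(s < 0) { perror("socket"); exit(1); }` after the socket call would make the test harness fail cleanly instead of connecting through a bad descriptor or an unterminated path. processRequest's body starts and ends outside these hunks.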
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch 1970-01-01 01:00:00.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch 2016-10-24 22:43:23.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Fix CVE-2016-3179
+ freeing of uninitialized pointer
+Author: Salva Peiró <speirofr@gmail.com>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
++++ b/minissdpd.c
+@@ -644,6 +644,7 @@ void processRequest(struct reqelem * req
+ syslog(LOG_ERR, "cannot allocate memory");
+ goto error;
+ }
++ memset(newserv, 0, sizeof(struct service)); /* set pointers to NULL */
+ if(containsForbiddenChars(p, l)) {
+ syslog(LOG_ERR, "bad request (st contains forbidden chars)");
+ goto error;
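Review bot: The added `memset(newserv, 0, sizeof(struct service))` could instead be folded into the allocation a few lines above (outside this hunk) with `newserv = calloc(1, sizeof *newserv);`, which removes the gap between allocation and zeroing and ties the size to the variable's type rather than a spelled-out struct name. If the malloc call is kept, `sizeof *newserv` is the preferred form for the same reason. The error path that presumably frees the member pointers this zeroing protects is not visible in the hunk, so the completeness of the fix cannot be confirmed from here; processRequest begins and ends outside the hunk.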
diff -Nru minissdpd-1.2.20130907/debian/patches/series minissdpd-1.2.20130907/debian/patches/series
--- minissdpd-1.2.20130907/debian/patches/series 2014-07-14 08:02:57.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/series 2016-10-24 22:43:23.000000000 +0100
@@ -1,2 +1,4 @@
link-with-lfreebsd-glue.patch
using-LDFLAGS-in-Makefile.patch
+CVE-2016-3178.patch
+CVE-2016-3179.patch