
Bug#841979: marked as done (jessie-pu: package minissdpd/1.2.20130907-3)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #841979,
regarding jessie-pu: package minissdpd/1.2.20130907-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
841979: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841979
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: Thomas Goirand <zigo@debian.org>

Hi,

The attached debdiff fixes #816759 (minissdpd: CVE-2016-3178
CVE-2016-3179) for jessie. Both CVEs are tagged 'no-DSA' by the security
team.

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru minissdpd-1.2.20130907/debian/changelog minissdpd-1.2.20130907/debian/changelog
--- minissdpd-1.2.20130907/debian/changelog	2014-07-14 08:02:57.000000000 +0100
+++ minissdpd-1.2.20130907/debian/changelog	2016-10-24 22:46:46.000000000 +0100
@@ -1,3 +1,15 @@
+minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759)
+    The minissdpd daemon contains a improper validation of array index
+    vulnerability (CWE-129) when processing requests sent to the Unix
+    socket at /var/run/minissdpd.sock the Unix socket can be accessed
+    by an unprivileged user to send invalid request causes an
+    out-of-bounds memory access that crashes the minissdpd daemon.
+
+ -- James Cowgill <jcowgill@debian.org>  Mon, 24 Oct 2016 22:46:46 +0100
+
 minissdpd (1.2.20130907-3) unstable; urgency=medium
 
   * Removed $all from init.d script.
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch	1970-01-01 01:00:00.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch	2016-10-24 22:43:23.000000000 +0100
@@ -0,0 +1,95 @@
+Description: Fix CVE-2016-3178
+ buffer overflow while handling negative length request
+Author: Salva Peiró <speirofr@gmail.com>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
++++ b/minissdpd.c
+@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req
+ 	type = buf[0];
+ 	p = buf + 1;
+ 	DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-	if(p+l > buf+n) {
++	if(l > (unsigned)(buf+n-p)) {
+ 		syslog(LOG_WARNING, "bad request (length encoding)");
+ 		goto error;
+ 	}
+@@ -661,7 +661,7 @@ void processRequest(struct reqelem * req
+ 			goto error;
+ 		}
+ 		DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-		if(p+l > buf+n) {
++		if(l > (unsigned)(buf+n-p)) {
+ 			syslog(LOG_WARNING, "bad request (length encoding)");
+ 			goto error;
+ 		}
+@@ -679,7 +679,7 @@ void processRequest(struct reqelem * req
+ 		newserv->usn[l] = '\0';
+ 		p += l;
+ 		DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-		if(p+l > buf+n) {
++		if(l > (unsigned)(buf+n-p)) {
+ 			syslog(LOG_WARNING, "bad request (length encoding)");
+ 			goto error;
+ 		}
+@@ -697,7 +697,7 @@ void processRequest(struct reqelem * req
+ 		newserv->server[l] = '\0';
+ 		p += l;
+ 		DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-		if(p+l > buf+n) {
++		if(l > (unsigned)(buf+n-p)) {
+ 			syslog(LOG_WARNING, "bad request (length encoding)");
+ 			goto error;
+ 		}
+--- a/testminissdpd.c
++++ b/testminissdpd.c
+@@ -45,6 +45,23 @@ void printresponse(const unsigned char *
+ #define SENDCOMMAND(command, size) write(s, command, size); \
+               printf("Command written type=%u\n", (unsigned)command[0]);
+ 
++int connect_unix_socket(const char * sockpath)
++{
++	int s;
++	struct sockaddr_un addr;
++
++	s = socket(AF_UNIX, SOCK_STREAM, 0);
++	addr.sun_family = AF_UNIX;
++	strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path));
++	if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 0) {
++		fprintf(stderr, "connecting to %s : ", addr.sun_path);
++		perror("connect");
++		exit(1);
++	}
++	printf("Connected to %s\n", addr.sun_path);
++	return s;
++}
++
+ /* test program for minissdpd */
+ int
+ main(int argc, char * * argv)
+@@ -52,6 +69,7 @@ main(int argc, char * * argv)
+ 	char command1[] = "\x01\x00urn:schemas-upnp-org:device:InternetGatewayDevice";
+ 	char command2[] = "\x02\x00uuid:fc4ec57e-b051-11db-88f8-0060085db3f6::upnp:rootdevice";
+ 	char command3[] = { 0x03, 0x00 };
++        const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f};
+ 	struct sockaddr_un addr;
+ 	int s;
+ 	int i;
+@@ -89,6 +107,15 @@ main(int argc, char * * argv)
+ 	n = read(s, buf, sizeof(buf));
+ 	printf("Response received %d bytes\n", (int)n);
+ 	printresponse(buf, n);
++	if(n == 0) {
++		close(s);
++		s = connect_unix_socket(sockpath);
++	}
++
++	n = SENDCOMMAND(bad_command4, sizeof(bad_command4));
++	n = read(s, buf, sizeof(buf));
++	printf("Response received %d bytes\n", (int)n);
++	printresponse(buf, n);
+ 
+ 	close(s);
+ 	return 0;
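Review bot: In the new `connect_unix_socket` in testminissdpd.c the return value of `socket()` is never checked, and `strncpy` into `addr.sun_path` leaves the field unterminated when `sockpath` fills it completely, so the `connect` error message and the later `printf` can read past the end of the struct. Add `if(s < 0) { perror("socket"); exit(1); }` after the socket call, zero the address first with `memset(&addr, 0, sizeof(addr));` (assuming <string.h> is already included, as the existing strncpy use in main suggests), and reject over-long paths with `if(strlen(sockpath) >= sizeof(addr.sun_path)) { fprintf(stderr, "socket path too long: %s\n", sockpath); exit(1); }`. The added `bad_command4` declaration in main is indented with spaces while the surrounding lines use tabs. The four `processRequest` hunks are the CVE fix itself and are sound provided `DECODELENGTH_CHECKLIMIT` guarantees `p <= buf + n` before the subtraction, which this excerpt does not show.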
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch	1970-01-01 01:00:00.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch	2016-10-24 22:43:23.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Fix CVE-2016-3179
+ freeing of uninitialized pointer
+Author: Salva Peiró <speirofr@gmail.com>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
++++ b/minissdpd.c
+@@ -644,6 +644,7 @@ void processRequest(struct reqelem * req
+ 			syslog(LOG_ERR, "cannot allocate memory");
+ 			goto error;
+ 		}
++		memset(newserv, 0, sizeof(struct service));	/* set pointers to NULL */
+ 		if(containsForbiddenChars(p, l)) {
+ 			syslog(LOG_ERR, "bad request (st contains forbidden chars)");
+ 			goto error;
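Review bot: The added `memset(newserv, 0, sizeof(struct service))` is correct but is separated from the allocation it completes (presumably the `malloc` just above the hunk), so a reader must connect the two; folding them into `newserv = calloc(1, sizeof *newserv);` would zero the struct at allocation time and tie the size to the pointer's type. If the separate memset is kept, `sizeof *newserv` is preferable to `sizeof(struct service)` for the same reason, and the comment should say why the zeroing matters: `/* zero so the error path never frees an uninitialized member pointer */`. The enclosing processRequest begins and ends outside the hunk.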
diff -Nru minissdpd-1.2.20130907/debian/patches/series minissdpd-1.2.20130907/debian/patches/series
--- minissdpd-1.2.20130907/debian/patches/series	2014-07-14 08:02:57.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/series	2016-10-24 22:43:23.000000000 +0100
@@ -1,2 +1,4 @@
 link-with-lfreebsd-glue.patch
 using-LDFLAGS-in-Makefile.patch
+CVE-2016-3178.patch
+CVE-2016-3179.patch

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
