
Bug#930357: marked as done (stretch-pu: package miniupnpd/1.8.20140523-4.1+deb9u2 CVE-2019-12107, CVE-2019-12108, CVE-2019-12109, CVE-2019-12110)



Your message dated Mon, 4 Nov 2019 17:37:37 +0100
with message-id <c71f9be1-f958-21cc-5361-28df4e288ed0@debian.org>
and subject line Uploaded
has caused the Debian Bug report #930357,
regarding stretch-pu: package miniupnpd/1.8.20140523-4.1+deb9u2 CVE-2019-12107, CVE-2019-12108, CVE-2019-12109, CVE-2019-12110
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
930357: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930357
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

Please allow me to upload miniupnpd/1.8.20140523-4.1+deb9u2, as the
security team told me the CVEs in the Subject do not need a DSA.

The upload only adds the upstream patches; Stretch doesn't seem to
be affected by CVE-2019-12111. On top of that, the fixed version adds
a change to debian/gbp.conf (only branch names), please allow this to
get in as well, as this simplifies the packaging update tasks.

Debdiff attached, pre-built packages available from here:
http://sid.gplhost.com/stretch-proposed-updates/miniupnpd/

Cheers,

Thomas Goirand (zigo)
diff -Nru miniupnpd-1.8.20140523/debian/changelog miniupnpd-1.8.20140523/debian/changelog
--- miniupnpd-1.8.20140523/debian/changelog	2018-02-07 12:18:50.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/changelog	2019-06-07 09:16:03.000000000 +0200
@@ -1,3 +1,11 @@
+miniupnpd (1.8.20140523-4.1+deb9u2) stretch; urgency=medium
+
+  * Applied upstream patches for CVE-2019-12107, CVE-2019-12108,
+    CVE-2019-12109, CVE-2019-12110. This version looks like not affected by
+    CVE-2019-12111. (Closes: #930050).
+
+ -- Thomas Goirand <zigo@debian.org>  Fri, 07 Jun 2019 09:16:03 +0200
+
 miniupnpd (1.8.20140523-4.1+deb9u1) stretch; urgency=medium
 
   * Apply patch from upstream for CVE-2017-1000494 (Closes: #887129).
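
Review bot: the new changelog entry lists only the four CVE patches, but this debdiff also changes upstream-branch and debian-branch in debian/gbp.conf, and that change is not recorded. Add a line for it. The CVE-2019-12111 sentence ("looks like not affected") would also be more useful to later readers if it said on what basis this version was judged unaffected.
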
diff -Nru miniupnpd-1.8.20140523/debian/gbp.conf miniupnpd-1.8.20140523/debian/gbp.conf
--- miniupnpd-1.8.20140523/debian/gbp.conf	2014-12-09 15:37:29.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/gbp.conf	2019-06-07 09:16:03.000000000 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
-upstream-branch = upstream-sid
-debian-branch = debian-sid
+upstream-branch = upstream-stretch
+debian-branch = debian-stretch
 pristine-tar = True
 
 [git-buildpackage]
diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
--- miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch	1970-01-01 01:00:00.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch	2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,57 @@
+Description: CVE-2019-12107: upnp_event_prepare(): check the return value of snprintf()
+Author: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 18 Dec 2018 22:37:14 +0100
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/bec6ccec63cadc95655721bc0e1dd49dac759d94
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpevents.c
+===================================================================
+--- miniupnpd.orig/upnpevents.c
++++ miniupnpd/upnpevents.c
+@@ -383,19 +383,34 @@ static void upnp_event_prepare(struct up
+ 		l = 0;
+ 	}
+ 	obj->buffersize = 1024;
+-	obj->buffer = malloc(obj->buffersize);
+-	if(!obj->buffer) {
+-		syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare");
+-		if(xml) {
+-			free(xml);
++	for (;;) {
++		obj->buffer = malloc(obj->buffersize);
++		if(!obj->buffer) {
++			syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare");
++			if(xml) {
++				free(xml);
++			}
++			obj->state = EError;
++			return;
+ 		}
+-		obj->state = EError;
+-		return;
++		obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
++		                       obj->path, obj->addrstr, obj->portstr, l+2,
++		                       obj->sub->uuid, obj->sub->seq,
++		                       l, xml);
++		if (obj->tosend < 0) {
++			syslog(LOG_ERR, "%s: snprintf() failed", "upnp_event_prepare");
++			if(xml) {
++				free(xml);
++			}
++			obj->state = EError;
++			return;
++		} else if (obj->tosend < obj->buffersize) {
++			break; /* the buffer was large enough */
++		}
++		/* Try again with a buffer big enough */
++		free(obj->buffer);
++		obj->buffersize = obj->tosend + 1;	/* reserve space for the final 0 */
+ 	}
+-	obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
+-	                       obj->path, obj->addrstr, obj->portstr, l+2,
+-	                       obj->sub->uuid, obj->sub->seq,
+-	                       l, xml);
+ 	if(xml) {
+ 		free(xml);
+ 		xml = NULL;
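
Review bot: in the new `obj->tosend < 0` branch of upnp_event_prepare(), the buffer just returned by malloc() stays in obj->buffer while the function sets EError and returns. Please confirm that the EError teardown frees obj->buffer, or free it in that branch. Two smaller points on the retry path: the second allocation uses `obj->tosend + 1` with no upper bound visible in this hunk, so a cap with an error return would keep the size from being dictated entirely by the formatted arguments; and the three-line cleanup (free(xml), EError, return) now appears twice inside the loop and could share one exit label.
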
diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
--- miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch	1970-01-01 01:00:00.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch	2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,25 @@
+Subject: CVE-2019-12108: GetOutboundPinholeTimeout: check args
+Author: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 18 Dec 2018 22:54:51 +0100
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/13585f15c7f7dc28bbbba1661efb280d530d114c.patch
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpsoap.c
+===================================================================
+--- miniupnpd.orig/upnpsoap.c
++++ miniupnpd/upnpsoap.c
+@@ -1651,6 +1651,13 @@ GetOutboundPinholeTimeout(struct upnphtt
+ 	rem_port = GetValueFromNameValueList(&data, "RemotePort");
+ 	protocol = GetValueFromNameValueList(&data, "Protocol");
+ 
++	if (!int_port || !ext_port || !protocol)
++	{
++		ClearNameValueList(&data);
++		SoapError(h, 402, "Invalid Args");
++		return;
++	}
++
+ 	rport = (unsigned short)atoi(rem_port);
+ 	iport = (unsigned short)atoi(int_port);
+ 	proto = atoi(protocol);
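
Review bot: the added check `if (!int_port || !ext_port || !protocol)` tests ext_port, but the pointer handed to atoi() directly below is rem_port, so a request that omits RemotePort still reaches `atoi(rem_port)` with NULL. The condition should test `!rem_port`. The next patch in this upload (CVE-2019-12109_fix_error_from_commit_13585f1.patch) makes that correction, so the two must always be applied together; folding them into one patch would avoid an intermediate state of the series with the wrong check. The atoi() results are also cast to unsigned short with no range validation, which this hunk leaves as it was.
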
diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch
--- miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch	1970-01-01 01:00:00.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch	2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,20 @@
+Subject: CVE-2019-12109 fix error from commit 13585f15c7f7dc28bbbba1661efb280d530d114c
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 18 Dec 2018 23:47:54 +0100
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/86030db849260dd8fb2ed975b9890aef1b62b692.patch
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpsoap.c
+===================================================================
+--- miniupnpd.orig/upnpsoap.c
++++ miniupnpd/upnpsoap.c
+@@ -1651,7 +1651,7 @@ GetOutboundPinholeTimeout(struct upnphtt
+ 	rem_port = GetValueFromNameValueList(&data, "RemotePort");
+ 	protocol = GetValueFromNameValueList(&data, "Protocol");
+ 
+-	if (!int_port || !ext_port || !protocol)
++	if (!int_port || !rem_port || !protocol)
+ 	{
+ 		ClearNameValueList(&data);
+ 		SoapError(h, 402, "Invalid Args");
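
Review bot: the Subject line only refers to commit 13585f15c7f7dc28bbbba1661efb280d530d114c and does not say what was wrong. State in the header that the NULL check now covers rem_port, the value read from "RemotePort" just above the condition, instead of ext_port. The header also uses From: where the other patches in this upload use Author:, and it should note that it applies on top of CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch.
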
diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch
--- miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch	1970-01-01 01:00:00.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch	2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,21 @@
+Subject: CVE-2019-12110: upnp_redirect(): accept NULL desc argument
+Author: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 18 Dec 2018 22:59:18 +0100
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+diff --git a/upnpredirect.c b/upnpredirect.c
+index 7c179b62..74926f08 100644
+--- a/upnpredirect.c
++++ b/upnpredirect.c
+@@ -279,6 +279,10 @@
+ 		                 "%hu->%s:%hu %s", eport, iaddr, iport, protocol);
+ 		return -3;
+ 	}
++
++	if (desc == NULL)
++		desc = "";      /* assume empty description */
++
+ 	r = get_redirect_rule(ext_if_name, eport, proto,
+ 	                      iaddr_old, sizeof(iaddr_old), &iport_old, 0, 0,
+ 	                      0, 0,
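
Review bot: this patch header has no Origin: field, while the other three CVE patches in the upload each carry one pointing at the upstream commit. Add it so the backport can be traced to its source. The inner hunk header `@@ -279,6 +279,10 @@` also carries no function context and is in git format rather than the Index: form used by the other patches; the Subject names upnp_redirect(), but a regenerated patch in the same format as the rest would make it easier to check where the `desc == NULL` default lands relative to the first use of desc.
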
diff -Nru miniupnpd-1.8.20140523/debian/patches/series miniupnpd-1.8.20140523/debian/patches/series
--- miniupnpd-1.8.20140523/debian/patches/series	2018-02-07 12:18:49.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/series	2019-06-07 09:16:03.000000000 +0200
@@ -5,3 +5,7 @@
 0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch
 0060_iptables_check.patch
 CVE-2017-1000494.patch
+CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
+CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
+CVE-2019-12109_fix_error_from_commit_13585f1.patch
+CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch

--- End Message ---
--- Begin Message ---
Hi Adam,

The package was uploaded at the end of July, and was, as much as I can
tell, accepted, so I'm closing this bug.

Thomas Goirand (zigo)

--- End Message ---
