
Bug#930357: stretch-pu: package miniupnpd/1.8.20140523-4.1+deb9u2 CVE-2019-12107, CVE-2019-12108, CVE-2019-12109, CVE-2019-12110



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

Please allow me to upload miniupnpd/1.8.20140523-4.1+deb9u2, as the
security team told me the CVEs in the Subject do not need a DSA.

The upload only adds the upstream patches, Stretch doesn't seem to
be affected by CVE-2019-12111. On top of that, the fixed version adds
a change to debian/gbp.conf (only branch names), please allow this to
get in as well, as this simplifies the packaging update tasks.

Debdiff attached, pre-built packages available from here:
http://sid.gplhost.com/stretch-proposed-updates/miniupnpd/

Cheers,

Thomas Goirand (zigo)
diff -Nru miniupnpd-1.8.20140523/debian/changelog miniupnpd-1.8.20140523/debian/changelog
--- miniupnpd-1.8.20140523/debian/changelog	2018-02-07 12:18:50.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/changelog	2019-06-07 09:16:03.000000000 +0200
@@ -1,3 +1,11 @@
+miniupnpd (1.8.20140523-4.1+deb9u2) stretch; urgency=medium
+
+  * Applied upstream patches for CVE-2019-12107, CVE-2019-12108,
+    CVE-2019-12109, CVE-2019-12110. This version looks like not affected by
+    CVE-2019-12111. (Closes: #930050).
+
+ -- Thomas Goirand <zigo@debian.org>  Fri, 07 Jun 2019 09:16:03 +0200
+
 miniupnpd (1.8.20140523-4.1+deb9u1) stretch; urgency=medium
 
   * Apply patch from upstream for CVE-2017-1000494 (Closes: #887129).
diff -Nru miniupnpd-1.8.20140523/debian/gbp.conf miniupnpd-1.8.20140523/debian/gbp.conf
--- miniupnpd-1.8.20140523/debian/gbp.conf	2014-12-09 15:37:29.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/gbp.conf	2019-06-07 09:16:03.000000000 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
-upstream-branch = upstream-sid
-debian-branch = debian-sid
+upstream-branch = upstream-stretch
+debian-branch = debian-stretch
 pristine-tar = True
 
 [git-buildpackage]
diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
--- miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch	1970-01-01 01:00:00.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch	2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,57 @@
+Description: CVE-2019-12107: upnp_event_prepare(): check the return value of snprintf()
+Author: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 18 Dec 2018 22:37:14 +0100
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/bec6ccec63cadc95655721bc0e1dd49dac759d94
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpevents.c
+===================================================================
+--- miniupnpd.orig/upnpevents.c
++++ miniupnpd/upnpevents.c
+@@ -383,19 +383,34 @@ static void upnp_event_prepare(struct up
+ 		l = 0;
+ 	}
+ 	obj->buffersize = 1024;
+-	obj->buffer = malloc(obj->buffersize);
+-	if(!obj->buffer) {
+-		syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare");
+-		if(xml) {
+-			free(xml);
++	for (;;) {
++		obj->buffer = malloc(obj->buffersize);
++		if(!obj->buffer) {
++			syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare");
++			if(xml) {
++				free(xml);
++			}
++			obj->state = EError;
++			return;
+ 		}
+-		obj->state = EError;
+-		return;
++		obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
++		                       obj->path, obj->addrstr, obj->portstr, l+2,
++		                       obj->sub->uuid, obj->sub->seq,
++		                       l, xml);
++		if (obj->tosend < 0) {
++			syslog(LOG_ERR, "%s: snprintf() failed", "upnp_event_prepare");
++			if(xml) {
++				free(xml);
++			}
++			obj->state = EError;
++			return;
++		} else if (obj->tosend < obj->buffersize) {
++			break; /* the buffer was large enough */
++		}
++		/* Try again with a buffer big enough */
++		free(obj->buffer);
++		obj->buffersize = obj->tosend + 1;	/* reserve space for the final 0 */
+ 	}
+-	obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
+-	                       obj->path, obj->addrstr, obj->portstr, l+2,
+-	                       obj->sub->uuid, obj->sub->seq,
+-	                       l, xml);
+ 	if(xml) {
+ 		free(xml);
+ 		xml = NULL;
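Review bot: The retry loop added to upnp_event_prepare() relies on snprintf() returning the length the whole message would have needed, and nothing in the hunk records that; a comment above `for (;;)` such as `/* snprintf() returns the untruncated length, so one retry with tosend + 1 bytes is enough */` would explain why the loop ends and why tosend can no longer exceed the allocated buffer. The error cleanup (`free(xml)`, `obj->state = EError`, `return`) is now written out twice, in the malloc branch and in the snprintf branch, and the `if(xml)` guard around `free(xml)` is unnecessary because free(NULL) is a no-op. The declarations of `tosend` and `buffersize` are outside the hunk, so it is worth confirming that `obj->tosend < obj->buffersize` compares two values of the same signedness. The function starts and ends outside the hunk.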
diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
--- miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch	1970-01-01 01:00:00.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch	2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,25 @@
+Subject: CVE-2019-12108: GetOutboundPinholeTimeout: check args
+Author: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 18 Dec 2018 22:54:51 +0100
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/13585f15c7f7dc28bbbba1661efb280d530d114c.patch
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpsoap.c
+===================================================================
+--- miniupnpd.orig/upnpsoap.c
++++ miniupnpd/upnpsoap.c
+@@ -1651,6 +1651,13 @@ GetOutboundPinholeTimeout(struct upnphtt
+ 	rem_port = GetValueFromNameValueList(&data, "RemotePort");
+ 	protocol = GetValueFromNameValueList(&data, "Protocol");
+ 
++	if (!int_port || !ext_port || !protocol)
++	{
++		ClearNameValueList(&data);
++		SoapError(h, 402, "Invalid Args");
++		return;
++	}
++
+ 	rport = (unsigned short)atoi(rem_port);
+ 	iport = (unsigned short)atoi(int_port);
+ 	proto = atoi(protocol);
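Review bot: The guard added before the `atoi()` calls rejects only missing arguments; a value that is not a number, or that falls outside 0-65535, still goes through `(unsigned short)atoi(rem_port)` and `(unsigned short)atoi(int_port)` and is silently truncated. Parsing with strtol() (using a local `long` and `char *`) and answering with the same 402 error on failure would close that gap, as sketched below; if an empty value is meant to be accepted, that case has to be kept explicitly. As written in this patch the guard tests `ext_port` while the value passed to atoi() is `rem_port`; the CVE-2019-12109 patch later in this debdiff corrects that, so the two patches must stay together and in this order in debian/patches/series. GetOutboundPinholeTimeout() starts and ends outside the hunk.

```c
	/* … unchanged: NULL guard on the three arguments … */
	errno = 0;
	lval = strtol(rem_port, &end, 10);
	if (end == rem_port || *end != '\0' || errno == ERANGE
	   || lval < 0 || lval > 65535)
	{
		ClearNameValueList(&data);
		SoapError(h, 402, "Invalid Args");
		return;
	}
	rport = (unsigned short)lval;
	/* … same parse-and-range check for int_port and protocol … */
```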
diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch
--- miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch	1970-01-01 01:00:00.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch	2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,20 @@
+Subject: CVE-2019-12109 fix error from commit 13585f15c7f7dc28bbbba1661efb280d530d114c
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 18 Dec 2018 23:47:54 +0100
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/86030db849260dd8fb2ed975b9890aef1b62b692.patch
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpsoap.c
+===================================================================
+--- miniupnpd.orig/upnpsoap.c
++++ miniupnpd/upnpsoap.c
+@@ -1651,7 +1651,7 @@ GetOutboundPinholeTimeout(struct upnphtt
+ 	rem_port = GetValueFromNameValueList(&data, "RemotePort");
+ 	protocol = GetValueFromNameValueList(&data, "Protocol");
+ 
+-	if (!int_port || !ext_port || !protocol)
++	if (!int_port || !rem_port || !protocol)
+ 	{
+ 		ClearNameValueList(&data);
+ 		SoapError(h, 402, "Invalid Args");
diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch
--- miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch	1970-01-01 01:00:00.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch	2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,21 @@
+Subject: CVE-2019-12110: upnp_redirect(): accept NULL desc argument
+Author: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 18 Dec 2018 22:59:18 +0100
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+diff --git a/upnpredirect.c b/upnpredirect.c
+index 7c179b62..74926f08 100644
+--- a/upnpredirect.c
++++ b/upnpredirect.c
+@@ -279,6 +279,10 @@
+ 		                 "%hu->%s:%hu %s", eport, iaddr, iport, protocol);
+ 		return -3;
+ 	}
++
++	if (desc == NULL)
++		desc = "";      /* assume empty description */
++
+ 	r = get_redirect_rule(ext_if_name, eport, proto,
+ 	                      iaddr_old, sizeof(iaddr_old), &iport_old, 0, 0,
+ 	                      0, 0,
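Review bot: This patch header has no `Origin:` field, unlike the three other CVE patches in this upload, so the change cannot be traced to an upstream commit from the header alone; add `Origin: upstream, <upstream-commit-URL>` (a placeholder, since the URL is not on this page). The inner hunk header `@@ -279,6 +279,10 @@` carries no function name either, so the Subject line is the only statement that the change is in upnp_redirect(). In the code, `if (desc == NULL)` is placed after the early `return -3` path; whether `desc` is read anywhere before that point lies outside the hunk and should be confirmed against the full function.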
diff -Nru miniupnpd-1.8.20140523/debian/patches/series miniupnpd-1.8.20140523/debian/patches/series
--- miniupnpd-1.8.20140523/debian/patches/series	2018-02-07 12:18:49.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/series	2019-06-07 09:16:03.000000000 +0200
@@ -5,3 +5,7 @@
 0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch
 0060_iptables_check.patch
 CVE-2017-1000494.patch
+CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
+CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
+CVE-2019-12109_fix_error_from_commit_13585f1.patch
+CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch
