Control: tags -1 pending

Hi,
I have uploaded the attached NMU to fix this bug. It was mostly based on the fix already present in wheezy-lts (the CVE patches are identical). I've done some basic testing of the patches, and they fix the buffer overflow that can be triggered as described earlier in the bug report. I'll see what I can do about fixing this in jessie as well. Thanks, James
diff -Nru minissdpd-1.2.20130907/debian/changelog minissdpd-1.2.20130907/debian/changelog
--- minissdpd-1.2.20130907/debian/changelog 2016-07-13 19:12:39.000000000 +0100
+++ minissdpd-1.2.20130907/debian/changelog 2016-10-24 08:54:59.000000000 +0100
@@ -1,3 +1,15 @@
+minissdpd (1.2.20130907-3.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759)
+ The minissdpd daemon contains a improper validation of array index
+ vulnerability (CWE-129) when processing requests sent to the Unix
+ socket at /var/run/minissdpd.sock the Unix socket can be accessed
+ by an unprivileged user to send invalid request causes an
+ out-of-bounds memory access that crashes the minissdpd daemon.
+
+ -- James Cowgill <jcowg...@debian.org> Mon, 24 Oct 2016 08:54:59 +0100
+
 minissdpd (1.2.20130907-3.1) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 1970-01-01 01:00:00.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 2016-10-24 08:54:59.000000000 +0100
@@ -0,0 +1,95 @@
+Description: Fix CVE-2016-3178
+ buffer overflow while handling negative length request
+Author: Salva Peiró <speir...@gmail.com>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
++++ b/minissdpd.c
+@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req
+ type = buf[0];
+ p = buf + 1;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+@@ -661,7 +661,7 @@ void processRequest(struct reqelem * req
+ goto error;
+ }
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+@@ -679,7 +679,7 @@ void processRequest(struct reqelem * req
+ newserv->usn[l] = '\0';
+ p += l;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+@@ -697,7 +697,7 @@ void processRequest(struct reqelem * req
+ newserv->server[l] = '\0';
+ p += l;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+--- a/testminissdpd.c
++++ b/testminissdpd.c
+@@ -45,6 +45,23 @@ void printresponse(const unsigned char *
+ #define SENDCOMMAND(command, size) write(s, command, size); \
+ printf("Command written type=%u\n", (unsigned)command[0]);
+ 
++int connect_unix_socket(const char * sockpath)
++{
++ int s;
++ struct sockaddr_un addr;
++
++ s = socket(AF_UNIX, SOCK_STREAM, 0);
++ addr.sun_family = AF_UNIX;
++ strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path));
++ if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 0) {
++ fprintf(stderr, "connecting to %s : ", addr.sun_path);
++ perror("connect");
++ exit(1);
++ }
++ printf("Connected to %s\n", addr.sun_path);
++ return s;
++}
++
+ /* test program for minissdpd */
+ int
+ main(int argc, char * * argv)
+@@ -52,6 +69,7 @@ main(int argc, char * * argv)
+ char command1[] = "\x01\x00urn:schemas-upnp-org:device:InternetGatewayDevice";
+ char command2[] = "\x02\x00uuid:fc4ec57e-b051-11db-88f8-0060085db3f6::upnp:rootdevice";
+ char command3[] = { 0x03, 0x00 };
++ const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f};
+ struct sockaddr_un addr;
+ int s;
+ int i;
+@@ -89,6 +107,15 @@ main(int argc, char * * argv)
+ n = read(s, buf, sizeof(buf));
+ printf("Response received %d bytes\n", (int)n);
+ printresponse(buf, n);
++ if(n == 0) {
++ close(s);
++ s = connect_unix_socket(sockpath);
++ }
++
++ n = SENDCOMMAND(bad_command4, sizeof(bad_command4));
++ n = read(s, buf, sizeof(buf));
++ printf("Response received %d bytes\n", (int)n);
++ printresponse(buf, n);
+ 
+ close(s);
+ return 0;
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch 1970-01-01 01:00:00.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch 2016-10-24 08:54:59.000000000 +0100
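Review bot: `connect_unix_socket` in the testminissdpd.c part of the new patch never checks the `socket()` return value and fills `sun_path` with `strncpy`, which leaves the field unterminated when `sockpath` is as long as the buffer, so the `%s` in the later `fprintf` of `addr.sun_path` can read past it. I would zero the address and bound the copy, `memset(&addr, 0, sizeof(addr));` and `snprintf(addr.sun_path, sizeof(addr.sun_path), "%s", sockpath);`, and bail out with `if(s < 0) { perror("socket"); exit(1); }` before `connect`. On the daemon side, the rewrite to `l > (unsigned)(buf+n-p)` is only sound if `DECODELENGTH_CHECKLIMIT` guarantees `p <= buf+n` on exit, since a negative difference cast to unsigned would let any `l` pass; that macro is outside the hunk, so it is worth confirming. `processRequest` and `main` both begin and end outside the hunk.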
@@ -0,0 +1,17 @@
+Description: Fix CVE-2016-3179
+ freeing of uninitialized pointer
+Author: Salva Peiró <speir...@gmail.com>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
++++ b/minissdpd.c
+@@ -644,6 +644,7 @@ void processRequest(struct reqelem * req
+ syslog(LOG_ERR, "cannot allocate memory");
+ goto error;
+ }
++ memset(newserv, 0, sizeof(struct service)); /* set pointers to NULL */
+ if(containsForbiddenChars(p, l)) {
+ syslog(LOG_ERR, "bad request (st contains forbidden chars)");
+ goto error;
diff -Nru minissdpd-1.2.20130907/debian/patches/series minissdpd-1.2.20130907/debian/patches/series
--- minissdpd-1.2.20130907/debian/patches/series 2014-07-14 08:02:57.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/series 2016-10-24 08:54:59.000000000 +0100
@@ -1,2 +1,4 @@
 link-with-lfreebsd-glue.patch
 using-LDFLAGS-in-Makefile.patch
+CVE-2016-3178.patch
+CVE-2016-3179.patch
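Review bot: The added `memset(newserv, 0, sizeof(struct service))` is correctly placed after the allocation-failure check, but zero-initialising at the allocation site with `calloc(1, sizeof *newserv)` would tie the fix to the allocation itself, so that any error path later inserted between the two statements could not free indeterminate members. The allocation line is outside this hunk (the hunk starts at its failure branch), so that would change a line the patch does not touch. If the `memset` stays, `sizeof *newserv` instead of `sizeof(struct service)` keeps the size tied to the variable's type. `processRequest` begins and ends outside the hunk.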