I reviewed gupnp 1.2.1-1 as checked in to eoan. This isn't a full security audit, but rather a quick gauge of maintainability.
- gupnp is a gobject-based library for implementing and consuming UPnP services, and is required by Rygel.
- It's part of the GNOME project.
- It's written in C.
- One CVE in our database from 2009 (a DoS). Doesn't affect current releases, although it doesn't look like it was fixed in Ubuntu before the affected releases went EoL.
- Build-dependencies in main except for libgssdp-doc and libgssdp-1.2-dev (bug 1799977). Also gnome-pkg-tools, meson, valac, gtk-doc-tools, docbook-xml, docbook-xsl - none of these create binary dependencies.
- No maintainer scripts.
- No init scripts / systemd units.
- No dbus services.
- No setuid binaries.
- Only binary is gupnp-binding-tool-1.2 in libgupnp-1.2-dev.
- No sudo fragments.
- No udev rules.
- There are a few tests that seem to run in the build.
- No cron jobs.
- Build logs clean other than some documentation warnings.
- Lintian clean.
- Doesn't spawn any subprocesses.
- Memory management looks ok - there is a g_malloc in strip_camel_case that allocates memory based on a multiplication that isn't overflow safe, but the source of this isn't attacker controlled and I don't think it can overflow anyway.
- The only file IO it seems to do is using glib's GMappedFile API, which is used for providing file contents to libsoup for hosting local files. See below for how paths are looked up.
- Not much logging - a few g_debugs (not enabled by default) and some g_message calls. It doesn't look like anything sensitive is logged.
- Reads a couple of variables from the environment - GUPNP_DEBUG and GUPNP_DEBUG_NETLINK. The first one enables logging to stdout of headers + request/response bodies in libsoup, and enables reporting of warnings and errors in libxml when loading local XML files. The second one enables the dumping of netlink packets to stdout.
- Doesn't call any privileged commands.
- No crypto.
- Doesn't use temporary files.
- GUPnPContext creates a HTTP server using libsoup. There is one GUPnPContext per network interface, created and managed by GUPnPContextManager. The availability of services is advertised via SSDP (using gssdp - GUPnPContext sub-classes GSSDPClient for this).
- The default handler just returns 404.
- It provides a simple API for hosting local paths for read access. The default libsoup handler (host_path_handler) for this supports directory listing and automatic redirection to index.html for paths to directories. This API is used by root device instances to host device and service XML descriptions.
- host_path_handler() uses construct_local_path() to build a local file path, which just appends the request path to the handler's base path. It's relying on a feature of libsoup to not be vulnerable to path traversal attacks, which I've tested and seems to work.
- GUPnPContext provides a mechanism to register handler functions for specific server paths, which is used by service instances to implement action handlers. I believe rygel also uses this for hosting media files.
- It provides a mechanism for applications to implement ACLs by registering an ACL handler, which is called before server handler functions are executed. The ACL handler can make access control decisions based on source IP / source user agent and request path.
- The 2 handlers registered by each service instance can be protected with ACLs.
- The control handler function for each service instance (control_server_handler) parses the HTTP body with xmlRecoverMemory. This doesn't perform replacement of entity references with content by default, which is good. It converts requests to gobject signals which are delivered to application code, or returns a 401 if the request doesn't have a corresponding gobject signal handler.
- A service instance provides a way for clients to subscribe to events (via subscription_server_handler). A subscription is referenced by a SID, which is a uuid created by uuid_generate(). The SID is used in order to unsubscribe and provided in the event notification headers. Subscriptions time out and are automatically removed after 5 minutes, unless the client resubscribes with the same SID.
- The subscribe() handler calls gupnp_context_rewrite_url() on each callback URL, which are provided by the requesting client device. This function extracts the host from the URL, constructs a GInetAddress instance by calling g_inet_address_new_from_string() with this host string and then calls g_inet_address_get_is_link_local() without any null check. Won't g_inet_address_new_from_string() fail if the host isn't a valid IPv4 or IPv6 address though?
- The default GUPnPContextManager implementation uses NETLINK_ROUTE for observing network interface changes to manage GUPnPContext instances. There is a network manager implementation, but it doesn't look like it's built.
- No webkit.
- No policykit.
- No sql.
- Parses XML - doesn't appear to use unsafe options such as XML_PARSE_NOENT.
- No configuration files.
- No fs capabilities.

Security team ACK for promoting gupnp to main, although I'd like someone to take a look at the issue I mentioned with the subscribe() handler.

** Changed in: gupnp (Ubuntu)
   Assignee: Chris Coulson (chrisccoulson) => (unassigned)

https://bugs.launchpad.net/bugs/1799974
Title: [MIR] gupnp
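As an added example that is not gupnp's own code, this is the shape a null-safe version of the link-local check on subscription callback URLs described above would take: the host is extracted from the URL, parsed as an address literal (g_inet_address_new_from_string() is modelled here with inet_pton(), which also only accepts literals), and an unparsable host yields an explicit HOST_INVALID result instead of a NULL object reaching the link-local test. The function names, the enum and the URL samples in the comments are constructed for illustration.

```c
/* Added example, not gupnp's code: a null-safe version of the link-local
 * check the reviewer describes for subscription callback URLs.
 * g_inet_address_new_from_string() is modelled with inet_pton(). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

/* Outcome of classifying the host part of a callback URL. */
typedef enum { HOST_INVALID, HOST_LINK_LOCAL, HOST_ROUTABLE } host_class_t;

/* Copy the host of "scheme://host[:port]/path" into buf; 0 on failure. */
static int extract_host(const char *url, char *buf, size_t len) {
    const char *p = strstr(url, "://");
    const char *end;
    if (!p) return 0;
    p += 3;
    if (*p == '[') {                     /* bracketed IPv6 literal */
        p++;
        end = strchr(p, ']');
        if (!end) return 0;
    } else {
        end = p + strcspn(p, ":/");
    }
    size_t n = (size_t)(end - p);
    if (n == 0 || n >= len) return 0;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 1;
}

/* Parse the host as an IPv4/IPv6 literal and classify it. A hostname or
 * malformed URL yields HOST_INVALID; this is the case where
 * g_inet_address_new_from_string() returns NULL and must be checked. */
host_class_t classify_callback_host(const char *url) {
    char host[64];
    struct in_addr v4;
    struct in6_addr v6;
    if (!extract_host(url, host, sizeof host)) return HOST_INVALID;
    if (inet_pton(AF_INET, host, &v4) == 1) {
        const unsigned char *b = (const unsigned char *)&v4;  /* 169.254/16 */
        return (b[0] == 169 && b[1] == 254) ? HOST_LINK_LOCAL : HOST_ROUTABLE;
    }
    if (inet_pton(AF_INET6, host, &v6) == 1) {                /* fe80::/10 */
        int ll = v6.s6_addr[0] == 0xfe && (v6.s6_addr[1] & 0xc0) == 0x80;
        return ll ? HOST_LINK_LOCAL : HOST_ROUTABLE;
    }
    return HOST_INVALID;
}
```

With a constructed callback URL such as http://[fe80::1]:8080/cb the function returns HOST_LINK_LOCAL, while a URL whose host is a name like mediaserver.local (which inet_pton, like g_inet_address_new_from_string(), does not resolve) returns HOST_INVALID rather than crashing.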