Hi Thomas, and Thomas,

On Fri, Oct 23, 2015 at 12:18:57AM +0200, miniupnp wrote:
> Doesn't the following patch apply?
> 
> https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78
> 
> I think it applies properly on all releases since at least 1.5, maybe even
> before.

I have now uploaded the attached debdiffs to security-master to be released
in a DSA. I can also prepare -- if needed -- an NMU for sid, but
just applying the patch. I guess, though, it would be better to just go
for a new upstream version there.

Regards,
Salvatore
diff -u miniupnpc-1.5/debian/changelog miniupnpc-1.5/debian/changelog
--- miniupnpc-1.5/debian/changelog
+++ miniupnpc-1.5/debian/changelog
@@ -1,3 +1,11 @@
+miniupnpc (1.5-2+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2015-6031: Buffer overflow vulnerability in XML parser functionality
+    (Closes: #802650)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 25 Oct 2015 07:35:29 +0100
+
 miniupnpc (1.5-2) unstable; urgency=low
 
   * libminiupnpc-dev now depends on libminiupnpc5 (Closes: #617774).
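Review bot: the wheezy changelog entry names the CVE and the bug number but not what was changed. Here the fix is applied directly to igd_desc_parse.c rather than through a named patch file as in the jessie upload, so a line naming that file and the upstream commit the change was taken from would make the entry easier to audit later.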
only in patch2:
unchanged:
--- miniupnpc-1.5.orig/igd_desc_parse.c
+++ miniupnpc-1.5/igd_desc_parse.c
@@ -15,7 +15,9 @@
 void IGDstartelt(void * d, const char * name, int l)
 {
        struct IGDdatas * datas = (struct IGDdatas *)d;
-       memcpy( datas->cureltname, name, l);
+       if(l >= MINIUPNPC_URL_MAXSIZE)
+               l = MINIUPNPC_URL_MAXSIZE-1;
+       memcpy(datas->cureltname, name, l);
        datas->cureltname[l] = '\0';
        datas->level++;
        if( (l==7) && !memcmp(name, "service", l) ) {
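Review bot: the new clamp in IGDstartelt bounds l only from above. l is a signed int, so a negative value would still reach memcpy, where it converts to a very large size_t, and would then index before the start of the array in `datas->cureltname[l] = '\0';`. An early `if(l < 0) return;` ahead of the clamp would cover that case. The bound also assumes cureltname is MINIUPNPC_URL_MAXSIZE bytes, which this hunk does not show; comparing against sizeof(datas->cureltname) would keep the check tied to the buffer if its declaration changes. Over-long names are silently truncated rather than rejected, which deserves a short comment in the code.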
diff -Nru miniupnpc-1.9.20140610/debian/changelog 
miniupnpc-1.9.20140610/debian/changelog
--- miniupnpc-1.9.20140610/debian/changelog     2014-07-13 16:43:51.000000000 
+0200
+++ miniupnpc-1.9.20140610/debian/changelog     2015-10-25 07:54:43.000000000 
+0100
@@ -1,3 +1,12 @@
+miniupnpc (1.9.20140610-2+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Add CVE-2015-6031.patch patch.
+    CVE-2015-6031: Buffer overflow vulnerability in XML parser
+    functionality. (Closes: #802650)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 25 Oct 2015 07:49:17 +0100
+
 miniupnpc (1.9.20140610-2) unstable; urgency=medium
 
   * Uploading to unstable.
diff -Nru miniupnpc-1.9.20140610/debian/patches/CVE-2015-6031.patch 
miniupnpc-1.9.20140610/debian/patches/CVE-2015-6031.patch
--- miniupnpc-1.9.20140610/debian/patches/CVE-2015-6031.patch   1970-01-01 
01:00:00.000000000 +0100
+++ miniupnpc-1.9.20140610/debian/patches/CVE-2015-6031.patch   2015-10-25 
07:54:43.000000000 +0100
@@ -0,0 +1,21 @@
+Description: igd_desc_parse.c: fix buffer overflow (CVE-2015-6031)
+Origin: upstream, 
https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78
+Bug-Debian: https://bugs.debian.org/802650
+Forwarded: no
+Author: Thomas Bernard <miniu...@free.fr>
+Last-Update: 2015-10-25
+Applied-Upstream: 1.9.20150917
+---
+--- a/igd_desc_parse.c
++++ b/igd_desc_parse.c
+@@ -15,7 +15,9 @@
+ void IGDstartelt(void * d, const char * name, int l)
+ {
+       struct IGDdatas * datas = (struct IGDdatas *)d;
+-      memcpy( datas->cureltname, name, l);
++      if(l >= MINIUPNPC_URL_MAXSIZE)
++              l = MINIUPNPC_URL_MAXSIZE-1;
++      memcpy(datas->cureltname, name, l);
+       datas->cureltname[l] = '\0';
+       datas->level++;
+       if( (l==7) && !memcmp(name, "service", l) ) {
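Review bot: in the DEP-3 header, `Forwarded: no` sits oddly next to `Origin: upstream` and `Applied-Upstream: 1.9.20150917`. The change was taken from upstream, so `Forwarded: not-needed` (or omitting the field) would describe its status correctly. Since the Author is not the uploader, a `Reviewed-by:` line for the person who backported it would also help record who checked that it applies to 1.9.20140610.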
diff -Nru miniupnpc-1.9.20140610/debian/patches/series 
miniupnpc-1.9.20140610/debian/patches/series
--- miniupnpc-1.9.20140610/debian/patches/series        2014-07-13 
16:43:51.000000000 +0200
+++ miniupnpc-1.9.20140610/debian/patches/series        2015-10-25 
07:54:43.000000000 +0100
@@ -1 +1,2 @@
 correct-typo-in-manpage.patch
+CVE-2015-6031.patch
