Your message dated Sun, 06 Jul 2008 17:39:24 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#441082: fixed in linux-igd 1.0+cvs20070630-1
has caused the Debian Bug report #441082,
regarding linux-igd does not restrict itself to the internal interface
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
441082: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=441082
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: linux-igd
Version: 0.cvs20060201-2
Severity: important
Tags: security, patch
linux-igd listens for UDP multicast packets but does not restrict
itself to just the internal interface (which has to be specified in
any case), thereby opening itself to possible external requests for
port forwarding. In many cases this would be blocked by firewalling
rules on the same machine as the daemon, so would not be any issue
there.
This can be fixed with a simple bind() or SO_BINDTODEVICE as in the
attached patch. Note that this patch is against the latest CVS, but
should be correct for the Debian versions.
Note that a more recent version of linux-igd has been packaged for Debian here:
http://mentors.debian.net/cgi-bin/sponsor-pkglist?action=details;package=linux-igd
Index: util.c
===================================================================
RCS file: /cvsroot/linux-igd/linux-igd/util.c,v
retrieving revision 1.3
diff -u -r1.3 util.c
--- util.c 1 Aug 2006 22:48:00 -0000 1.3
+++ util.c 6 Sep 2007 15:25:34 -0000
@@ -8,10 +8,11 @@
#include <netinet/in.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
+#include <unistd.h>
#include "globals.h"
-static int get_sockfd(void)
+static int get_sockfd(const char *ifname)
{
static int sockfd = -1;
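Review bot: get_sockfd() keeps its descriptor in "static int sockfd", so if the socket is created once and reused, as the static suggests, the new ifname argument only takes effect on the first call; a later call with a different name gets back the socket bound for the first one. Either document that the function is only ever called with the internal interface name, or remember the bound name next to the descriptor and rebind when it changes. The one caller visible further down uses this socket for an interface address lookup, so the description should also confirm that this is the socket on which the multicast requests actually arrive.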
@@ -22,18 +23,26 @@
perror("user: socket creating failed");
return (-1);
}
+
+ if (setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, ifname, sizeof(ifname)))
+ {
+ perror("could not bind to device");
+ close(sockfd);
+ return (-1);
+ }
+
}
return sockfd;
}
-int GetIpAddressStr(char *address, char *ifname)
+int GetIpAddressStr(char *address, const char *ifname)
{
struct ifreq ifr;
struct sockaddr_in *saddr;
int fd;
int succeeded = 0;
- fd = get_sockfd();
+ fd = get_sockfd(ifname);
if (fd >= 0 )
{
strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
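Review bot: sizeof(ifname) in the setsockopt() call is the size of a const char * (4 or 8 bytes), not the length of the interface name, so a name longer than that is cut short before the kernel looks it up, and a shorter one makes the call read past the string's terminator. Pass strlen(ifname) + 1 instead. In the error path, sockfd is static and still holds the closed descriptor number after close(sockfd); set it back to -1 before returning.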
Index: util.h
===================================================================
RCS file: /cvsroot/linux-igd/linux-igd/util.h,v
retrieving revision 1.3
diff -u -r1.3 util.h
--- util.h 1 Aug 2006 22:48:00 -0000 1.3
+++ util.h 6 Sep 2007 15:25:34 -0000
@@ -1,8 +1,8 @@
#ifndef _UTIL_H_
#define _UTIL_H_
-int get_sockfd(void);
-int GetIpAddressStr(char *address, char *ifname);
+int get_sockfd(const char *ifname);
+int GetIpAddressStr(char *address, const char *ifname);
void trace(int debuglevel, const char *format, ...);
#endif //_UTIL_H_
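Review bot: util.h keeps exporting a prototype for get_sockfd(), but util.c defines it as "static int get_sockfd(const char *ifname)", so no other file can call it and the two declarations disagree on linkage. Drop the get_sockfd line from util.h rather than updating its parameter list.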
--- End Message ---
--- Begin Message ---
Source: linux-igd
Source-Version: 1.0+cvs20070630-1
We believe that the bug you reported is fixed in the latest version of
linux-igd, which is due to be installed in the Debian FTP archive:
linux-igd_1.0+cvs20070630-1.diff.gz
to pool/main/l/linux-igd/linux-igd_1.0+cvs20070630-1.diff.gz
linux-igd_1.0+cvs20070630-1.dsc
to pool/main/l/linux-igd/linux-igd_1.0+cvs20070630-1.dsc
linux-igd_1.0+cvs20070630-1_sparc.deb
to pool/main/l/linux-igd/linux-igd_1.0+cvs20070630-1_sparc.deb
linux-igd_1.0+cvs20070630.orig.tar.gz
to pool/main/l/linux-igd/linux-igd_1.0+cvs20070630.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nick Leverton <[EMAIL PROTECTED]> (supplier of updated linux-igd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 01 Jul 2008 21:33:13 +0100
Source: linux-igd
Binary: linux-igd
Architecture: source sparc
Version: 1.0+cvs20070630-1
Distribution: unstable
Urgency: low
Maintainer: Nick Leverton <[EMAIL PROTECTED]>
Changed-By: Nick Leverton <[EMAIL PROTECTED]>
Description:
linux-igd - Linux UPnP Internet Gateway Device
Closes: 399960 411875 415981 423189 436365 436919 441082
Changes:
 linux-igd (1.0+cvs20070630-1) unstable; urgency=low
 .
   * New maintainer (Closes: #411875)
   * New upstream CVS (Closes: #436919, #436365), including important
     option name changes:
     - Renamed the insert_forward_rules option to create_forward_rules to
       better reflect what it actually does.
     - Added the forward_rules_append to do what people thought
       insert_forward_rules did.
     See /usr/share/doc/linux-igd/CHANGES.gz for further details.
   * For compatibility with upstream, the INT_IFACE and EXT_IFACE
     initscript variables have been renamed to INTIFACE and EXTIFACE.
   * Rename initscript and defaults from /etc/{init.d,default}/upnpd to
     /etc/*/linux-igd so that they match our package name.
   * Change initscript to do nothing until /etc/default/linux-igd is
     configured (Closes: #423189, #399960).
   * Add --oknodo to all "start-stop-daemon --stop" calls in initscript
     in case daemon wasn't running anyway (Closes: #415981).
   * Configurable CHROOT and USER/GROUP for daemon.
   * Add SECURITY note and sample conf for jailer chroot.
   * Add ALLOW_MULTICAST option for multicast routing setup (compatible
     with upstream).
   * Abstract the patch for #397572 from .diff.gz into separate quilt patch
     01-debian-my_parse_port.diff
   * New patch 02-makefile.diff for fixes to makefile
   * Patch 03-debian-bindtodevice.diff Closes: #441082 (linux-igd does not
     restrict itself to the internal interface) (with further fix from Eric
     Valette).
   * Honour CFLAGS in compilation (thanks Gianluigi Tiesi <[EMAIL PROTECTED]>
     http://debian.cli.unipi.it/debian/pool/sherpya/l/linux-igd/ ).
   * Update watchfile as per Jochen Friedrich's suggestion.
   * Add paranoid flag to validate port forwarding requests.
   * Remove bashisms from initscript, make it dash-compatible.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFIa7Zz0fhX0Y/ocz0RAv0aAJ9i8rhcwh3xkR7P1+zhGHRdKjcAzACgkHUD
LGQ+sElfMM1U34ApOfavxuc=
=/x4d
-----END PGP SIGNATURE-----
--- End Message ---