And here's the intended debdiff against libupnp4. It's exactly the same
patch.

Regards,
-- 
Yves-Alexis
diff -u libupnp4-1.8.0~svn20100507/debian/changelog libupnp4-1.8.0~svn20100507/debian/changelog
--- libupnp4-1.8.0~svn20100507/debian/changelog
+++ libupnp4-1.8.0~svn20100507/debian/changelog
@@ -1,3 +1,13 @@
+libupnp4 (1.8.0~svn20100507-1+squeeze1) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
+    various stack-based buffer overflows in service_unique_name() function.
+    This fix CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
+    CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699459
+
+ -- Yves-Alexis Perez <[email protected]>  Fri, 01 Feb 2013 17:36:39 +0100
+
 libupnp4 (1.8.0~svn20100507-1) unstable; urgency=low
 
   * New pull from upstream subversion
diff -u libupnp4-1.8.0~svn20100507/debian/patches/series libupnp4-1.8.0~svn20100507/debian/patches/series
--- libupnp4-1.8.0~svn20100507/debian/patches/series
+++ libupnp4-1.8.0~svn20100507/debian/patches/series
@@ -12,0 +13 @@
+0001-Security-fix-for-CERT-issue-VU-922681.patch
only in patch2:
unchanged:
--- libupnp4-1.8.0~svn20100507.orig/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.patch
+++ libupnp4-1.8.0~svn20100507/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.patch
@@ -0,0 +1,105 @@
+Fix for VU#922681
+
+This includes fix for various CVEs by more or less backporting the whole unique_service_name() function from 1.6.18.
+
+CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
+CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
+CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
+CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
+CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
+CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
+CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
+CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
+
+--- a/upnp/src/ssdp/ssdp_server.c
++++ b/upnp/src/ssdp/ssdp_server.c
+@@ -416,7 +416,7 @@ int unique_service_name(IN char *cmd, IN
+     char *ptr2 = NULL;
+     char *ptr3 = NULL;
+     int CommandFound = 0;
+-    int length = 0;
++    size_t n = (size_t)0;
+ 
+     if( ( TempPtr = strstr( cmd, "uuid:schemas" ) ) != NULL ) {
+         ptr1 = strstr( cmd, ":device" );
+@@ -433,16 +433,23 @@ int unique_service_name(IN char *cmd, IN
+         }
+ 
+         if( ptr3 != NULL ) {
+-            sprintf( Evt->UDN, "uuid:%s", ptr3 + 1 );
++            if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
++                return -1;
++            snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
+         } else {
+             return -1;
+         }
+ 
+         ptr1 = strstr( cmd, ":" );
+         if( ptr1 != NULL ) {
+-            strncpy( TempBuf, ptr1, ptr3 - ptr1 );
+-            TempBuf[ptr3 - ptr1] = '\0';
+-            sprintf( Evt->DeviceType, "urn%s", TempBuf );
++            n = (size_t)ptr3 - (size_t)ptr1;
++            n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
++            strncpy(TempBuf, ptr1, n);
++            TempBuf[n] = '\0';
++            if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
++                return -1;
++            snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
++                "urn%s", TempBuf);
+         } else {
+             return -1;
+         }
+@@ -451,10 +458,13 @@ int unique_service_name(IN char *cmd, IN
+ 
+     if( ( TempPtr = strstr( cmd, "uuid" ) ) != NULL ) {
+         if( ( Ptr = strstr( cmd, "::" ) ) != NULL ) {
+-            strncpy( Evt->UDN, TempPtr, Ptr - TempPtr );
+-            Evt->UDN[Ptr - TempPtr] = '\0';
++            n = (size_t)Ptr - (size_t)TempPtr;
++            n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
++            strncpy(Evt->UDN, TempPtr, n);
++            Evt->UDN[n] = '\0';
+         } else {
+-            strcpy( Evt->UDN, TempPtr );
++            memset(Evt->UDN, 0, sizeof(Evt->UDN));
++            strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
+         }
+         CommandFound = 1;
+     }
+@@ -462,7 +472,9 @@ int unique_service_name(IN char *cmd, IN
+     if( strstr( cmd, "urn:" ) != NULL
+         && strstr( cmd, ":service:" ) != NULL ) {
+         if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
+-            strcpy( Evt->ServiceType, TempPtr );
++            memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
++            strncpy(Evt->ServiceType, TempPtr,
++                sizeof Evt->ServiceType - 1);
+             CommandFound = 1;
+         }
+     }
+@@ -470,7 +482,9 @@ int unique_service_name(IN char *cmd, IN
+     if( strstr( cmd, "urn:" ) != NULL
+         && strstr( cmd, ":device:" ) != NULL ) {
+         if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
+-            strcpy( Evt->DeviceType, TempPtr );
++            memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
++            strncpy(Evt->DeviceType, TempPtr,
++                sizeof Evt->DeviceType - 1);
+             CommandFound = 1;
+         }
+     }
+@@ -478,9 +492,10 @@ int unique_service_name(IN char *cmd, IN
+     if( ( TempPtr = strstr( cmd, "::upnp:rootdevice" ) ) != NULL ) {
+         /* Everything before "::upnp::rootdevice" is the UDN. */
+         if( TempPtr != cmd ) {
+-            length = TempPtr - cmd;
+-            strncpy(Evt->UDN, cmd, length);
+-            Evt->UDN[length] = 0;
++            n = (size_t)TempPtr - (size_t)cmd;
++            n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
++            strncpy(Evt->UDN, cmd, n);
++            Evt->UDN[n] = 0;
+             CommandFound = 1;
+         }
+     }
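Review bot: The clamped copies in the `"uuid"`/`"::"` branch and the `::upnp:rootdevice` branch (and the `strncpy` replacements for `strcpy`) silently truncate over-long input and still set `CommandFound = 1`, whereas the first `uuid:schemas` copy into `Evt->UDN` rejects it with `return -1`. In the `"uuid"` branch, `strstr(cmd, "::")` searches from the start of `cmd`, so `Ptr` may precede `TempPtr`. `(size_t)Ptr - (size_t)TempPtr` then wraps and is clamped to `sizeof Evt->UDN - 1`, which is memory-safe but copies text outside the intended range. Unless the backport must match upstream 1.6.18 exactly, consider rejecting instead, e.g. `if (Ptr < TempPtr || (size_t)(Ptr - TempPtr) >= sizeof Evt->UDN) return -1;`, and computing lengths as `(size_t)(p - q)` after the order check rather than casting each pointer to `size_t`. The body of `unique_service_name()` starts and ends outside these hunks, so how callers handle a truncated UDN or type string is not visible here.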
