Hello, as I didn't get any feedback from the maintainer of libupnp for #813249 since January and the package has an open grave bug which was reported in October I intend to upload an NMU with the below debdiff.
I'd like to get an ack from Nick for the NMU, but will upload on Monday if there is no reaction by then. There is another RC bug (#670562) that needs handling (open since April 2012) where the fix isn't clear and so is not fixed here. Best regards Uwe
diff -Nru libupnp-1.6.19+git20160116/debian/changelog libupnp-1.6.19+git20160116/debian/changelog --- libupnp-1.6.19+git20160116/debian/changelog 2016-10-19 22:03:51.000000000 +0200 +++ libupnp-1.6.19+git20160116/debian/changelog 2016-12-09 10:40:28.000000000 +0100 @@ -1,3 +1,11 @@ +libupnp (1:1.6.19+git20160116-1.2) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Fix out-of-bounds-access (CVE-2016-8863, Closes: #842093) + * Fix usage on ipv6 enabled hosts (Closes: #813249) + + -- Uwe Kleine-König <[email protected]> Fri, 09 Dec 2016 10:40:28 +0100 + libupnp (1:1.6.19+git20160116-1.1) unstable; urgency=high * Non-maintainer upload. diff -Nru libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch --- libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch 1970-01-01 01:00:00.000000000 +0100 +++ libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch 2016-12-09 10:38:40.000000000 +0100 
@@ -0,0 +1,63 @@ +From 8d48f5cf63973c452cb4578a1fbe623ba95a8e65 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <[email protected]> +Date: Thu, 8 Dec 2016 17:11:53 +0100 +Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863) + +If there is an invalid URL in URLS->buf after a valid one, uri_parse is +called with out pointing after the allocated memory. As uri_parse writes +to *out before returning an error the loop in create_url_list must be +stopped early to prevent an out-of-bound access + +Bug: https://sourceforge.net/p/pupnp/bugs/133/ +Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863 +Bug-Debian: https://bugs.debian.org/842093 +Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771 +Applied-Upstream: 1.6.x, commit:a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b +--- + upnp/src/gena/gena_device.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c +index 58a3e55e8973..a49394ab1488 100644 +--- a/upnp/src/gena/gena_device.c ++++ b/upnp/src/gena/gena_device.c +@@ -1113,7 +1113,7 @@ static int create_url_list( + /*! [out] . 
*/ + URL_list *out) + { +- size_t URLcount = 0; ++ size_t URLcount = 0, URLcount2 = 0; + size_t i; + int return_code = 0; + uri_type temp; +@@ -1155,16 +1155,23 @@ static int create_url_list( + } + memcpy( out->URLs, URLS->buff, URLS->size ); + out->URLs[URLS->size] = 0; +- URLcount = 0; + for( i = 0; i < URLS->size; i++ ) { + if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) { + if( ( ( return_code = + parse_uri( &out->URLs[i + 1], URLS->size - i + 1, +- &out->parsedURLs[URLcount] ) ) == ++ &out->parsedURLs[URLcount2] ) ) == + HTTP_SUCCESS ) +- && ( out->parsedURLs[URLcount].hostport.text.size != ++ && ( out->parsedURLs[URLcount2].hostport.text.size != + 0 ) ) { +- URLcount++; ++ URLcount2++; ++ if (URLcount2 >= URLcount) ++ /* ++ * break early here in case there is a bogus URL that ++ * was skipped above. This prevents to access ++ * out->parsedURLs[URLcount] which is beyond the ++ * allocation. ++ */ ++ break; + } else { + if( return_code == UPNP_E_OUTOF_MEMORY ) { + free( out->URLs ); +-- +2.10.2 + diff -Nru libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch --- libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch 1970-01-01 01:00:00.000000000 +0100 +++ libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch 2016-12-09 10:39:40.000000000 +0100 
@@ -0,0 +1,32 @@ +From 480967ef2dd8a8e66035d878a716a3877439c7ed Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <[email protected]> +Date: Wed, 30 Nov 2016 22:04:04 +0100 +Subject: [PATCH] miniserver: fix binding to ipv6 link-local addresses + +Linux requires to have sin6_scope_id hold the interface id when binding to +link-local addresses. This is already in use in other parts of upnp, so +portability shouldn't be in the way here. Without this bind(2) fails with +errno=EINVAL (although ipv6(7) from manpages 4.08 specifies ENODEV in this +case). + +Bug-Debian: https://bugs.debian.org/813249 +Applied-Upstream: 1.6.x, commit:96bdeaca867d9eb61e6d6c3e2f751824b09c0358 +--- + upnp/src/genlib/miniserver/miniserver.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/upnp/src/genlib/miniserver/miniserver.c b/upnp/src/genlib/miniserver/miniserver.c +index 683c4b3d36cc..7cd1209d40e4 100644 +--- a/upnp/src/genlib/miniserver/miniserver.c ++++ b/upnp/src/genlib/miniserver/miniserver.c +@@ -583,6 +583,7 @@ static int get_miniserver_sockets( + memset(&__ss_v6, 0, sizeof (__ss_v6)); + serverAddr6->sin6_family = (sa_family_t)AF_INET6; + inet_pton(AF_INET6, gIF_IPV6, &serverAddr6->sin6_addr); ++ serverAddr6->sin6_scope_id = gIF_INDEX; + #endif + /* Getting away with implementation of re-using address:port and + * instead choosing to increment port numbers. +-- +2.10.2 + diff -Nru libupnp-1.6.19+git20160116/debian/patches/series libupnp-1.6.19+git20160116/debian/patches/series --- libupnp-1.6.19+git20160116/debian/patches/series 2016-10-18 22:07:32.000000000 +0200 +++ libupnp-1.6.19+git20160116/debian/patches/series 2016-12-09 10:40:06.000000000 +0100 @@ -9,3 +9,5 @@ 27-LFS-fix-32bit-large_files.patch 28-fix-git-version.patch CVE-2016-6255.patch +CVE-2016-8863.patch +miniserver-fix-binding-to-ipv6-link-local-addresses.patch
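Review bot: style nit in the debian/changelog hunk: "Fix out-of-bounds-access" should read "Fix out-of-bounds access" (no hyphen before "access"), and "ipv6 enabled hosts" reads better as "IPv6-enabled hosts"; naming the patch files in the two entries would also let a reader map the changelog to the debian/patches/series additions without opening the debdiff.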
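Review bot: in the gena_device.c hunk the early break does stop parse_uri() from being called with &out->parsedURLs[URLcount], but the hunk also drops the `URLcount = 0;` reset that previously turned URLcount into the count of successfully parsed entries, and nothing in the visible context assigns out->size from the new URLcount2. Check the code after the loop: if it still sets out->size from URLcount (the pre-allocated count), the entries between URLcount2 and URLcount are reported to callers but never filled, so it should become `out->size = URLcount2;`. Two smaller points: the brace-less `if (URLcount2 >= URLcount)` with a six-line comment between the condition and `break;` is easy to misread, so put braces around it; and the comment's "This prevents to access" should be "This prevents accessing".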
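Review bot: in the miniserver.c hunk the new `serverAddr6->sin6_scope_id = gIF_INDEX;` is assigned unconditionally, which matches the link-local case the commit message describes, but the context line just above it still ignores the return value of inet_pton(), so a malformed gIF_IPV6 leaves sin6_addr as the zeroed [::] from the memset() and now carries a scope id on top. Since this block is being touched anyway, consider checking the inet_pton() result and failing get_miniserver_sockets() on error, and add a one-line comment above the assignment saying that Linux needs the interface index to bind link-local addresses, so the next reader does not have to dig out the commit message.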