Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.ca...@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #841979,
regarding jessie-pu: package minissdpd/1.2.20130907-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
841979: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841979
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-CC: Thomas Goirand <z...@debian.org>

Hi,

The attached debdiff fixes #816759 (minissdpd: CVE-2016-3178
CVE-2016-3179) for jessie. Both CVEs are tagged 'no-DSA' by the security
team.

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru minissdpd-1.2.20130907/debian/changelog 
minissdpd-1.2.20130907/debian/changelog
--- minissdpd-1.2.20130907/debian/changelog     2014-07-14 08:02:57.000000000 
+0100
+++ minissdpd-1.2.20130907/debian/changelog     2016-10-24 22:46:46.000000000 
+0100
@@ -1,3 +1,15 @@
+minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759)
+    The minissdpd daemon contains a improper validation of array index
+    vulnerability (CWE-129) when processing requests sent to the Unix
+    socket at /var/run/minissdpd.sock the Unix socket can be accessed
+    by an unprivileged user to send invalid request causes an
+    out-of-bounds memory access that crashes the minissdpd daemon.
+
+ -- James Cowgill <jcowg...@debian.org>  Mon, 24 Oct 2016 22:46:46 +0100
+
 minissdpd (1.2.20130907-3) unstable; urgency=medium
 
   * Removed $all from init.d script.
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 
minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch   1970-01-01 
01:00:00.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch   2016-10-24 
22:43:23.000000000 +0100
@@ -0,0 +1,95 @@
+Description: Fix CVE-2016-3178
+ buffer overflow while handling negative length request
+Author: Salva Peiró <speir...@gmail.com>
+Origin: upstream, 
https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
++++ b/minissdpd.c
+@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req
+       type = buf[0];
+       p = buf + 1;
+       DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-      if(p+l > buf+n) {
++      if(l > (unsigned)(buf+n-p)) {
+               syslog(LOG_WARNING, "bad request (length encoding)");
+               goto error;
+       }
+@@ -661,7 +661,7 @@ void processRequest(struct reqelem * req
+                       goto error;
+               }
+               DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-              if(p+l > buf+n) {
++              if(l > (unsigned)(buf+n-p)) {
+                       syslog(LOG_WARNING, "bad request (length encoding)");
+                       goto error;
+               }
+@@ -679,7 +679,7 @@ void processRequest(struct reqelem * req
+               newserv->usn[l] = '\0';
+               p += l;
+               DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-              if(p+l > buf+n) {
++              if(l > (unsigned)(buf+n-p)) {
+                       syslog(LOG_WARNING, "bad request (length encoding)");
+                       goto error;
+               }
+@@ -697,7 +697,7 @@ void processRequest(struct reqelem * req
+               newserv->server[l] = '\0';
+               p += l;
+               DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-              if(p+l > buf+n) {
++              if(l > (unsigned)(buf+n-p)) {
+                       syslog(LOG_WARNING, "bad request (length encoding)");
+                       goto error;
+               }
+--- a/testminissdpd.c
++++ b/testminissdpd.c
+@@ -45,6 +45,23 @@ void printresponse(const unsigned char *
+ #define SENDCOMMAND(command, size) write(s, command, size); \
+               printf("Command written type=%u\n", (unsigned)command[0]);
+ 
++int connect_unix_socket(const char * sockpath)
++{
++      int s;
++      struct sockaddr_un addr;
++
++      s = socket(AF_UNIX, SOCK_STREAM, 0);
++      addr.sun_family = AF_UNIX;
++      strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path));
++      if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 
0) {
++              fprintf(stderr, "connecting to %s : ", addr.sun_path);
++              perror("connect");
++              exit(1);
++      }
++      printf("Connected to %s\n", addr.sun_path);
++      return s;
++}
++
+ /* test program for minissdpd */
+ int
+ main(int argc, char * * argv)
+@@ -52,6 +69,7 @@ main(int argc, char * * argv)
+       char command1[] = 
"\x01\x00urn:schemas-upnp-org:device:InternetGatewayDevice";
+       char command2[] = 
"\x02\x00uuid:fc4ec57e-b051-11db-88f8-0060085db3f6::upnp:rootdevice";
+       char command3[] = { 0x03, 0x00 };
++        const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 
0xff, 0x7f};
+       struct sockaddr_un addr;
+       int s;
+       int i;
+@@ -89,6 +107,15 @@ main(int argc, char * * argv)
+       n = read(s, buf, sizeof(buf));
+       printf("Response received %d bytes\n", (int)n);
+       printresponse(buf, n);
++      if(n == 0) {
++              close(s);
++              s = connect_unix_socket(sockpath);
++      }
++
++      n = SENDCOMMAND(bad_command4, sizeof(bad_command4));
++      n = read(s, buf, sizeof(buf));
++      printf("Response received %d bytes\n", (int)n);
++      printresponse(buf, n);
+ 
+       close(s);
+       return 0;
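Review bot: connect_unix_socket, added in the testminissdpd.c hunk, uses the descriptor returned by socket() without checking it, so a failed socket() call proceeds to connect(-1, ...) and reports a misleading "connect" error, and the strncpy into addr.sun_path leaves the path unterminated when sockpath is sizeof(addr.sun_path) bytes or longer, which the later fprintf("%s", addr.sun_path) then reads past; addr is also never zero-filled. In the minissdpd.c hunks the replacement check `l > (unsigned)(buf+n-p)` is only sound while p never exceeds buf+n, since a negative difference would wrap to a large unsigned value and pass the check — presumably DECODELENGTH_CHECKLIMIT on the line before guarantees that, but the macro and the rest of processRequest are outside the hunk. The rewrite below checks the socket() result, zero-fills addr and bounds the path copy with snprintf.
```c
int connect_unix_socket(const char * sockpath)
{
	int s;
	struct sockaddr_un addr;

	s = socket(AF_UNIX, SOCK_STREAM, 0);
	if(s < 0) {
		perror("socket");
		exit(1);
	}
	memset(&addr, 0, sizeof(addr));
	addr.sun_family = AF_UNIX;
	if(snprintf(addr.sun_path, sizeof(addr.sun_path), "%s", sockpath)
	   >= (int)sizeof(addr.sun_path)) {
		fprintf(stderr, "socket path too long: %s\n", sockpath);
		exit(1);
	}
	/* … unchanged: connect(), its error report and the "Connected to" message … */
```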
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch 
minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch   1970-01-01 
01:00:00.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch   2016-10-24 
22:43:23.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Fix CVE-2016-3179
+ freeing of uninitialized pointer
+Author: Salva Peiró <speir...@gmail.com>
+Origin: upstream, 
https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
++++ b/minissdpd.c
+@@ -644,6 +644,7 @@ void processRequest(struct reqelem * req
+                       syslog(LOG_ERR, "cannot allocate memory");
+                       goto error;
+               }
++              memset(newserv, 0, sizeof(struct service));     /* set pointers 
to NULL */
+               if(containsForbiddenChars(p, l)) {
+                       syslog(LOG_ERR, "bad request (st contains forbidden 
chars)");
+                       goto error;
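Review bot: The zero-fill is placed only after the allocation succeeded, which is correct, but the same guarantee is simpler and closes any window between allocation and memset if the allocation a few lines above the hunk becomes `newserv = calloc(1, sizeof *newserv);`, after which the added memset can go. The allocation line is outside the hunk, so I cannot confirm its current form; if it stays a plain malloc, the memset must remain exactly where it is, ahead of any `goto error` that may free newserv's pointer members. processRequest's body continues outside the hunk.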
diff -Nru minissdpd-1.2.20130907/debian/patches/series 
minissdpd-1.2.20130907/debian/patches/series
--- minissdpd-1.2.20130907/debian/patches/series        2014-07-14 
08:02:57.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/series        2016-10-24 
22:43:23.000000000 +0100
@@ -1,2 +1,4 @@
 link-with-lfreebsd-glue.patch
 using-LDFLAGS-in-Makefile.patch
+CVE-2016-3178.patch
+CVE-2016-3179.patch



--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
