Your message dated Sat, 14 Jan 2017 12:37:03 +0000 with message-id <1484397423.1091.25.ca...@adam-barratt.org.uk> and subject line Closing requests included in today's point release has caused the Debian Bug report #841979, regarding jessie-pu: package minissdpd/1.2.20130907-3 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
841979: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841979
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-CC: Thomas Goirand <z...@debian.org>

Hi,

The attached debdiff fixes #816759 (minissdpd: CVE-2016-3178 CVE-2016-3179) for jessie. Both CVEs are tagged 'no-DSA' by the security team.

Thanks,
James

-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru minissdpd-1.2.20130907/debian/changelog minissdpd-1.2.20130907/debian/changelog --- minissdpd-1.2.20130907/debian/changelog 2014-07-14 08:02:57.000000000 +0100 +++ minissdpd-1.2.20130907/debian/changelog 2016-10-24 22:46:46.000000000 +0100 @@ -1,3 +1,15 @@ +minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high + + * Non-maintainer upload. + * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759) + The minissdpd daemon contains a improper validation of array index + vulnerability (CWE-129) when processing requests sent to the Unix + socket at /var/run/minissdpd.sock the Unix socket can be accessed + by an unprivileged user to send invalid request causes an + out-of-bounds memory access that crashes the minissdpd daemon. + + -- James Cowgill <jcowg...@debian.org> Mon, 24 Oct 2016 22:46:46 +0100 + minissdpd (1.2.20130907-3) unstable; urgency=medium * Removed $all from init.d script. diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch --- minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 1970-01-01 01:00:00.000000000 +0100 +++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 2016-10-24 22:43:23.000000000 +0100 
@@ -0,0 +1,95 @@ +Description: Fix CVE-2016-3178 + buffer overflow while handling negative length request +Author: Salva Peiró <speir...@gmail.com> +Origin: upstream, https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47 +Bug-Debian: https://bugs.debian.org/816759 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/minissdpd.c ++++ b/minissdpd.c +@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req + type = buf[0]; + p = buf + 1; + DECODELENGTH_CHECKLIMIT(l, p, buf + n); +- if(p+l > buf+n) { ++ if(l > (unsigned)(buf+n-p)) { + syslog(LOG_WARNING, "bad request (length encoding)"); + goto error; + } +@@ -661,7 +661,7 @@ void processRequest(struct reqelem * req + goto error; + } + DECODELENGTH_CHECKLIMIT(l, p, buf + n); +- if(p+l > buf+n) { ++ if(l > (unsigned)(buf+n-p)) { + syslog(LOG_WARNING, "bad request (length encoding)"); + goto error; + } +@@ -679,7 +679,7 @@ void processRequest(struct reqelem * req + newserv->usn[l] = '\0'; + p += l; + DECODELENGTH_CHECKLIMIT(l, p, buf + n); +- if(p+l > buf+n) { ++ if(l > (unsigned)(buf+n-p)) { + syslog(LOG_WARNING, "bad request (length encoding)"); + goto error; + } +@@ -697,7 +697,7 @@ void processRequest(struct reqelem * req + newserv->server[l] = '\0'; + p += l; + DECODELENGTH_CHECKLIMIT(l, p, buf + n); +- if(p+l > buf+n) { ++ if(l > (unsigned)(buf+n-p)) { + syslog(LOG_WARNING, "bad request (length encoding)"); + goto error; + } +--- a/testminissdpd.c ++++ b/testminissdpd.c +@@ -45,6 +45,23 @@ void printresponse(const unsigned char * + #define SENDCOMMAND(command, size) write(s, command, size); \ + printf("Command written type=%u\n", (unsigned)command[0]); + ++int connect_unix_socket(const char * sockpath) ++{ ++ int s; ++ struct sockaddr_un addr; ++ ++ s = socket(AF_UNIX, SOCK_STREAM, 0); ++ addr.sun_family = AF_UNIX; ++ strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path)); ++ if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 0) { ++ 
fprintf(stderr, "connecting to %s : ", addr.sun_path); ++ perror("connect"); ++ exit(1); ++ } ++ printf("Connected to %s\n", addr.sun_path); ++ return s; ++} ++ + /* test program for minissdpd */ + int + main(int argc, char * * argv) +@@ -52,6 +69,7 @@ main(int argc, char * * argv) + char command1[] = "\x01\x00urn:schemas-upnp-org:device:InternetGatewayDevice"; + char command2[] = "\x02\x00uuid:fc4ec57e-b051-11db-88f8-0060085db3f6::upnp:rootdevice"; + char command3[] = { 0x03, 0x00 }; ++ const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f}; + struct sockaddr_un addr; + int s; + int i; +@@ -89,6 +107,15 @@ main(int argc, char * * argv) + n = read(s, buf, sizeof(buf)); + printf("Response received %d bytes\n", (int)n); + printresponse(buf, n); ++ if(n == 0) { ++ close(s); ++ s = connect_unix_socket(sockpath); ++ } ++ ++ n = SENDCOMMAND(bad_command4, sizeof(bad_command4)); ++ n = read(s, buf, sizeof(buf)); ++ printf("Response received %d bytes\n", (int)n); ++ printresponse(buf, n); + + close(s); + return 0; diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch --- minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch 1970-01-01 01:00:00.000000000 +0100 +++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch 2016-10-24 22:43:23.000000000 +0100 
@@ -0,0 +1,17 @@ +Description: Fix CVE-2016-3179 + freeing of uninitialized pointer +Author: Salva Peiró <speir...@gmail.com> +Origin: upstream, https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a +Bug-Debian: https://bugs.debian.org/816759 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/minissdpd.c ++++ b/minissdpd.c +@@ -644,6 +644,7 @@ void processRequest(struct reqelem * req + syslog(LOG_ERR, "cannot allocate memory"); + goto error; + } ++ memset(newserv, 0, sizeof(struct service)); /* set pointers to NULL */ + if(containsForbiddenChars(p, l)) { + syslog(LOG_ERR, "bad request (st contains forbidden chars)"); + goto error; diff -Nru minissdpd-1.2.20130907/debian/patches/series minissdpd-1.2.20130907/debian/patches/series --- minissdpd-1.2.20130907/debian/patches/series 2014-07-14 08:02:57.000000000 +0100 +++ minissdpd-1.2.20130907/debian/patches/series 2016-10-24 22:43:23.000000000 +0100 @@ -1,2 +1,4 @@ link-with-lfreebsd-glue.patch using-LDFLAGS-in-Makefile.patch +CVE-2016-3178.patch +CVE-2016-3179.patchsignature.asc
Description: OpenPGP digital signature
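
Review bot: The new debian/changelog entry describes only the array-index validation problem (CWE-129) and never says what CVE-2016-3179 is, although the header of CVE-2016-3179.patch calls it "freeing of uninitialized pointer". Suggest one bullet per CVE, each naming the patch file that fixes it, and splitting the run-on sentence at "/var/run/minissdpd.sock the Unix socket", so a reader of the point-release notes can tell which fix addresses which issue.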
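
Review bot: In the four processRequest() hunks of CVE-2016-3178.patch, the new test `if(l > (unsigned)(buf+n-p))` is only safe if `p` can never be past `buf+n` at that point; if it could, the pointer difference would be negative and the cast would turn it into a huge limit that accepts any `l`. The hunks show neither whether DECODELENGTH_CHECKLIMIT guarantees that nor the declared type of `l`; if `l` is a signed int, rejecting negative lengths depends on its implicit conversion to unsigned in this comparison. Suggest a short comment at the first check stating both assumptions, or declaring `l` unsigned, so the four copies of the check do not drift apart.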
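
Review bot: In the new connect_unix_socket() added to testminissdpd.c, the return value of socket() is never checked, and `strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path))` leaves sun_path without a terminating NUL when sockpath fills the buffer, yet the path is then printed with %s. Suggest zeroing addr with memset first, copying at most sizeof(addr.sun_path) - 1 bytes, and exiting with perror("socket") when s < 0.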
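
Review bot: In the last testminissdpd.c hunk (@@ -89,6 +107,15 @@), the test writes bad_command4 and prints whatever read() returns, but nothing checks the outcome, so the program still ends with `return 0` whether the daemon rejected the request or crashed. Suggest following the bad request with a fresh connect_unix_socket(sockpath) and one of the valid commands, and returning non-zero if that fails. Two smaller points: `n = SENDCOMMAND(bad_command4, sizeof(bad_command4));` only compiles to something sensible because the macro expands to two statements, and the assigned value is overwritten by the next read(), so the assignment can go; and `if(n == 0)` does not cover a read() error (n < 0).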
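
Review bot: In CVE-2016-3179.patch the memset is correctly placed before the first `goto error`, but clearing the struct in a separate statement is easy to lose in a later refactor of processRequest(). If the allocation whose failure branch logs "cannot allocate memory" is a plain malloc, suggest replacing it with calloc(1, sizeof(struct service)) so every error path sees NULL pointers by construction; otherwise keep the memset and extend its comment to say that the error path frees these members.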
--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7 point release.

Regards,

Adam
--- End Message ---