Bug#930357: stretch-pu: package miniupnpd/1.8.20140523-4.1+deb9u2 CVE-2019-12107, CVE-2019-12108, CVE-2019-12109, CVE-2019-12110

Thomas Goirand Tue, 11 Jun 2019 04:33:46 -0700

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu


Dear release team,

Please allow me to upload miniupnpd/1.8.20140523-4.1+deb9u2, as the
security team told me the CVE in the Subject do not need a DSA.

The upload only adds the upstream patches, Stretch doesn't seem to
be affected by CVE-2019-12111. On top of that, the fixed version adds
a change to debian/gbp.conf (only branch names), please allow this to
get in as well, as this simplifies the packaging update tasks.

Debdiff attached, pre-built packages available from here:
http://sid.gplhost.com/stretch-proposed-updates/miniupnpd/

Cheers,

Thomas Goirand (zigo)

diff -Nru miniupnpd-1.8.20140523/debian/changelog 
miniupnpd-1.8.20140523/debian/changelog
--- miniupnpd-1.8.20140523/debian/changelog     2018-02-07 12:18:50.000000000 
+0100
+++ miniupnpd-1.8.20140523/debian/changelog     2019-06-07 09:16:03.000000000 
+0200
@@ -1,3 +1,11 @@
+miniupnpd (1.8.20140523-4.1+deb9u2) stretch; urgency=medium
+
+  * Applied upstream patches for CVE-2019-12107, CVE-2019-12108,
+    CVE-2019-12109, CVE-2019-12110. This version looks like not affected by
+    CVE-2019-12111. (Closes: #930050).
+
+ -- Thomas Goirand <z...@debian.org>  Fri, 07 Jun 2019 09:16:03 +0200
+
 miniupnpd (1.8.20140523-4.1+deb9u1) stretch; urgency=medium
 
   * Apply patch from upstream for CVE-2017-1000494 (Closes: #887129).
diff -Nru miniupnpd-1.8.20140523/debian/gbp.conf 
miniupnpd-1.8.20140523/debian/gbp.conf
--- miniupnpd-1.8.20140523/debian/gbp.conf      2014-12-09 15:37:29.000000000 
+0100
+++ miniupnpd-1.8.20140523/debian/gbp.conf      2019-06-07 09:16:03.000000000 
+0200
@@ -1,6 +1,6 @@
 [DEFAULT]
-upstream-branch = upstream-sid
-debian-branch = debian-sid
+upstream-branch = upstream-stretch
+debian-branch = debian-stretch
 pristine-tar = True
 
 [git-buildpackage]
diff -Nru 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
--- 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
    2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,57 @@
+Description: CVE-2019-12107: upnp_event_prepare(): check the return value of 
snprintf()
+Author: Thomas Bernard <miniu...@free.fr>
+Date: Tue, 18 Dec 2018 22:37:14 +0100
+Origin: upstream, 
https://github.com/miniupnp/miniupnp/commit/bec6ccec63cadc95655721bc0e1dd49dac759d94
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpevents.c
+===================================================================
+--- miniupnpd.orig/upnpevents.c
++++ miniupnpd/upnpevents.c
+@@ -383,19 +383,34 @@ static void upnp_event_prepare(struct up
+               l = 0;
+       }
+       obj->buffersize = 1024;
+-      obj->buffer = malloc(obj->buffersize);
+-      if(!obj->buffer) {
+-              syslog(LOG_ERR, "%s: malloc returned NULL", 
"upnp_event_prepare");
+-              if(xml) {
+-                      free(xml);
++      for (;;) {
++              obj->buffer = malloc(obj->buffersize);
++              if(!obj->buffer) {
++                      syslog(LOG_ERR, "%s: malloc returned NULL", 
"upnp_event_prepare");
++                      if(xml) {
++                              free(xml);
++                      }
++                      obj->state = EError;
++                      return;
+               }
+-              obj->state = EError;
+-              return;
++              obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
++                                     obj->path, obj->addrstr, obj->portstr, 
l+2,
++                                     obj->sub->uuid, obj->sub->seq,
++                                     l, xml);
++              if (obj->tosend < 0) {
++                      syslog(LOG_ERR, "%s: snprintf() failed", 
"upnp_event_prepare");
++                      if(xml) {
++                              free(xml);
++                      }
++                      obj->state = EError;
++                      return;
++              } else if (obj->tosend < obj->buffersize) {
++                      break; /* the buffer was large enough */
++              }
++              /* Try again with a buffer big enough */
++              free(obj->buffer);
++              obj->buffersize = obj->tosend + 1;      /* reserve space for 
the final 0 */
+       }
+-      obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
+-                             obj->path, obj->addrstr, obj->portstr, l+2,
+-                             obj->sub->uuid, obj->sub->seq,
+-                             l, xml);
+       if(xml) {
+               free(xml);
+               xml = NULL;
diff -Nru 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
--- 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
     1970-01-01 01:00:00.000000000 +0100
+++ 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
     2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,25 @@
+Subject: CVE-2019-12108: GetOutboundPinholeTimeout: check args
+Author: Thomas Bernard <miniu...@free.fr>
+Date: Tue, 18 Dec 2018 22:54:51 +0100
+Origin: upstream, 
https://github.com/miniupnp/miniupnp/commit/13585f15c7f7dc28bbbba1661efb280d530d114c.patch
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpsoap.c
+===================================================================
+--- miniupnpd.orig/upnpsoap.c
++++ miniupnpd/upnpsoap.c
+@@ -1651,6 +1651,13 @@ GetOutboundPinholeTimeout(struct upnphtt
+       rem_port = GetValueFromNameValueList(&data, "RemotePort");
+       protocol = GetValueFromNameValueList(&data, "Protocol");
+ 
++      if (!int_port || !ext_port || !protocol)
++      {
++              ClearNameValueList(&data);
++              SoapError(h, 402, "Invalid Args");
++              return;
++      }
++
+       rport = (unsigned short)atoi(rem_port);
+       iport = (unsigned short)atoi(int_port);
+       proto = atoi(protocol);
diff -Nru 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch
 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch
--- 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch
    2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,20 @@
+Subject: CVE-2019-12109 fix error from commit 
13585f15c7f7dc28bbbba1661efb280d530d114c
+From: Thomas Bernard <miniu...@free.fr>
+Date: Tue, 18 Dec 2018 23:47:54 +0100
+Origin: upstream, 
https://github.com/miniupnp/miniupnp/commit/86030db849260dd8fb2ed975b9890aef1b62b692.patch
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpsoap.c
+===================================================================
+--- miniupnpd.orig/upnpsoap.c
++++ miniupnpd/upnpsoap.c
+@@ -1651,7 +1651,7 @@ GetOutboundPinholeTimeout(struct upnphtt
+       rem_port = GetValueFromNameValueList(&data, "RemotePort");
+       protocol = GetValueFromNameValueList(&data, "Protocol");
+ 
+-      if (!int_port || !ext_port || !protocol)
++      if (!int_port || !rem_port || !protocol)
+       {
+               ClearNameValueList(&data);
+               SoapError(h, 402, "Invalid Args");
diff -Nru 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch
 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch
--- 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch
  2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,21 @@
+Subject: CVE-2019-12110: upnp_redirect(): accept NULL desc argument
+Author: Thomas Bernard <miniu...@free.fr>
+Date: Tue, 18 Dec 2018 22:59:18 +0100
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+diff --git a/upnpredirect.c b/upnpredirect.c
+index 7c179b62..74926f08 100644
+--- a/upnpredirect.c
++++ b/upnpredirect.c
+@@ -279,6 +279,10 @@
+                                "%hu->%s:%hu %s", eport, iaddr, iport, 
protocol);
+               return -3;
+       }
++
++      if (desc == NULL)
++              desc = "";      /* assume empty description */
++
+       r = get_redirect_rule(ext_if_name, eport, proto,
+                             iaddr_old, sizeof(iaddr_old), &iport_old, 0, 0,
+                             0, 0,
diff -Nru miniupnpd-1.8.20140523/debian/patches/series 
miniupnpd-1.8.20140523/debian/patches/series
--- miniupnpd-1.8.20140523/debian/patches/series        2018-02-07 
12:18:49.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/series        2019-06-07 
09:16:03.000000000 +0200
@@ -5,3 +5,7 @@
 0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch
 0060_iptables_check.patch
 CVE-2017-1000494.patch
+CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
+CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
+CVE-2019-12109_fix_error_from_commit_13585f1.patch
+CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch

Bug#930357: stretch-pu: package miniupnpd/1.8.20140523-4.1+deb9u2 CVE-2019-12107, CVE-2019-12108, CVE-2019-12109, CVE-2019-12110

Reply via email to