Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package libupnp Hi, I've just uploaded an NMU for libupnp which fixes the various buffer overflows. Diff is pretty straightforward, debdiff is attached. unblock libupnp/1:1.6.17-1.2 Regards, -- Yves-Alexis -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-grsec-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru libupnp-1.6.17/debian/changelog libupnp-1.6.17/debian/changelog --- libupnp-1.6.17/debian/changelog 2012-05-08 16:59:15.000000000 +0200 +++ libupnp-1.6.17/debian/changelog 2013-02-01 21:56:14.000000000 +0100 @@ -1,3 +1,13 @@ +libupnp (1:1.6.17-1.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix + various stack-based buffer overflows in service_unique_name() function. + This fix CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, + CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699316 + + -- Yves-Alexis Perez <[email protected]> Fri, 01 Feb 2013 21:56:12 +0100 + libupnp (1:1.6.17-1.1) unstable; urgency=high * Non-maintainer upload. diff -Nru libupnp-1.6.17/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch libupnp-1.6.17/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch --- libupnp-1.6.17/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch 1970-01-01 01:00:00.000000000 +0100 +++ libupnp-1.6.17/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch 2013-02-01 22:38:08.000000000 +0100 @@ -0,0 +1,90 @@ +This patch addresses three possible buffer overflows in function +unique_service_name(). The three issues have the folowing CVE +numbers: + +CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf +CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN +CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN + +Notice that the following issues have already been dealt by previous +work: + +CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN +CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType +CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN +CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType +CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType +--- + ChangeLog | 20 ++++++++++++++++++++ + upnp/src/ssdp/ssdp_server.c | 18 ++++++++++-------- + 2 files changed, 30 insertions(+), 8 deletions(-) + +diff --git a/upnp/src/ssdp/ssdp_server.c b/upnp/src/ssdp/ssdp_server.c +index 231c2c5..8a57d08 100644 +--- a/upnp/src/ssdp/ssdp_server.c ++++ b/upnp/src/ssdp/ssdp_server.c +@@ -467,16 +467,16 @@ int unique_service_name(char *cmd, SsdpEvent *Evt) + else + return -1; + if (ptr3 != NULL) { +- if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof(Evt->UDN)) ++ if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN) + return -1; +- snprintf(Evt->UDN, sizeof(Evt->UDN), "uuid:%s", +- ptr3 + 1); ++ snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1); + } + else + return -1; + ptr1 = strstr(cmd, ":"); + if (ptr1 != NULL) { + n = (size_t)ptr3 - (size_t)ptr1; ++ n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n; + strncpy(TempBuf, ptr1, n); + TempBuf[n] = '\0'; + if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType)) +@@ -490,27 +490,28 @@ int unique_service_name(char *cmd, SsdpEvent *Evt) + if ((TempPtr = strstr(cmd, "uuid")) != NULL) { + if ((Ptr = strstr(cmd, "::")) != NULL) { + n = (size_t)Ptr - (size_t)TempPtr; ++ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n; + strncpy(Evt->UDN, TempPtr, n); + Evt->UDN[n] = '\0'; + } else { + memset(Evt->UDN, 0, sizeof(Evt->UDN)); +- strncpy(Evt->UDN, TempPtr, sizeof(Evt->UDN) - 1); ++ strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1); + } + CommandFound = 1; + } + if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) { + if ((TempPtr = strstr(cmd, "urn")) != NULL) { +- memset(Evt->ServiceType, 0, sizeof(Evt->ServiceType)); ++ memset(Evt->ServiceType, 0, sizeof Evt->ServiceType); + strncpy(Evt->ServiceType, TempPtr, +- sizeof(Evt->ServiceType) - 1); ++ sizeof Evt->ServiceType - 1); + CommandFound = 1; + } + } + if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) { + if ((TempPtr = strstr(cmd, "urn")) != NULL) { +- memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType)); ++ memset(Evt->DeviceType, 0, sizeof Evt->DeviceType); + strncpy(Evt->DeviceType, TempPtr, +- sizeof(Evt->DeviceType) - 1); ++ sizeof Evt->DeviceType - 1); + CommandFound = 1; + } + } +@@ -518,6 +519,7 @@ int unique_service_name(char *cmd, SsdpEvent *Evt) + /* Everything before "::upnp::rootdevice" is the UDN. */ + if (TempPtr != cmd) { + n = (size_t)TempPtr - (size_t)cmd; ++ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n; + strncpy(Evt->UDN, cmd, n); + Evt->UDN[n] = 0; + CommandFound = 1; +-- +1.7.7 + diff -Nru libupnp-1.6.17/debian/patches/series libupnp-1.6.17/debian/patches/series --- libupnp-1.6.17/debian/patches/series 2012-03-18 13:07:18.000000000 +0100 +++ libupnp-1.6.17/debian/patches/series 2013-02-01 18:36:23.000000000 +0100 @@ -3,3 +3,4 @@ 09-update-doc.patch 12-debian-always-debug.patch 18-url-upnpstrings.patch +0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch
