Control: tags -1 patch pending

Hi,
I am about to upload the attached NMU to finally fix this bug. I've also attached a patch suitable for jessie-security, and the small C test program I used to bring up a libupnp web server for verifying the fix: a library is still vulnerable if the POSTed file shows up on disk. Thanks, James
/* * Upnp CVE-2016-6255 test program * * This program runs the webserver from libupnp serving files from the current * directory. If libupnp is vulnerable to CVE-2016-6255, it will allow uploading * files. * * Example: * * $ gcc -I/usr/include/upnp cve-2016-6255-test.c -lupnp -ocve-2016-6255-test * $ cat testfile * cat: testfile: No such file or directory * $ ./cve-2016-6255-test > /dev/null & * [2] 32309 * $ curl -i --data $'FAIL\n' http://localhost:49152/testfile * $ cat testfile * FAIL */ #define _GNU_SOURCE #include <stdio.h> #include <unistd.h> #include <upnp.h> int main(void) { char* wd = get_current_dir_name(); // Setup upnp printf("Init = %d\n", UpnpInit("127.0.0.1", 0)); printf("SetRoot = %d\n", UpnpSetWebServerRootDir(wd)); free(wd); // Hang for (;;) pause(); }
diff -Nru libupnp-1.6.19+git20141001/debian/changelog libupnp-1.6.19+git20141001/debian/changelog
--- libupnp-1.6.19+git20141001/debian/changelog 2014-10-23 21:48:01.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/changelog 2016-10-19 21:02:05.000000000 +0100
@@ -1,3 +1,12 @@
+libupnp (1:1.6.19+git20141001-1+deb8u1) jessie-security; urgency=high
+
+ * Non-maintainer upload.
+ * Don't allow unhandled POSTs to write to the filesystem by
+ default (Closes: #831857) (CVE-2016-6255)
+ Thanks to Matthew Garrett for the patch.
+
+ -- James Cowgill <jcowg...@debian.org> Wed, 19 Oct 2016 21:02:05 +0100
+
 libupnp (1:1.6.19+git20141001-1) unstable; urgency=low
 
  * Ack both NMUs, thankyou for your care of this package.
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch 1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch 2016-10-19 21:00:38.000000000 +0100
@@ -0,0 +1,61 @@
+From c91a8a3903367e1163765b73eb4d43be7d7927fa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mj...@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+
+Signed-off-by: Marcelo Roberto Jimenez <mrobe...@users.sourceforge.net>
+---
+ configure.ac | 4 ++++
+ upnp/inc/upnpconfig.h.in | 5 +++++
+ upnp/src/genlib/net/http/webserver.c | 4 ++++
+ 3 files changed, 13 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -495,6 +495,10 @@ if test "x$enable_blocking_tcp_connectio
+ AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h])
+ fi
+ 
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++ AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+ 
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+ 
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -131,5 +131,10 @@
+ * header (i.e. configure --enable-unspecified_server) */
+ #undef UPNP_ENABLE_UNSPECIFIED_SERVER
+ 
++/** Defined to 1 if the library has been compiled to support filesystem writes on POST
++ * (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
++
+ #endif /* UPNP_CONFIG_H */
+ 
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1366,9 +1366,13 @@ static int http_RecvPostMessage(
+ if (Fp == NULL)
+ return HTTP_INTERNAL_SERVER_ERROR;
+ } else {
++#ifdef UPNP_ENABLE_POST_WRITE
+ Fp = fopen(filename, "wb");
+ if (Fp == NULL)
+ return HTTP_UNAUTHORIZED;
++#else
++ return HTTP_NOT_FOUND;
++#endif
+ }
+ parser->position = POS_ENTITY;
+ do {
diff -Nru libupnp-1.6.19+git20141001/debian/patches/series libupnp-1.6.19+git20141001/debian/patches/series
--- libupnp-1.6.19+git20141001/debian/patches/series 2014-10-04 05:26:29.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/series 2016-10-19 21:00:43.000000000 +0100
@@ -5,3 +5,4 @@
 18-url-upnpstrings.patch
 19_fix_tests.patch
 21_fix-1.6.19+git.patch
+CVE-2016-6255.patch
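Review bot: The `--enable-postwrite` help text added in the configure.ac hunk describes the option neutrally, although the `fopen(filename, "wb")` path it guards is exactly the CVE-2016-6255 behaviour and is otherwise left untouched by this patch — no additional check is added on where `filename` resolves. Anyone rebuilding the package or a device firmware with that flag gets the old write-anything behaviour back without any hint in `./configure --help`. I would make the help string say so, `RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests (INSECURE: restores CVE-2016-6255 behaviour)])`, and put the same warning in the `upnpconfig.h.in` comment. The patch changes configure.ac and upnpconfig.h.in but not the generated configure script, so the new option only exists if the Debian build re-runs autoreconf; the secure default appears to hold either way, since the `#undef UPNP_ENABLE_POST_WRITE` line leaves the macro undefined unless configure defines it. The enclosing http_RecvPostMessage() begins and ends outside the hunk.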
diff -Nru libupnp-1.6.19+git20160116/debian/changelog libupnp-1.6.19+git20160116/debian/changelog
--- libupnp-1.6.19+git20160116/debian/changelog 2016-01-17 01:04:37.000000000 +0000
+++ libupnp-1.6.19+git20160116/debian/changelog 2016-10-19 21:03:51.000000000 +0100
@@ -1,3 +1,12 @@
+libupnp (1:1.6.19+git20160116-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Don't allow unhandled POSTs to write to the filesystem by
+ default (Closes: #831857) (CVE-2016-6255)
+ Thanks to Matthew Garrett for the patch.
+
+ -- James Cowgill <jcowg...@debian.org> Wed, 19 Oct 2016 21:03:51 +0100
+
 libupnp (1:1.6.19+git20160116-1) unstable; urgency=medium
 
  * Update to latest git:
diff -Nru libupnp-1.6.19+git20160116/debian/patches/CVE-2016-6255.patch libupnp-1.6.19+git20160116/debian/patches/CVE-2016-6255.patch
--- libupnp-1.6.19+git20160116/debian/patches/CVE-2016-6255.patch 1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20160116/debian/patches/CVE-2016-6255.patch 2016-10-18 21:07:50.000000000 +0100
@@ -0,0 +1,61 @@
+From c91a8a3903367e1163765b73eb4d43be7d7927fa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mj...@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+
+Signed-off-by: Marcelo Roberto Jimenez <mrobe...@users.sourceforge.net>
+---
+ configure.ac | 4 ++++
+ upnp/inc/upnpconfig.h.in | 5 +++++
+ upnp/src/genlib/net/http/webserver.c | 4 ++++
+ 3 files changed, 13 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -495,6 +495,10 @@ if test "x$enable_blocking_tcp_connectio
+ AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h])
+ fi
+ 
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++ AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+ 
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+ 
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -131,5 +131,10 @@
+ * header (i.e. configure --enable-unspecified_server) */
+ #undef UPNP_ENABLE_UNSPECIFIED_SERVER
+ 
++/** Defined to 1 if the library has been compiled to support filesystem writes on POST
++ * (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
++
+ #endif /* UPNP_CONFIG_H */
+ 
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1366,9 +1366,13 @@ static int http_RecvPostMessage(
+ if (Fp == NULL)
+ return HTTP_INTERNAL_SERVER_ERROR;
+ } else {
++#ifdef UPNP_ENABLE_POST_WRITE
+ Fp = fopen(filename, "wb");
+ if (Fp == NULL)
+ return HTTP_UNAUTHORIZED;
++#else
++ return HTTP_NOT_FOUND;
++#endif
+ }
+ parser->position = POS_ENTITY;
+ do {
diff -Nru libupnp-1.6.19+git20160116/debian/patches/series libupnp-1.6.19+git20160116/debian/patches/series
--- libupnp-1.6.19+git20160116/debian/patches/series 2016-01-17 00:59:28.000000000 +0000
+++ libupnp-1.6.19+git20160116/debian/patches/series 2016-10-18 21:07:32.000000000 +0100
@@ -8,3 +8,4 @@
 24-miniserver_IPV4_INADDR_ANY.patch
 27-LFS-fix-32bit-large_files.patch
 28-fix-git-version.patch
+CVE-2016-6255.patch
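Review bot: The new `return HTTP_NOT_FOUND;` in the webserver.c hunk leaves the function before `parser->position = POS_ENTITY;` and the read loop that follows it, so on this path the POST entity body is never consumed; whether the unread bytes are drained or the socket is simply closed is decided by the caller, which is outside the hunk, and is worth confirming so that a peer reusing the connection cannot have its body interpreted as the next request. A one-line comment on the new branch would spare the next reader the same question, e.g. `/* Unhandled POST: refuse instead of writing to disk (CVE-2016-6255); body is left unread, caller must close the connection */`. Answering 404 for a method the server does not handle is also slightly surprising — 405 Method Not Allowed would be the conventional status — though keeping the status identical to the upstream commit is defensible for a security update. http_RecvPostMessage() starts and ends outside the hunk.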