Control: tags -1 patch pending

Hi,

I am about to upload the attached NMU to finally fix this bug. I've also
attached a patch suitable for jessie-security, and a small C test program
that starts a libupnp web server, which I used to verify the fix.

Thanks,
James
/*
 * Upnp CVE-2016-6255 test program
 *
 * This program runs the webserver from libupnp, bound to 127.0.0.1 on a port
 * chosen by libupnp, serving files from the current directory. If libupnp is
 * vulnerable to CVE-2016-6255, an HTTP POST to any path without a registered
 * handler writes the request body to a file of that name under the current
 * directory. Run it from a scratch directory: on a vulnerable build anything
 * that can reach the port can create files there.
 *
 * Example (libupnp picked port 49152 here; use `ss -ltnp` or similar to find
 * the port your run bound, since stdout is discarded below):
 *
 * $ gcc -I/usr/include/upnp cve-2016-6255-test.c -lupnp -ocve-2016-6255-test
 * $ cat testfile
 * cat: testfile: No such file or directory
 * $ ./cve-2016-6255-test > /dev/null &
 * [2] 32309
 * $ curl -i --data $'FAIL\n' http://localhost:49152/testfile
 * $ cat testfile
 * FAIL
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <upnp.h>

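/*
 * Entry point: bring up a libupnp web server on the loopback interface that
 * serves (and, on a vulnerable build, accepts uploads into) the current
 * working directory, then sleep forever so it can be exercised with curl.
 *
 * Returns EXIT_FAILURE if the working directory cannot be determined or if
 * libupnp reports an error from UpnpInit()/UpnpSetWebServerRootDir();
 * otherwise it never returns (kill it with ^C or `kill %1`).
 */
int main(void)
{
	/* get_current_dir_name() allocates its result; NULL means getcwd()
	 * failed (errno set). The original passed a NULL straight into
	 * libupnp in that case. */
	char *wd = get_current_dir_name();
	int rc;

	if (wd == NULL) {
		perror("get_current_dir_name");
		return EXIT_FAILURE;
	}

	/* Loopback only, OS/libupnp-assigned port (0). The server deliberately
	 * exposes the cwd, so it must never be reachable from the network. */
	rc = UpnpInit("127.0.0.1", 0);
	printf("Init = %d\n", rc);
	/* Non-zero is an error (UPNP_E_SUCCESS is 0 in libupnp; confirm
	 * against upnp.h if in doubt). Without this check the old code went
	 * on to set a root directory on a server that never started. */
	if (rc != 0) {
		free(wd);
		return EXIT_FAILURE;
	}

	rc = UpnpSetWebServerRootDir(wd);
	printf("SetRoot = %d\n", rc);
	free(wd);
	if (rc != 0)
		return EXIT_FAILURE;

	/* Block until killed; pause() only returns when a signal is delivered. */
	for (;;)
		pause();
}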
diff -Nru libupnp-1.6.19+git20141001/debian/changelog 
libupnp-1.6.19+git20141001/debian/changelog
--- libupnp-1.6.19+git20141001/debian/changelog 2014-10-23 21:48:01.000000000 
+0100
+++ libupnp-1.6.19+git20141001/debian/changelog 2016-10-19 21:02:05.000000000 
+0100
@@ -1,3 +1,12 @@
+libupnp (1:1.6.19+git20141001-1+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload.
+  * Don't allow unhandled POSTs to write to the filesystem by
+    default (Closes: #831857) (CVE-2016-6255)
+    Thanks to Matthew Garrett for the patch.
+
+ -- James Cowgill <jcowg...@debian.org>  Wed, 19 Oct 2016 21:02:05 +0100
+
 libupnp (1:1.6.19+git20141001-1) unstable; urgency=low
 
   * Ack both NMUs, thankyou for your care of this package.
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch 
libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch       
1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch       
2016-10-19 21:00:38.000000000 +0100
@@ -0,0 +1,61 @@
+From c91a8a3903367e1163765b73eb4d43be7d7927fa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mj...@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+
+Signed-off-by: Marcelo Roberto Jimenez <mrobe...@users.sourceforge.net>
+---
+ configure.ac                         | 4 ++++
+ upnp/inc/upnpconfig.h.in             | 5 +++++
+ upnp/src/genlib/net/http/webserver.c | 4 ++++
+ 3 files changed, 13 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -495,6 +495,10 @@ if test "x$enable_blocking_tcp_connectio
+         AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h])
+ fi
+ 
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise 
unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++        AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+ 
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+ 
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -131,5 +131,10 @@
+  * header (i.e. configure --enable-unspecified_server) */
+ #undef UPNP_ENABLE_UNSPECIFIED_SERVER
+ 
++/** Defined to 1 if the library has been compiled to support filesystem 
writes on POST
++ *  (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
++
+ #endif /* UPNP_CONFIG_H */
+ 
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1366,9 +1366,13 @@ static int http_RecvPostMessage(
+               if (Fp == NULL)
+                       return HTTP_INTERNAL_SERVER_ERROR;
+       } else {
++#ifdef UPNP_ENABLE_POST_WRITE
+               Fp = fopen(filename, "wb");
+               if (Fp == NULL)
+                       return HTTP_UNAUTHORIZED;
++#else
++              return HTTP_NOT_FOUND;
++#endif
+       }
+       parser->position = POS_ENTITY;
+       do {
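Review bot: The fix is a compile-time switch only; with `--enable-postwrite` the `else` branch still does `Fp = fopen(filename, "wb")` on a name derived from the request, and nothing in this hunk shows `filename` being confined to the web-server root, so the configure help text should state plainly what the option costs, e.g. `[write bodies of otherwise unhandled POST requests to the filesystem (re-enables CVE-2016-6255; never use on an exposed host)]`. Whether `filename` is sanitised earlier cannot be seen here: http_RecvPostMessage starts and ends outside the hunk. Returning `HTTP_NOT_FOUND` for a POST to a path that may well exist for GET is slightly misleading; a 405 constant, if the status enum in this tree defines one, would describe the refusal more accurately, though 404 is at least harmless. The Debian build is safe as long as debian/rules does not pass `--enable-postwrite`, which is not shown in this mail and is worth confirming before upload.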
diff -Nru libupnp-1.6.19+git20141001/debian/patches/series 
libupnp-1.6.19+git20141001/debian/patches/series
--- libupnp-1.6.19+git20141001/debian/patches/series    2014-10-04 
05:26:29.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/series    2016-10-19 
21:00:43.000000000 +0100
@@ -5,3 +5,4 @@
 18-url-upnpstrings.patch
 19_fix_tests.patch
 21_fix-1.6.19+git.patch
+CVE-2016-6255.patch
diff -Nru libupnp-1.6.19+git20160116/debian/changelog 
libupnp-1.6.19+git20160116/debian/changelog
--- libupnp-1.6.19+git20160116/debian/changelog 2016-01-17 01:04:37.000000000 
+0000
+++ libupnp-1.6.19+git20160116/debian/changelog 2016-10-19 21:03:51.000000000 
+0100
@@ -1,3 +1,12 @@
+libupnp (1:1.6.19+git20160116-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Don't allow unhandled POSTs to write to the filesystem by
+    default (Closes: #831857) (CVE-2016-6255)
+    Thanks to Matthew Garrett for the patch.
+
+ -- James Cowgill <jcowg...@debian.org>  Wed, 19 Oct 2016 21:03:51 +0100
+
 libupnp (1:1.6.19+git20160116-1) unstable; urgency=medium
 
   * Update to latest git:
diff -Nru libupnp-1.6.19+git20160116/debian/patches/CVE-2016-6255.patch 
libupnp-1.6.19+git20160116/debian/patches/CVE-2016-6255.patch
--- libupnp-1.6.19+git20160116/debian/patches/CVE-2016-6255.patch       
1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20160116/debian/patches/CVE-2016-6255.patch       
2016-10-18 21:07:50.000000000 +0100
@@ -0,0 +1,61 @@
+From c91a8a3903367e1163765b73eb4d43be7d7927fa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mj...@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+
+Signed-off-by: Marcelo Roberto Jimenez <mrobe...@users.sourceforge.net>
+---
+ configure.ac                         | 4 ++++
+ upnp/inc/upnpconfig.h.in             | 5 +++++
+ upnp/src/genlib/net/http/webserver.c | 4 ++++
+ 3 files changed, 13 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -495,6 +495,10 @@ if test "x$enable_blocking_tcp_connectio
+         AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h])
+ fi
+ 
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise 
unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++        AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+ 
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+ 
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -131,5 +131,10 @@
+  * header (i.e. configure --enable-unspecified_server) */
+ #undef UPNP_ENABLE_UNSPECIFIED_SERVER
+ 
++/** Defined to 1 if the library has been compiled to support filesystem 
writes on POST
++ *  (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
++
+ #endif /* UPNP_CONFIG_H */
+ 
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1366,9 +1366,13 @@ static int http_RecvPostMessage(
+               if (Fp == NULL)
+                       return HTTP_INTERNAL_SERVER_ERROR;
+       } else {
++#ifdef UPNP_ENABLE_POST_WRITE
+               Fp = fopen(filename, "wb");
+               if (Fp == NULL)
+                       return HTTP_UNAUTHORIZED;
++#else
++              return HTTP_NOT_FOUND;
++#endif
+       }
+       parser->position = POS_ENTITY;
+       do {
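Review bot: The two long lines of this embedded patch, the `RT_BOOL_ARG_ENABLE([postwrite], ...` line and the upnpconfig.h.in comment, appear here split across two lines with no diff marker on the continuation, so the file as displayed would not apply with quilt; presumably this is mail-client wrapping of the attachment rather than the file itself, but check that the attachment applies cleanly before upload. The git `From:`/`Subject:` headers satisfy DEP-3 for provenance, but adding `Bug-Debian: https://bugs.debian.org/831857` under them would tie the patch file to the bug it closes without having to consult the changelog. The enclosing http_RecvPostMessage starts and ends outside the hunk, so the fate of `Fp` on the new `#else` path is fine only because the branch returns immediately; a later change that drops the early return would leave `Fp` unset for the `parser->position = POS_ENTITY` loop that follows.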
diff -Nru libupnp-1.6.19+git20160116/debian/patches/series 
libupnp-1.6.19+git20160116/debian/patches/series
--- libupnp-1.6.19+git20160116/debian/patches/series    2016-01-17 
00:59:28.000000000 +0000
+++ libupnp-1.6.19+git20160116/debian/patches/series    2016-10-18 
21:07:32.000000000 +0100
@@ -8,3 +8,4 @@
 24-miniserver_IPV4_INADDR_ANY.patch
 27-LFS-fix-32bit-large_files.patch
 28-fix-git-version.patch
+CVE-2016-6255.patch
