Bug#930357: marked as done (stretch-pu: package miniupnpd/1.8.20140523-4.1+deb9u2 CVE-2019-12107, CVE-2019-12108, CVE-2019-12109, CVE-2019-12110)

Debian Bug Tracking System Mon, 04 Nov 2019 08:40:50 -0800

Your message dated Mon, 4 Nov 2019 17:37:37 +0100
with message-id <c71f9be1-f958-21cc-5361-28df4e288...@debian.org>
and subject line Uploaded
has caused the Debian Bug report #930357,
regarding stretch-pu: package miniupnpd/1.8.20140523-4.1+deb9u2 CVE-2019-12107, 
CVE-2019-12108, CVE-2019-12109, CVE-2019-12110
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930357: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930357
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

Please allow me to upload miniupnpd/1.8.20140523-4.1+deb9u2, as the
security team told me the CVE in the Subject do not need a DSA.

The upload only adds the upstream patches, Stretch doesn't seem to
be affected by CVE-2019-12111. On top of that, the fixed version adds
a change to debian/gbp.conf (only branch names), please allow this to
get in as well, as this simplifies the packaging update tasks.

Debdiff attached, pre-built packages available from here:
http://sid.gplhost.com/stretch-proposed-updates/miniupnpd/

Cheers,

Thomas Goirand (zigo)

diff -Nru miniupnpd-1.8.20140523/debian/changelog 
miniupnpd-1.8.20140523/debian/changelog
--- miniupnpd-1.8.20140523/debian/changelog     2018-02-07 12:18:50.000000000 
+0100
+++ miniupnpd-1.8.20140523/debian/changelog     2019-06-07 09:16:03.000000000 
+0200
@@ -1,3 +1,11 @@
+miniupnpd (1.8.20140523-4.1+deb9u2) stretch; urgency=medium
+
+  * Applied upstream patches for CVE-2019-12107, CVE-2019-12108,
+    CVE-2019-12109, CVE-2019-12110. This version looks like not affected by
+    CVE-2019-12111. (Closes: #930050).
+
+ -- Thomas Goirand <z...@debian.org>  Fri, 07 Jun 2019 09:16:03 +0200
+
 miniupnpd (1.8.20140523-4.1+deb9u1) stretch; urgency=medium
 
   * Apply patch from upstream for CVE-2017-1000494 (Closes: #887129).
diff -Nru miniupnpd-1.8.20140523/debian/gbp.conf 
miniupnpd-1.8.20140523/debian/gbp.conf
--- miniupnpd-1.8.20140523/debian/gbp.conf      2014-12-09 15:37:29.000000000 
+0100
+++ miniupnpd-1.8.20140523/debian/gbp.conf      2019-06-07 09:16:03.000000000 
+0200
@@ -1,6 +1,6 @@
 [DEFAULT]
-upstream-branch = upstream-sid
-debian-branch = debian-sid
+upstream-branch = upstream-stretch
+debian-branch = debian-stretch
 pristine-tar = True
 
 [git-buildpackage]
diff -Nru 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
--- 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
    2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,57 @@
+Description: CVE-2019-12107: upnp_event_prepare(): check the return value of 
snprintf()
+Author: Thomas Bernard <miniu...@free.fr>
+Date: Tue, 18 Dec 2018 22:37:14 +0100
+Origin: upstream, 
https://github.com/miniupnp/miniupnp/commit/bec6ccec63cadc95655721bc0e1dd49dac759d94
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpevents.c
+===================================================================
+--- miniupnpd.orig/upnpevents.c
++++ miniupnpd/upnpevents.c
+@@ -383,19 +383,34 @@ static void upnp_event_prepare(struct up
+               l = 0;
+       }
+       obj->buffersize = 1024;
+-      obj->buffer = malloc(obj->buffersize);
+-      if(!obj->buffer) {
+-              syslog(LOG_ERR, "%s: malloc returned NULL", 
"upnp_event_prepare");
+-              if(xml) {
+-                      free(xml);
++      for (;;) {
++              obj->buffer = malloc(obj->buffersize);
++              if(!obj->buffer) {
++                      syslog(LOG_ERR, "%s: malloc returned NULL", 
"upnp_event_prepare");
++                      if(xml) {
++                              free(xml);
++                      }
++                      obj->state = EError;
++                      return;
+               }
+-              obj->state = EError;
+-              return;
++              obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
++                                     obj->path, obj->addrstr, obj->portstr, 
l+2,
++                                     obj->sub->uuid, obj->sub->seq,
++                                     l, xml);
++              if (obj->tosend < 0) {
++                      syslog(LOG_ERR, "%s: snprintf() failed", 
"upnp_event_prepare");
++                      if(xml) {
++                              free(xml);
++                      }
++                      obj->state = EError;
++                      return;
++              } else if (obj->tosend < obj->buffersize) {
++                      break; /* the buffer was large enough */
++              }
++              /* Try again with a buffer big enough */
++              free(obj->buffer);
++              obj->buffersize = obj->tosend + 1;      /* reserve space for 
the final 0 */
+       }
+-      obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
+-                             obj->path, obj->addrstr, obj->portstr, l+2,
+-                             obj->sub->uuid, obj->sub->seq,
+-                             l, xml);
+       if(xml) {
+               free(xml);
+               xml = NULL;
diff -Nru 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
--- 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
     1970-01-01 01:00:00.000000000 +0100
+++ 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
     2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,25 @@
+Subject: CVE-2019-12108: GetOutboundPinholeTimeout: check args
+Author: Thomas Bernard <miniu...@free.fr>
+Date: Tue, 18 Dec 2018 22:54:51 +0100
+Origin: upstream, 
https://github.com/miniupnp/miniupnp/commit/13585f15c7f7dc28bbbba1661efb280d530d114c.patch
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpsoap.c
+===================================================================
+--- miniupnpd.orig/upnpsoap.c
++++ miniupnpd/upnpsoap.c
+@@ -1651,6 +1651,13 @@ GetOutboundPinholeTimeout(struct upnphtt
+       rem_port = GetValueFromNameValueList(&data, "RemotePort");
+       protocol = GetValueFromNameValueList(&data, "Protocol");
+ 
++      if (!int_port || !ext_port || !protocol)
++      {
++              ClearNameValueList(&data);
++              SoapError(h, 402, "Invalid Args");
++              return;
++      }
++
+       rport = (unsigned short)atoi(rem_port);
+       iport = (unsigned short)atoi(int_port);
+       proto = atoi(protocol);
diff -Nru 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch
 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch
--- 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12109_fix_error_from_commit_13585f1.patch
    2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,20 @@
+Subject: CVE-2019-12109 fix error from commit 
13585f15c7f7dc28bbbba1661efb280d530d114c
+From: Thomas Bernard <miniu...@free.fr>
+Date: Tue, 18 Dec 2018 23:47:54 +0100
+Origin: upstream, 
https://github.com/miniupnp/miniupnp/commit/86030db849260dd8fb2ed975b9890aef1b62b692.patch
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpsoap.c
+===================================================================
+--- miniupnpd.orig/upnpsoap.c
++++ miniupnpd/upnpsoap.c
+@@ -1651,7 +1651,7 @@ GetOutboundPinholeTimeout(struct upnphtt
+       rem_port = GetValueFromNameValueList(&data, "RemotePort");
+       protocol = GetValueFromNameValueList(&data, "Protocol");
+ 
+-      if (!int_port || !ext_port || !protocol)
++      if (!int_port || !rem_port || !protocol)
+       {
+               ClearNameValueList(&data);
+               SoapError(h, 402, "Invalid Args");
diff -Nru 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch
 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch
--- 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch
  2019-06-07 09:16:03.000000000 +0200
@@ -0,0 +1,21 @@
+Subject: CVE-2019-12110: upnp_redirect(): accept NULL desc argument
+Author: Thomas Bernard <miniu...@free.fr>
+Date: Tue, 18 Dec 2018 22:59:18 +0100
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+diff --git a/upnpredirect.c b/upnpredirect.c
+index 7c179b62..74926f08 100644
+--- a/upnpredirect.c
++++ b/upnpredirect.c
+@@ -279,6 +279,10 @@
+                                "%hu->%s:%hu %s", eport, iaddr, iport, 
protocol);
+               return -3;
+       }
++
++      if (desc == NULL)
++              desc = "";      /* assume empty description */
++
+       r = get_redirect_rule(ext_if_name, eport, proto,
+                             iaddr_old, sizeof(iaddr_old), &iport_old, 0, 0,
+                             0, 0,
diff -Nru miniupnpd-1.8.20140523/debian/patches/series 
miniupnpd-1.8.20140523/debian/patches/series
--- miniupnpd-1.8.20140523/debian/patches/series        2018-02-07 
12:18:49.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/series        2019-06-07 
09:16:03.000000000 +0200
@@ -5,3 +5,7 @@
 0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch
 0060_iptables_check.patch
 CVE-2017-1000494.patch
+CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
+CVE-2019-12108_GetOutboundPinholeTimeout_check_args.patch
+CVE-2019-12109_fix_error_from_commit_13585f1.patch
+CVE-2019-12110_upnp_redirect_accept_NULL_desc_argument.patch

--- End Message ---

--- Begin Message ---

Hi Adam,

The package was uploaded at the end of July, and was as much as I can
tell, accepted, so I'm closing this bug.

Thomas Goirand (zigo)

--- End Message ---

Bug#930357: marked as done (stretch-pu: package miniupnpd/1.8.20140523-4.1+deb9u2 CVE-2019-12107, CVE-2019-12108, CVE-2019-12109, CVE-2019-12110)

Reply via email to