Package: miniupnpd
Version: 1.8.20140523-3
Severity: grave
Tags: security patch

Stephen Röttger from Google did a security audit of MiniUPnPd, and found a few issues, all now fixed upstream. Extract from private messages which were forwarded to me (but which is fine to disclose since there's already some public commits):

> MiniUPnP is vulnerable to DNS rebinding attacks which allow an attacker to
> trigger upnp actions through a malicious website. Wikipedia describes the
> attack quite well: http://en.wikipedia.org/wiki/DNS_rebinding.
> To mitigate this attack, MiniUPnP should check if the request's host header
> either contains an IP address or the hostname of the device.
>
> Besides that, I found a few memory corruption vulnerabilities in the code.

Fixes:
https://github.com/miniupnp/miniupnp/commit/d00b75782e7d73e78d0b935cee6f4873bc48c9e8
https://github.com/miniupnp/miniupnp/commit/7c91c4e933e96b913b72685d093126d282b87db6

Some memory corruption fix:
https://github.com/miniupnp/miniupnp/commit/e6bc04aa06341fa4df3ccae87a167e9adf816911

A buffer overrun in ParseHttpHeaders() fix:
https://github.com/miniupnp/miniupnp/commit/dd39ecaa935a9c23176416b38a3b80d577f21048

Added check if BuildHeader_upnphttp() failed to allocate memory:
https://github.com/miniupnp/miniupnp/commit/ec94c5663fe80dd6ceea895c73e2be66b1ef6bf4

I'm following-up with an upload in a few minutes.

Cheers,

Thomas Goirand (zigo)

