This software should not be in main. It seems to be very buggy and
dangerous.
- auto-starts a network-listening port on all interfaces
- needlessly runs as root
- off-by-one in packet parsing can trigger crashes on unlucky alignment
  minissdpd.c line ~290
- walk off end of memory without length check in "cache-control" packet
  minissdpd.c line ~314
- spews DEBUG and INFO level syslog lines on device updates/discovery
- unchecked malloc uses
- linefeed injection in service requests
- multiple buffer overflows in processRequest
- unchecked decoded lengths
- unchecked buffer creation length
- integer overflows in decoded lengths
- write null byte arbitrarily in heap
- could read stack memory out on requests (including canary if our canary
  wasn't null-started)
    add bogus service with giant "location" entry
    read back with type==1 and matching "st"
- unchecked write lengths (could get interrupted)
- does not clean up /var/run files correctly
** Changed in: minissdpd (Ubuntu)
Status: Confirmed => Incomplete
** Changed in: minissdpd (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
https://bugs.launchpad.net/bugs/813313
Title:
[mir] minissdpd
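The unchecked and overflowing decoded lengths and the linefeed injection listed in the report are all input-validation failures on length-prefixed request fields. As an added example (not code from minissdpd or from the report), here is a bounds-checked field decoder in C; the wire format and the names `decode_length` and `decode_field` are assumptions made for illustration.

```c
#include <stddef.h>

/* Assumed wire format (not taken from the report): each field is a base-128
 * length prefix (high bit set = more prefix bytes follow), then that many bytes. */

/* Decode the length prefix at buf[*pos]. Returns 0 on success, -1 on error. */
static int decode_length(const unsigned char *buf, size_t buflen,
                         size_t *pos, size_t *len)
{
    size_t n = 0;
    int i;
    for (i = 0; i < 4; i++) {      /* at most 4 prefix bytes: n < 2^28, cannot overflow */
        unsigned char c;
        if (*pos >= buflen)
            return -1;             /* prefix runs past the received data */
        c = buf[(*pos)++];
        n = (n << 7) | (c & 0x7f);
        if (!(c & 0x80)) {
            *len = n;
            return 0;
        }
    }
    return -1;                     /* over-long prefix */
}

/* Copy one field into out, NUL-terminated. Returns 0 on success, -1 if the
 * field is truncated, does not fit in out, or contains CR, LF or NUL. */
int decode_field(const unsigned char *buf, size_t buflen, size_t *pos,
                 char *out, size_t outsz)
{
    size_t len, i, p = *pos;
    if (outsz == 0 || decode_length(buf, buflen, &p, &len) < 0)
        return -1;
    if (len > buflen - p)          /* p <= buflen here, so the subtraction cannot wrap */
        return -1;
    if (len >= outsz)              /* keep one byte for the terminator */
        return -1;
    for (i = 0; i < len; i++) {
        unsigned char c = buf[p + i];
        if (c == '\r' || c == '\n' || c == '\0')
            return -1;             /* rejects linefeed injection */
        out[i] = (char)c;
    }
    out[len] = '\0';
    *pos = p + len;                /* the cursor advances only on success */
    return 0;
}
```

The caller's cursor is left untouched on any failure, so a malformed request can be dropped without partially consumed state.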