Control: tags -1 + patch Hi
Attached is the debdiff created with the patch found in the RedHat Bugtracker[1]. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=883790 But I have not tested the resulting package. Regards, Salvatore
diff -Nru libupnp-1.6.17/debian/changelog libupnp-1.6.17/debian/changelog
--- libupnp-1.6.17/debian/changelog 2012-05-08 16:59:15.000000000 +0200
+++ libupnp-1.6.17/debian/changelog 2013-01-30 23:49:00.000000000 +0100
@@ -1,3 +1,16 @@
+libupnp (1:1.6.17-1.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add 19-699316-Fix-buffer-overflows-in-unique_service_name.patch patch
+ [SECURITY]: Multiple stack-based buffer overflows in
+ unique_service_name() by processing specially-crafted SSDP request
+ (VU#922681).
+ Fixes CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961
+ CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965. (Closes: #699316)
+ (LP: #1110273)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Wed, 30 Jan 2013 23:48:11 +0100
+
 libupnp (1:1.6.17-1.1) unstable; urgency=high

 * Non-maintainer upload.
diff -Nru libupnp-1.6.17/debian/patches/19-699316-Fix-buffer-overflows-in-unique_service_name.patch libupnp-1.6.17/debian/patches/19-699316-Fix-buffer-overflows-in-unique_service_name.patch
--- libupnp-1.6.17/debian/patches/19-699316-Fix-buffer-overflows-in-unique_service_name.patch 1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.17/debian/patches/19-699316-Fix-buffer-overflows-in-unique_service_name.patch 2013-01-30 23:49:00.000000000 +0100
@@ -0,0 +1,91 @@
+Description: Fix multiple buffer overflows
+ This patch addresses three possible buffer overflows in function
+ unique_service_name(). The three issues have the folowing CVE
+ numbers:
+ .
+ CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
+ CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
+ CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
+ .
+ Notice that the following issues have already been dealt by previous
+ work:
+ .
+ CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
+ CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
+ CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
+ CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
+ CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
+Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=667153
+Bug-Debian: http://bugs.debian.org/699316
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=883790
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libupnp/+bug/1110273
+Forwarded: not-needed
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-01-30
+Applied-Upstream: yes
+
+
+--- a/upnp/src/ssdp/ssdp_server.c
++++ b/upnp/src/ssdp/ssdp_server.c
+@@ -467,16 +467,16 @@
+ else
+ return -1;
+ if (ptr3 != NULL) {
+- if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof(Evt->UDN))
++ if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
+ return -1;
+- snprintf(Evt->UDN, sizeof(Evt->UDN), "uuid:%s",
+- ptr3 + 1);
++ snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
+ }
+ else
+ return -1;
+ ptr1 = strstr(cmd, ":");
+ if (ptr1 != NULL) {
+ n = (size_t)ptr3 - (size_t)ptr1;
++ n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
+ strncpy(TempBuf, ptr1, n);
+ TempBuf[n] = '\0';
+ if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
+@@ -490,27 +490,28 @@
+ if ((TempPtr = strstr(cmd, "uuid")) != NULL) {
+ if ((Ptr = strstr(cmd, "::")) != NULL) {
+ n = (size_t)Ptr - (size_t)TempPtr;
++ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
+ strncpy(Evt->UDN, TempPtr, n);
+ Evt->UDN[n] = '\0';
+ } else {
+ memset(Evt->UDN, 0, sizeof(Evt->UDN));
+- strncpy(Evt->UDN, TempPtr, sizeof(Evt->UDN) - 1);
++ strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
+ }
+ CommandFound = 1;
+ }
+ if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":service:") != NULL) {
+ if ((TempPtr = strstr(cmd, "urn")) != NULL) {
+- memset(Evt->ServiceType, 0, sizeof(Evt->ServiceType));
++ memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
+ strncpy(Evt->ServiceType, TempPtr,
+- sizeof(Evt->ServiceType) - 1);
++ sizeof Evt->ServiceType - 1);
+ CommandFound = 1;
+ }
+ }
+ if (strstr(cmd, "urn:") != NULL && strstr(cmd, ":device:") != NULL) {
+ if ((TempPtr = strstr(cmd, "urn")) != NULL) {
+- memset(Evt->DeviceType, 0, sizeof(Evt->DeviceType));
++ memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
+ strncpy(Evt->DeviceType, TempPtr,
+- sizeof(Evt->DeviceType) - 1);
++ sizeof Evt->DeviceType - 1);
+ CommandFound = 1;
+ }
+ }
+@@ -518,6 +519,7 @@
+ /* Everything before "::upnp::rootdevice" is the UDN. */
+ if (TempPtr != cmd) {
+ n = (size_t)TempPtr - (size_t)cmd;
++ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
+ strncpy(Evt->UDN, cmd, n);
+ Evt->UDN[n] = 0;
+ CommandFound = 1;
diff -Nru libupnp-1.6.17/debian/patches/series libupnp-1.6.17/debian/patches/series
--- libupnp-1.6.17/debian/patches/series 2012-03-18 13:07:18.000000000 +0100
+++ libupnp-1.6.17/debian/patches/series 2013-01-30 23:49:00.000000000 +0100
@@ -3,3 +3,4 @@
 09-update-doc.patch
 12-debian-always-debug.patch
 18-url-upnpstrings.patch
+19-699316-Fix-buffer-overflows-in-unique_service_name.patch
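Review bot: The three added clamps (`n = n >= sizeof X ? sizeof X - 1 : n;` before the strncpy into TempBuf and the two strncpy calls into Evt->UDN) silently truncate an over-long SSDP field, while the uuid branch at the top of the first inner hunk rejects the same condition with `return -1`. A truncated UDN taken from a network packet is then handled downstream as if it were the sender's real identifier. In the second inner hunk both `TempPtr` and `Ptr` come from `strstr(cmd, ...)`, so "::" can precede "uuid"; the `size_t` subtraction then wraps and the clamp masks it rather than reporting malformed input. Consider rejecting instead, e.g. `if (Ptr < TempPtr || (size_t)(Ptr - TempPtr) >= sizeof Evt->UDN) return -1;`, with the same shape at the other two sites. unique_service_name() begins and ends outside these hunks, so whether returning -1 is acceptable at each site needs checking against the rest of the function and its callers.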