On jeu., 2013-01-31 at 22:25 +0100, Salvatore Bonaccorso wrote:
> > Nick, sorry for not putting you in the loop sooner. Can you prepare an
> > update for stable or do you want us to handle it?
>
> Okay, thanks for the follow-up, and for adding Nick to the loop.
>
> In case there is still open work until Monday evening I can try to
> start helping there then again.
Here's a debdiff against stable, more or less backporting the fixed unique_service_name() function from upstream 1.6.18 and minimizing the diff. I don't have a working UPnP setup, so if someone can test it to make sure it doesn't break anything, that would be appreciated. Regards, -- Yves-Alexis
diff -u libupnp-1.6.6/debian/changelog libupnp-1.6.6/debian/changelog
--- libupnp-1.6.6/debian/changelog
+++ libupnp-1.6.6/debian/changelog
@@ -1,3 +1,14 @@
+libupnp (1:1.6.6-5+squeeze1) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * debian/patches:
+ - debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
+ various stack-based buffer overflows in service_unique_name() function.
+ This fix CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
+ CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, and CVE-2012-5965.
+
+ -- Yves-Alexis Perez <cor...@debian.org> Fri, 01 Feb 2013 14:22:39 +0100
+
 libupnp (1:1.6.6-5) unstable; urgency=low
 
 * Fixes to BSD build issues (Closes: #573319, FTBFS on Gnu/kFreeBSD)
diff -u libupnp-1.6.6/debian/patches/series libupnp-1.6.6/debian/patches/series
--- libupnp-1.6.6/debian/patches/series
+++ libupnp-1.6.6/debian/patches/series
@@ -17,0 +18 @@
+0001-Security-fix-for-CERT-issue-VU-922681.patch
only in patch2:
unchanged:
--- libupnp-1.6.6.orig/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.patch
+++ libupnp-1.6.6/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.patch
@@ -0,0 +1,105 @@
+Fix for VU#922681
+
+This includes fix for various CVEs by more or less backporting the whole unique_service_name() function from 1.6.18.
+
+CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
+CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
+CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
+CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
+CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
+CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
+CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
+CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
+
+--- a/upnp/src/ssdp/ssdp_server.c
++++ b/upnp/src/ssdp/ssdp_server.c
+@@ -412,7 +412,7 @@ int unique_service_name(IN char *cmd, IN
+ char *ptr2 = NULL;
+ char *ptr3 = NULL;
+ int CommandFound = 0;
+- int length = 0;
++ size_t n = (size_t)0;
+ 
+ if( ( TempPtr = strstr( cmd, "uuid:schemas" ) ) != NULL ) {
+ ptr1 = strstr( cmd, ":device" );
+@@ -429,16 +429,23 @@ int unique_service_name(IN char *cmd, IN
+ }
+ 
+ if( ptr3 != NULL ) {
+- sprintf( Evt->UDN, "uuid:%s", ptr3 + 1 );
++ if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
++ return -1;
++ snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
+ } else {
+ return -1;
+ }
+ 
+ ptr1 = strstr( cmd, ":" );
+ if( ptr1 != NULL ) {
+- strncpy( TempBuf, ptr1, ptr3 - ptr1 );
+- TempBuf[ptr3 - ptr1] = '\0';
+- sprintf( Evt->DeviceType, "urn%s", TempBuf );
++ n = (size_t)ptr3 - (size_t)ptr1;
++ n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
++ strncpy(TempBuf, ptr1, n);
++ TempBuf[n] = '\0';
++ if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
++ return -1;
++ snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
++ "urn%s", TempBuf);
+ } else {
+ return -1;
+ }
+@@ -447,10 +454,13 @@ int unique_service_name(IN char *cmd, IN
+ 
+ if( ( TempPtr = strstr( cmd, "uuid" ) ) != NULL ) {
+ if( ( Ptr = strstr( cmd, "::" ) ) != NULL ) {
+- strncpy( Evt->UDN, TempPtr, Ptr - TempPtr );
+- Evt->UDN[Ptr - TempPtr] = '\0';
++ n = (size_t)Ptr - (size_t)TempPtr;
++ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
++ strncpy(Evt->UDN, TempPtr, n);
++ Evt->UDN[n] = '\0';
+ } else {
+- strcpy( Evt->UDN, TempPtr );
++ memset(Evt->UDN, 0, sizeof(Evt->UDN));
++ strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
+ }
+ CommandFound = 1;
+ }
+@@ -458,7 +468,9 @@ int unique_service_name(IN char *cmd, IN
+ if( strstr( cmd, "urn:" ) != NULL
+ && strstr( cmd, ":service:" ) != NULL ) {
+ if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
+- strcpy( Evt->ServiceType, TempPtr );
++ memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
++ strncpy(Evt->ServiceType, TempPtr,
++ sizeof Evt->ServiceType - 1);
+ CommandFound = 1;
+ }
+ }
+@@ -466,7 +478,9 @@ int unique_service_name(IN char *cmd, IN
+ if( strstr( cmd, "urn:" ) != NULL
+ && strstr( cmd, ":device:" ) != NULL ) {
+ if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
+- strcpy( Evt->DeviceType, TempPtr );
++ memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
++ strncpy(Evt->DeviceType, TempPtr,
++ sizeof Evt->DeviceType - 1);
+ CommandFound = 1;
+ }
+ }
+@@ -474,9 +488,10 @@ int unique_service_name(IN char *cmd, IN
+ if( ( TempPtr = strstr( cmd, "::upnp:rootdevice" ) ) != NULL ) {
+ /* Everything before "::upnp::rootdevice" is the UDN. */
+ if( TempPtr != cmd ) {
+- length = TempPtr - cmd;
+- strncpy(Evt->UDN, cmd, length);
+- Evt->UDN[length] = 0;
++ n = (size_t)TempPtr - (size_t)cmd;
++ n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
++ strncpy(Evt->UDN, cmd, n);
++ Evt->UDN[n] = 0;
+ CommandFound = 1;
+ }
+ }
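Review bot: In the `"::"` branch of the `uuid` block, `n = (size_t)Ptr - (size_t)TempPtr;` wraps to a huge unsigned value whenever the `::` located by `strstr(cmd, "::")` lies before the `uuid` match (a USN of the shape `...::...uuid:...`), and the following clamp then silently copies up to `sizeof Evt->UDN - 1` bytes of `TempPtr` into `Evt->UDN` instead of rejecting the malformed string; a guard such as `if (Ptr < TempPtr) return -1;` before the subtraction keeps the write bounded and makes the intent explicit. The hunks are also inconsistent about overflow policy: the `uuid:schemas` branch returns -1 when the composed string would not fit, while the later `memset` + `strncpy` branches truncate silently, so an oversized UDN, ServiceType or DeviceType is accepted with a value different from what was sent; returning -1 there as well would match the first branch. Computing pointer differences as `(size_t)p - (size_t)q` also reads oddly in C, where `(size_t)(p - q)` expresses the same thing once `p >= q` is guaranteed. `unique_service_name()` starts and ends outside these hunks, so the derivation of `ptr3` and the function's final return path are not visible here.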