On jeu., 2013-01-31 at 22:25 +0100, Salvatore Bonaccorso wrote:
> > Nick, sorry for not putting you in the loop sooner. Can you prepare
> an
> > update for stable or do you want us to handle it?
> 
> Okay thanks for the followup, and for adding Nick to the loop.
> 
> In case there is still open work until monday evening I can try to
> start helping there then again.

Here's a debdiff against stable, more or less backporting the function
and minimizing the diff.

I don't have a working UPnP setup so if someone can test it to make sure
it doesn't break anything, it'd be nice.

Regards,
-- 
Yves-Alexis
diff -u libupnp-1.6.6/debian/changelog libupnp-1.6.6/debian/changelog
--- libupnp-1.6.6/debian/changelog
+++ libupnp-1.6.6/debian/changelog
@@ -1,3 +1,14 @@
+libupnp (1:1.6.6-5+squeeze1) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * debian/patches:
+    - debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
+      various stack-based buffer overflows in service_unique_name() function.
+      This fix CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
+      CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, and CVE-2012-5965.
+
+ -- Yves-Alexis Perez <cor...@debian.org>  Fri, 01 Feb 2013 14:22:39 +0100
+
 libupnp (1:1.6.6-5) unstable; urgency=low
 
   * Fixes to BSD build issues (Closes: #573319, FTBFS on Gnu/kFreeBSD)
diff -u libupnp-1.6.6/debian/patches/series libupnp-1.6.6/debian/patches/series
--- libupnp-1.6.6/debian/patches/series
+++ libupnp-1.6.6/debian/patches/series
@@ -17,0 +18 @@
+0001-Security-fix-for-CERT-issue-VU-922681.patch
only in patch2:
unchanged:
--- libupnp-1.6.6.orig/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.patch
+++ libupnp-1.6.6/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.patch
@@ -0,0 +1,105 @@
+Fix for VU#922681
+
+This includes fix for various CVEs by more or less backporting the whole unique_service_name() function from 1.6.18.
+
+CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
+CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
+CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
+CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
+CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
+CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
+CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
+CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
+
+--- a/upnp/src/ssdp/ssdp_server.c
++++ b/upnp/src/ssdp/ssdp_server.c
+@@ -412,7 +412,7 @@ int unique_service_name(IN char *cmd, IN
+     char *ptr2 = NULL;
+     char *ptr3 = NULL;
+     int CommandFound = 0;
+-    int length = 0;
++    size_t n = (size_t)0;
+ 
+     if( ( TempPtr = strstr( cmd, "uuid:schemas" ) ) != NULL ) {
+         ptr1 = strstr( cmd, ":device" );
+@@ -429,16 +429,23 @@ int unique_service_name(IN char *cmd, IN
+         }
+ 
+         if( ptr3 != NULL ) {
+-            sprintf( Evt->UDN, "uuid:%s", ptr3 + 1 );
++            if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
++                return -1;
++            snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
+         } else {
+             return -1;
+         }
+ 
+         ptr1 = strstr( cmd, ":" );
+         if( ptr1 != NULL ) {
+-            strncpy( TempBuf, ptr1, ptr3 - ptr1 );
+-            TempBuf[ptr3 - ptr1] = '\0';
+-            sprintf( Evt->DeviceType, "urn%s", TempBuf );
++            n = (size_t)ptr3 - (size_t)ptr1;
++            n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
++            strncpy(TempBuf, ptr1, n);
++            TempBuf[n] = '\0';
++            if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
++                return -1;
++            snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
++                "urn%s", TempBuf);
+         } else {
+             return -1;
+         }
+@@ -447,10 +454,13 @@ int unique_service_name(IN char *cmd, IN
+ 
+     if( ( TempPtr = strstr( cmd, "uuid" ) ) != NULL ) {
+         if( ( Ptr = strstr( cmd, "::" ) ) != NULL ) {
+-            strncpy( Evt->UDN, TempPtr, Ptr - TempPtr );
+-            Evt->UDN[Ptr - TempPtr] = '\0';
++            n = (size_t)Ptr - (size_t)TempPtr;
++            n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
++            strncpy(Evt->UDN, TempPtr, n);
++            Evt->UDN[n] = '\0';
+         } else {
+-            strcpy( Evt->UDN, TempPtr );
++            memset(Evt->UDN, 0, sizeof(Evt->UDN));
++            strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
+         }
+         CommandFound = 1;
+     }
+@@ -458,7 +468,9 @@ int unique_service_name(IN char *cmd, IN
+     if( strstr( cmd, "urn:" ) != NULL
+         && strstr( cmd, ":service:" ) != NULL ) {
+         if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
+-            strcpy( Evt->ServiceType, TempPtr );
++            memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
++            strncpy(Evt->ServiceType, TempPtr,
++                sizeof Evt->ServiceType - 1);
+             CommandFound = 1;
+         }
+     }
+@@ -466,7 +478,9 @@ int unique_service_name(IN char *cmd, IN
+     if( strstr( cmd, "urn:" ) != NULL
+         && strstr( cmd, ":device:" ) != NULL ) {
+         if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
+-            strcpy( Evt->DeviceType, TempPtr );
++            memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
++            strncpy(Evt->DeviceType, TempPtr,
++                sizeof Evt->DeviceType - 1);
+             CommandFound = 1;
+         }
+     }
+@@ -474,9 +488,10 @@ int unique_service_name(IN char *cmd, IN
+     if( ( TempPtr = strstr( cmd, "::upnp:rootdevice" ) ) != NULL ) {
+         /* Everything before "::upnp::rootdevice" is the UDN. */
+         if( TempPtr != cmd ) {
+-            length = TempPtr - cmd;
+-            strncpy(Evt->UDN, cmd, length);
+-            Evt->UDN[length] = 0;
++            n = (size_t)TempPtr - (size_t)cmd;
++            n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
++            strncpy(Evt->UDN, cmd, n);
++            Evt->UDN[n] = 0;
+             CommandFound = 1;
+         }
+     }
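Review bot: The overflow policy is inconsistent between the hunks: the first hunk rejects an overlong UDN or DeviceType with `return -1` after the `strlen(...) >= sizeof ...` checks, while the later hunks clamp `n` to `sizeof Evt->UDN - 1` (and use `strncpy(..., sizeof ... - 1)` for ServiceType and DeviceType) and silently truncate, so a caller can get `CommandFound = 1` together with a truncated UDN, ServiceType or DeviceType. Applying the same reject-on-overflow rule before each bounded copy, e.g. `if (n >= sizeof Evt->UDN) return -1;` in place of the clamp, would keep the function's contract uniform. The `(size_t)Ptr - (size_t)TempPtr` arithmetic also relies on that clamp to absorb the wrap-around when the second marker precedes the first in `cmd`; an explicit `if (Ptr < TempPtr) return -1;` (and likewise for `ptr3`/`ptr1` and `TempPtr`/`cmd`) would make the intent visible and avoid the non-portable pointer-to-size_t cast. The enclosing unique_service_name() starts before and continues after these hunks, so the declarations of `ptr3` and the `Evt` buffers are not visible here; the `sizeof` uses presuppose fixed-size arrays, which is consistent with the changelog's "stack-based" description but should be confirmed against the header.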
