Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libupnp4

Hi,

same thing as libupnp, I've uploaded an NMU for libupnp4, fixing the
various buffer overflows.

On top of that, I've enabled hardening flags since it processes
untrusted input from the network, it'd help preventing vulnerabilities
to be exploited.

unblock libupnp4/1.8.0~svn20100507-1.2

Thanks in advance.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u libupnp4-1.8.0~svn20100507/debian/rules libupnp4-1.8.0~svn20100507/debian/rules
--- libupnp4-1.8.0~svn20100507/debian/rules
+++ libupnp4-1.8.0~svn20100507/debian/rules
@@ -2,6 +2,9 @@
 
 # Uncomment this to turn on verbose mode. 
 #export DH_VERBOSE=1
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
 
 %:
 	dh --with quilt,autotools-dev $@
diff -u libupnp4-1.8.0~svn20100507/debian/control libupnp4-1.8.0~svn20100507/debian/control
--- libupnp4-1.8.0~svn20100507/debian/control
+++ libupnp4-1.8.0~svn20100507/debian/control
@@ -4,7 +4,8 @@
 Homepage: http://pupnp.sourceforge.net/
 Maintainer: Nick Leverton <n...@leverton.org>
 Build-Depends: debhelper (>= 7.0.50), quilt (>= 0.46-8~),
- autotools-dev (>= 20100122.1~), autoconf, automake, libtool, doxygen, graphviz
+ autotools-dev (>= 20100122.1~), autoconf, automake, libtool, doxygen, graphviz,
+ dpkg-dev (>= 1.16.1~)
 Standards-Version: 3.8.4
 
 Package: libupnp4
diff -u libupnp4-1.8.0~svn20100507/debian/changelog libupnp4-1.8.0~svn20100507/debian/changelog
--- libupnp4-1.8.0~svn20100507/debian/changelog
+++ libupnp4-1.8.0~svn20100507/debian/changelog
@@ -1,3 +1,17 @@
+libupnp4 (1.8.0~svn20100507-1.2) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
+    various stack-based buffer overflows in service_unique_name() function.
+    This fix CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
+    CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699459
+  * debian/rules:
+    - enable hardening flags.
+  * debian/control:
+    - add build-dep on dpkg-dev (>= 1.16.1~)
+
+ -- Yves-Alexis Perez <cor...@debian.org>  Fri, 01 Feb 2013 22:53:13 +0100
+
 libupnp4 (1.8.0~svn20100507-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -u libupnp4-1.8.0~svn20100507/debian/patches/series libupnp4-1.8.0~svn20100507/debian/patches/series
--- libupnp4-1.8.0~svn20100507/debian/patches/series
+++ libupnp4-1.8.0~svn20100507/debian/patches/series
@@ -12,0 +13 @@
+0001-Security-fix-for-CERT-issue-VU-922681.patch
only in patch2:
unchanged:
--- libupnp4-1.8.0~svn20100507.orig/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.patch
+++ libupnp4-1.8.0~svn20100507/debian/patches/0001-Security-fix-for-CERT-issue-VU-922681.patch
@@ -0,0 +1,105 @@
+Fix for VU#922681
+
+This includes fix for various CVEs by more or less backporting the whole unique_service_name() function from 1.6.18.
+
+CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
+CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
+CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
+CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
+CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
+CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
+CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
+CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
+
+--- a/upnp/src/ssdp/ssdp_server.c
++++ b/upnp/src/ssdp/ssdp_server.c
+@@ -416,7 +416,7 @@ int unique_service_name(IN char *cmd, IN
+     char *ptr2 = NULL;
+     char *ptr3 = NULL;
+     int CommandFound = 0;
+-    int length = 0;
++    size_t n = (size_t)0;
+ 
+     if( ( TempPtr = strstr( cmd, "uuid:schemas" ) ) != NULL ) {
+         ptr1 = strstr( cmd, ":device" );
+@@ -433,16 +433,23 @@ int unique_service_name(IN char *cmd, IN
+         }
+ 
+         if( ptr3 != NULL ) {
+-            sprintf( Evt->UDN, "uuid:%s", ptr3 + 1 );
++            if (strlen("uuid:") + strlen(ptr3 + 1) >= sizeof Evt->UDN)
++                return -1;
++            snprintf(Evt->UDN, sizeof Evt->UDN, "uuid:%s", ptr3 + 1);
+         } else {
+             return -1;
+         }
+ 
+         ptr1 = strstr( cmd, ":" );
+         if( ptr1 != NULL ) {
+-            strncpy( TempBuf, ptr1, ptr3 - ptr1 );
+-            TempBuf[ptr3 - ptr1] = '\0';
+-            sprintf( Evt->DeviceType, "urn%s", TempBuf );
++            n = (size_t)ptr3 - (size_t)ptr1;
++            n = n >= sizeof TempBuf ? sizeof TempBuf - 1 : n;
++            strncpy(TempBuf, ptr1, n);
++            TempBuf[n] = '\0';
++            if (strlen("urn") + strlen(TempBuf) >= sizeof(Evt->DeviceType))
++                return -1;
++            snprintf(Evt->DeviceType, sizeof(Evt->DeviceType),
++                "urn%s", TempBuf);
+         } else {
+             return -1;
+         }
+@@ -451,10 +458,13 @@ int unique_service_name(IN char *cmd, IN
+ 
+     if( ( TempPtr = strstr( cmd, "uuid" ) ) != NULL ) {
+         if( ( Ptr = strstr( cmd, "::" ) ) != NULL ) {
+-            strncpy( Evt->UDN, TempPtr, Ptr - TempPtr );
+-            Evt->UDN[Ptr - TempPtr] = '\0';
++            n = (size_t)Ptr - (size_t)TempPtr;
++            n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
++            strncpy(Evt->UDN, TempPtr, n);
++            Evt->UDN[n] = '\0';
+         } else {
+-            strcpy( Evt->UDN, TempPtr );
++            memset(Evt->UDN, 0, sizeof(Evt->UDN));
++            strncpy(Evt->UDN, TempPtr, sizeof Evt->UDN - 1);
+         }
+         CommandFound = 1;
+     }
+@@ -462,7 +472,9 @@ int unique_service_name(IN char *cmd, IN
+     if( strstr( cmd, "urn:" ) != NULL
+         && strstr( cmd, ":service:" ) != NULL ) {
+         if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
+-            strcpy( Evt->ServiceType, TempPtr );
++            memset(Evt->ServiceType, 0, sizeof Evt->ServiceType);
++            strncpy(Evt->ServiceType, TempPtr,
++                sizeof Evt->ServiceType - 1);
+             CommandFound = 1;
+         }
+     }
+@@ -470,7 +482,9 @@ int unique_service_name(IN char *cmd, IN
+     if( strstr( cmd, "urn:" ) != NULL
+         && strstr( cmd, ":device:" ) != NULL ) {
+         if( ( TempPtr = strstr( cmd, "urn" ) ) != NULL ) {
+-            strcpy( Evt->DeviceType, TempPtr );
++            memset(Evt->DeviceType, 0, sizeof Evt->DeviceType);
++            strncpy(Evt->DeviceType, TempPtr,
++                sizeof Evt->DeviceType - 1);
+             CommandFound = 1;
+         }
+     }
+@@ -478,9 +492,10 @@ int unique_service_name(IN char *cmd, IN
+     if( ( TempPtr = strstr( cmd, "::upnp:rootdevice" ) ) != NULL ) {
+         /* Everything before "::upnp::rootdevice" is the UDN. */
+         if( TempPtr != cmd ) {
+-            length = TempPtr - cmd;
+-            strncpy(Evt->UDN, cmd, length);
+-            Evt->UDN[length] = 0;
++            n = (size_t)TempPtr - (size_t)cmd;
++            n = n >= sizeof Evt->UDN ? sizeof Evt->UDN - 1 : n;
++            strncpy(Evt->UDN, cmd, n);
++            Evt->UDN[n] = 0;
+             CommandFound = 1;
+         }
+     }

Reply via email to