On Tue, Dec 13, 2016 at 02:03:50PM +0100, Sébastien Delafond wrote:
> On Dec/13, Uwe Kleine-König wrote:
> > Do you consider CVE-2016-6255 and CVE-2016-8863 bad enough to make a
> > security update for it? If so, I suggest the following debdiff.
> 
> Yes, the first one is bad, so let's fix both via a DSA.

I had the impression that the 2nd might be bad, too. There is no public
exploit available, but AFAIK writing to unallocated memory is dangerous?

> Could you please provide a debdiff with 1:1.6.19+git20141001-1+deb8u1 as
> a version, instead of 1.1 ?

Yeah, I wondered if the version is right and trusted dch --security to
do the right thing. Find below a debdiff using +deb8u1.

Best regards
Uwe

dpkg-source: warning: extracting unsigned source package (/home/uwe/tm/libupnp_1.6.19+git20141001-1+deb8u1.dsc)
diff -Nru libupnp-1.6.19+git20141001/debian/changelog 
libupnp-1.6.19+git20141001/debian/changelog
--- libupnp-1.6.19+git20141001/debian/changelog 2014-10-23 22:48:01.000000000 
+0200
+++ libupnp-1.6.19+git20141001/debian/changelog 2016-12-13 11:46:31.000000000 
+0100
@@ -1,3 +1,11 @@
+libupnp (1:1.6.19+git20141001-1+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * backport fixes for CVE-2016-6255 and CVE-2016-8863
+    (Closes: #831857, #842093)
+
+ -- Uwe Kleine-König <uklei...@debian.org>  Tue, 13 Dec 2016 11:46:31 +0100
+
 libupnp (1:1.6.19+git20141001-1) unstable; urgency=low
 
   * Ack both NMUs, thankyou for your care of this package.
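Review bot: the changelog entry names the two CVEs but says nothing about what each one fixes; security uploads conventionally carry one line per CVE so that the DSA text and the changelog agree, for example `* CVE-2016-6255: do not write unhandled POST requests to the filesystem by default` and `* CVE-2016-8863: fix out-of-bound access in create_url_list()`, both taken from the patch subjects below.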
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch 
libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch       
1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch       
2016-12-13 11:46:31.000000000 +0100
@@ -0,0 +1,63 @@
+From c91a8a3903367e1163765b73eb4d43be7d7927fa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mj...@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+
+Signed-off-by: Marcelo Roberto Jimenez <mrobe...@users.sourceforge.net>
+Bug: https://sourceforge.net/p/pupnp/bugs/132/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
+Bug-Debian: https://bugs.debian.org/831857
+---
+ configure.ac                         |    4 ++++
+ upnp/inc/upnpconfig.h.in             |    4 ++++
+ upnp/src/genlib/net/http/webserver.c |    4 ++++
+ 3 files changed, 12 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -495,6 +495,10 @@
+         AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h])
+ fi
+ 
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise 
unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++      AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+ 
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+ 
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -131,5 +131,9 @@
+  * header (i.e. configure --enable-unspecified_server) */
+ #undef UPNP_ENABLE_UNSPECIFIED_SERVER
+ 
++/** Defined to 1 if the library has been compiled to support filesystem 
writes on POST
++ * (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
+ #endif /* UPNP_CONFIG_H */
+ 
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1366,9 +1366,13 @@
+               if (Fp == NULL)
+                       return HTTP_INTERNAL_SERVER_ERROR;
+       } else {
++#ifdef UPNP_ENABLE_POST_WRITE
+               Fp = fopen(filename, "wb");
+               if (Fp == NULL)
+                       return HTTP_UNAUTHORIZED;
++#else
++              return HTTP_NOT_FOUND;
++#endif
+       }
+       parser->position = POS_ENTITY;
+       do {
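Review bot: the DEP-3 header of this patch has no Origin: or Applied-Upstream: line, unlike CVE-2016-8863.patch; since the From line carries upstream commit c91a8a3903367e1163765b73eb4d43be7d7927fa, adding `Origin: upstream, commit:c91a8a3903367e1163765b73eb4d43be7d7927fa` makes the provenance machine-readable. The webserver.c hunk is also a behaviour change rather than a plain bug fix: an unhandled POST now gets HTTP_NOT_FOUND unless the package is built with --enable-postwrite, which deserves a sentence in the changelog for anyone who relied on the old write-through default.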
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch 
libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch       
1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch       
2016-12-13 11:46:31.000000000 +0100
@@ -0,0 +1,59 @@
+From 8d48f5cf63973c452cb4578a1fbe623ba95a8e65 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <uklei...@debian.org>
+Date: Thu, 8 Dec 2016 17:11:53 +0100
+Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
+
+If there is an invalid URL in URLS->buf after a valid one, uri_parse is
+called with out pointing after the allocated memory. As uri_parse writes
+to *out before returning an error the loop in create_url_list must be
+stopped early to prevent an out-of-bound access
+
+Bug: https://sourceforge.net/p/pupnp/bugs/133/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
+Bug-Debian: https://bugs.debian.org/842093
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
+Applied-Upstream: 1.6.x, commit:a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b
+
+---
+ upnp/src/gena/gena_device.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/upnp/src/gena/gena_device.c
++++ b/upnp/src/gena/gena_device.c
+@@ -1113,7 +1113,7 @@
+       /*! [out] . */
+       URL_list *out)
+ {
+-    size_t URLcount = 0;
++    size_t URLcount = 0, URLcount2 = 0;
+     size_t i;
+     int return_code = 0;
+     uri_type temp;
+@@ -1155,16 +1155,23 @@
+         }
+         memcpy( out->URLs, URLS->buff, URLS->size );
+         out->URLs[URLS->size] = 0;
+-        URLcount = 0;
+         for( i = 0; i < URLS->size; i++ ) {
+             if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
+                 if( ( ( return_code =
+                         parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
+-                                   &out->parsedURLs[URLcount] ) ) ==
++                                   &out->parsedURLs[URLcount2] ) ) ==
+                       HTTP_SUCCESS )
+-                    && ( out->parsedURLs[URLcount].hostport.text.size !=
++                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
+                          0 ) ) {
+-                    URLcount++;
++                    URLcount2++;
++                  if (URLcount2 >= URLcount)
++                          /*
++                           * break early here in case there is a bogus URL 
that
++                           * was skipped above. This prevents to access
++                           * out->parsedURLs[URLcount] which is beyond the
++                           * allocation.
++                           */
++                          break;
+                 } else {
+                     if( return_code == UPNP_E_OUTOF_MEMORY ) {
+                         free( out->URLs );
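Review bot: the commit message refers to uri_parse ("uri_parse is called with out pointing after the allocated memory") while the code in the hunk calls parse_uri; the message should use the name that appears in gena_device.c. Two smaller points in the same hunk: the added `if (URLcount2 >= URLcount)` block is indented two columns less than the `URLcount2++;` it follows, and the comment's "This prevents to access" reads better as "This prevents accessing". The fix itself is sound: once URLcount2 reaches the count from the first pass, no further parse_uri call can target out->parsedURLs[URLcount]. Unrelated to this CVE but visible in the context line, parse_uri receives URLS->size - i + 1 as the length although only URLS->size - i bytes (counting the NUL stored at out->URLs[URLS->size]) follow &out->URLs[i + 1]; worth checking upstream whether parse_uri relies on that length or stops at the NUL.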
diff -Nru libupnp-1.6.19+git20141001/debian/patches/series 
libupnp-1.6.19+git20141001/debian/patches/series
--- libupnp-1.6.19+git20141001/debian/patches/series    2014-10-04 
06:26:29.000000000 +0200
+++ libupnp-1.6.19+git20141001/debian/patches/series    2016-12-13 
11:46:31.000000000 +0100
@@ -5,3 +5,5 @@
 18-url-upnpstrings.patch
 19_fix_tests.patch
 21_fix-1.6.19+git.patch
+CVE-2016-6255.patch
+CVE-2016-8863.patch
