Package: release.debian.org Severity: grave User: release.debian....@packages.debian.org Usertags: unblock
Dear release team, I have just uploaded a new version of MiniUPnPd which fixes 5 issues found in a security audit by someone at Google. Please unblock miniupnpd/1.8.20140523-4. Cheers, Thomas Goirand (zigo)
diff -Nru miniupnpd-1.8.20140523/debian/changelog miniupnpd-1.8.20140523/debian/changelog
--- miniupnpd-1.8.20140523/debian/changelog 2014-11-04 09:01:40.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/changelog 2014-12-09 14:37:29.000000000 +0000
@@ -1,3 +1,9 @@
+miniupnpd (1.8.20140523-4) unstable; urgency=high
+
+ * Fixes multiple vulnerabilities (Closes: #772644).
+
+ -- Thomas Goirand <z...@debian.org> Tue, 09 Dec 2014 22:29:04 +0800
+
 miniupnpd (1.8.20140523-3) unstable; urgency=medium
 * Do not install the configuration file in /etc/miniupnpd, use /usr/share
diff -Nru miniupnpd-1.8.20140523/debian/patches/0010_fix_upnp_add_inboundpinhole.patch miniupnpd-1.8.20140523/debian/patches/0010_fix_upnp_add_inboundpinhole.patch
--- miniupnpd-1.8.20140523/debian/patches/0010_fix_upnp_add_inboundpinhole.patch 1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/0010_fix_upnp_add_inboundpinhole.patch 2014-12-09 14:37:29.000000000 +0000
@@ -0,0 +1,43 @@
+Description: miniupnpd/upnppinhole.c: fix upnp_add_inboundpinhole()
+ check inet_pton() return
+Author: Thomas Bernard <miniu...@free.fr>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/d00b75782e7d73e78d0b935cee6f4873bc48c9e8.patch
+Date: Tue, 9 Dec 2014 10:52:26 +0100
+Bug-Debian: https://bugs.debian.org/772644
+Last-Update: 2014-12-09
+
+diff --git a/upnppinhole.c b/miniupnpd/upnppinhole.c
+index 08f1cf6..932bc11 100644
+--- a/upnppinhole.c
++++ b/upnppinhole.c
+@@ -88,10 +88,10 @@ upnp_check_outbound_pinhole(int proto, int * timeout)
+ #endif
+
+ /* upnp_add_inboundpinhole()
+- * returns: 0 on success
+- * -1 failed to add pinhole
+- * -2 already created
+- * -3 inbound pinhole disabled
++ * returns: 1 on success
++ * -1 Pinhole space exhausted
++ * -4 invalid arguments
++ * -42 not implemented
+ * TODO : return uid on success (positive) or error value (negative)
+ */
+ int
+@@ -109,10 +109,11 @@ upnp_add_inboundpinhole(const char * raddr,
+ unsigned int timestamp;
+ struct in6_addr address;
+
+- if(inet_pton(AF_INET6, iaddr, &address) < 0)
+- {
+- syslog(LOG_ERR, "inet_pton(%s) : %m", iaddr);
+- return 0;
++ r = inet_pton(AF_INET6, iaddr, &address);
++ if(r <= 0) {
++ syslog(LOG_ERR, "inet_pton(%d, %s, %p) FAILED",
++ AF_INET6, iaddr, &address);
++ return -4;
+ }
+ current = time(NULL);
+ timestamp = current + leasetime;
diff -Nru miniupnpd-1.8.20140523/debian/patches/0020_check_inet_aton_return.patch miniupnpd-1.8.20140523/debian/patches/0020_check_inet_aton_return.patch
--- miniupnpd-1.8.20140523/debian/patches/0020_check_inet_aton_return.patch 1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/0020_check_inet_aton_return.patch 2014-12-09 14:37:29.000000000 +0000
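Review bot: The new failure log `syslog(LOG_ERR, "inet_pton(%d, %s, %p) FAILED", AF_INET6, iaddr, &address)` prints the address of a stack variable with `%p`, which discloses a stack address to anyone able to read the log and adds nothing for diagnosis; `syslog(LOG_ERR, "inet_pton(%d, %s) FAILED", AF_INET6, iaddr);` carries the same information. The return-value comment now lists 1, -1, -4 and -42, but only the -4 path is visible in this hunk, so callers of upnp_add_inboundpinhole() should be checked against the old `0 on success` convention — a caller still testing `== 0` would misread every result. `r` is assigned without a visible declaration and is presumably declared above the hunk — confirm. The body of upnp_add_inboundpinhole() continues outside the hunk.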
@@ -0,0 +1,22 @@
+Description: miniupnpd/upnpredirect.c: check inet_aton() return
+Author: Thomas Bernard <miniu...@free.fr>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/7c91c4e933e96b913b72685d093126d282b87db6.patch
+Date: Tue, 9 Dec 2014 10:53:52 +0100
+Bug-Debian: https://bugs.debian.org/772644
+Last-Update: 2014-12-09
+
+diff --git a/upnpredirect.c b/upnpredirect.c
+index 5a50c6d..28560ab 100644
+--- a/upnpredirect.c
++++ b/upnpredirect.c
+@@ -268,8 +268,8 @@ upnp_redirect(const char * rhost, unsigned short eport,
+ unsigned int timestamp;
+
+ proto = proto_atoi(protocol);
+- if(inet_aton(iaddr, &address) < 0) {
+- syslog(LOG_ERR, "inet_aton(%s) : %m", iaddr);
++ if(inet_aton(iaddr, &address) <= 0) {
++ syslog(LOG_ERR, "inet_aton(%s) FAILED", iaddr);
+ return -1;
+ }
+
diff -Nru miniupnpd-1.8.20140523/debian/patches/0030_fix_potential_memory_corruption_in_upnpsoap.c_GetListOfPortMappings.patch miniupnpd-1.8.20140523/debian/patches/0030_fix_potential_memory_corruption_in_upnpsoap.c_GetListOfPortMappings.patch
--- miniupnpd-1.8.20140523/debian/patches/0030_fix_potential_memory_corruption_in_upnpsoap.c_GetListOfPortMappings.patch 1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/0030_fix_potential_memory_corruption_in_upnpsoap.c_GetListOfPortMappings.patch 2014-12-09 14:37:29.000000000 +0000
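Review bot: The corrected test `inet_aton(iaddr, &address) <= 0` now rejects unparsable input, but inet_aton() also accepts abbreviated, octal and hexadecimal notations, so a successful return does not mean iaddr is a canonical dotted-quad; if the string form of iaddr is later compared with the client address or stored as given, `inet_pton(AF_INET, iaddr, &address) != 1` is the stricter check to use here. Dropping `%m` from the message is right, since inet_aton() does not set errno. The remainder of upnp_redirect() is outside the hunk, so how the parsed address and the original string are used afterwards is not visible here.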
@@ -0,0 +1,41 @@
+Subject: miniupnpd/upnpsoap.c: fix potential memory corruption in upnpsoap.c/GetListOfPortMappings()
+ Credits goes to Stephen Röttger of the Google Security Team for identifying
+ the vulnerabilities
+Author: Thomas Bernard <miniu...@free.fr>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/e6bc04aa06341fa4df3ccae87a167e9adf816911.patch
+Bug-Debian: https://bugs.debian.org/772644
+Date: Tue, 9 Dec 2014 11:01:37 +0100
+
+Index: miniupnpd/upnpsoap.c
+===================================================================
+--- miniupnpd.orig/upnpsoap.c 2014-07-14 15:08:01.000000000 +0800
++++ miniupnpd/upnpsoap.c 2014-12-09 22:11:34.000000000 +0800
+@@ -1006,6 +1006,7 @@
+ body = realloc(body, bodyalloc);
+ if(!body)
+ {
++ syslog(LOG_CRIT, "realloc(%p, %u) FAILED", body_sav, (unsigned)bodyalloc);
+ ClearNameValueList(&data);
+ SoapError(h, 501, "ActionFailed");
+ free(body_sav);
+@@ -1030,6 +1031,20 @@
+ free(port_list);
+ port_list = NULL;
+
++ if((bodylen + sizeof(list_end) + 1024) > bodyalloc)
++ {
++ char * body_sav = body;
++ bodyalloc += (sizeof(list_end) + 1024);
++ body = realloc(body, bodyalloc);
++ if(!body)
++ {
++ syslog(LOG_CRIT, "realloc(%p, %u) FAILED", body_sav, (unsigned)bodyalloc);
++ ClearNameValueList(&data);
++ SoapError(h, 501, "ActionFailed");
++ free(body_sav);
++ return;
++ }
++ }
+ memcpy(body+bodylen, list_end, sizeof(list_end));
+ bodylen += (sizeof(list_end) - 1);
+ bodylen += snprintf(body+bodylen, bodyalloc-bodylen, resp_end,
diff -Nru miniupnpd-1.8.20140523/debian/patches/0040_fix_buffer_overrun_in_ParseHttpHeaders.patch miniupnpd-1.8.20140523/debian/patches/0040_fix_buffer_overrun_in_ParseHttpHeaders.patch
--- miniupnpd-1.8.20140523/debian/patches/0040_fix_buffer_overrun_in_ParseHttpHeaders.patch 1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/0040_fix_buffer_overrun_in_ParseHttpHeaders.patch 2014-12-09 14:37:29.000000000 +0000
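Review bot: The last line of the second hunk still does `bodylen += snprintf(body+bodylen, bodyalloc-bodylen, resp_end, ...)`, and snprintf() returns the length the output would have had rather than the bytes written; the new guard reserves `sizeof(list_end) + 1024` bytes on an assumption about the expanded size of resp_end, so if that expansion were ever longer, bodylen would exceed bodyalloc and whatever later sends `bodylen` bytes would read past the buffer. Capture the return value, treat `n < 0 || n >= (int)(bodyalloc - bodylen)` as the same failure as the realloc() error path, and only then add it to bodylen; better still, derive the slack from `sizeof(resp_end)` plus the maximum width of its arguments instead of the literal 1024. The sequence `ClearNameValueList / SoapError / free(body_sav) / return` now appears twice in this function and would read better as one labelled cleanup. The snprintf argument list and the rest of GetListOfPortMappings() are outside the hunk.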
@@ -0,0 +1,22 @@
+Description: miniupnpd/upnphttp.c: fix buffer overrun in ParseHttpHeaders() if Content-Length doesn't contain any digit
+ Credits goes to Stephen Röttger of the Google Security Team for identifying
+ the vulnerabilities
+Author: Thomas Bernard <miniu...@free.fr>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/dd39ecaa935a9c23176416b38a3b80d577f21048.patch
+Date: Tue, 9 Dec 2014 11:02:57 +0100
+Bug-Debian: https://bugs.debian.org/772644
+Last-Update: 2014-12-09
+
+diff --git a/upnphttp.c b/upnphttp.c
+index 9e9e7d0..499879f 100644
+--- a/upnphttp.c
++++ b/upnphttp.c
+@@ -223,7 +223,7 @@ ParseHttpHeaders(struct upnphttp * h)
+ if(strncasecmp(line, "Content-Length", 14)==0)
+ {
+ p = colon;
+- while(*p < '0' || *p > '9')
++ while((*p < '0' || *p > '9') && (*p != '\r') && (*p != '\n'))
+ p++;
+ h->req_contentlen = atoi(p);
+ if(h->req_contentlen < 0) {
diff -Nru miniupnpd-1.8.20140523/debian/patches/0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch miniupnpd-1.8.20140523/debian/patches/0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch
--- miniupnpd-1.8.20140523/debian/patches/0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch 1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch 2014-12-09 14:37:29.000000000 +0000
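Review bot: The widened loop `while((*p < '0' || *p > '9') && (*p != '\r') && (*p != '\n'))` stops at a line end but still not at a NUL, so it relies on the request buffer always holding a CRLF after this header; adding `&& (*p != '\0')` costs nothing and removes that dependency. The value is then converted with `atoi(p)`, which has undefined behaviour on overflow and reports no error, so an oversized Content-Length is only caught by the later `< 0` test when the conversion happens to come out negative; `strtol` with an `ERANGE` check and an explicit upper bound would make the rejection deterministic. ParseHttpHeaders() and the handling of the parsed length continue outside the hunk.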
@@ -0,0 +1,101 @@
+Description: miniupnpd: check if BuildHeader_upnphttp() failed to allocate memory
+Author: Thomas Bernard <miniu...@free.fr>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/ec94c5663fe80dd6ceea895c73e2be66b1ef6bf4.patch
+Date: Tue, 9 Dec 2014 11:04:15 +0100
+Bug-Debian: https://bugs.debian.org/772644
+Last-Update: 2014-12-09
+
+diff --git a/upnphttp.c b/upnphttp.c
+index 499879f..f23832a 100644
+--- a/upnphttp.c
++++ b/upnphttp.c
+@@ -986,7 +986,7 @@ static const char httpresphead[] =
+ /* with response code and response message
+ * also allocate enough memory */
+
+-void
++int
+ BuildHeader_upnphttp(struct upnphttp * h, int respcode,
+ const char * respmsg,
+ int bodylen)
+@@ -1000,7 +1000,7 @@ BuildHeader_upnphttp(struct upnphttp * h, int respcode,
+ h->res_buf = (char *)malloc(templen);
+ if(!h->res_buf) {
+ syslog(LOG_ERR, "malloc error in BuildHeader_upnphttp()");
+- return;
++ return -1;
+ }
+ h->res_buf_alloclen = templen;
+ }
+@@ -1079,8 +1079,10 @@ BuildHeader_upnphttp(struct upnphttp * h, int respcode,
+ else
+ {
+ syslog(LOG_ERR, "realloc error in BuildHeader_upnphttp()");
++ return -1;
+ }
+ }
++ return 0;
+ }
+
+ void
+@@ -1088,8 +1090,8 @@ BuildResp2_upnphttp(struct upnphttp * h, int respcode,
+ const char * respmsg,
+ const char * body, int bodylen)
+ {
+- BuildHeader_upnphttp(h, respcode, respmsg, bodylen);
+- if(body)
++ int r = BuildHeader_upnphttp(h, respcode, respmsg, bodylen);
++ if(body && (r >= 0))
+ memcpy(h->res_buf + h->res_buflen, body, bodylen);
+ h->res_buflen += bodylen;
+ }
+diff --git a/upnphttp.h b/upnphttp.h
+index 4bd7f9b..70fef8f 100644
+--- a/upnphttp.h
++++ b/upnphttp.h
+@@ -136,8 +136,9 @@ Process_upnphttp(struct upnphttp *);
+
+ /* BuildHeader_upnphttp()
+ * build the header for the HTTP Response
+- * also allocate the buffer for body data */
+-void
++ * also allocate the buffer for body data
++ * return -1 on error */
++int
+ BuildHeader_upnphttp(struct upnphttp * h, int respcode,
+ const char * respmsg,
+ int bodylen);
+diff --git a/upnpsoap.c b/upnpsoap.c
+index efd0658..e8db166 100644
+--- a/upnpsoap.c
++++ b/upnpsoap.c
+@@ -45,17 +45,21 @@ BuildSendAndCloseSoapResp(struct upnphttp * h,
+ "</s:Body>"
+ "</s:Envelope>\r\n";
+
+- BuildHeader_upnphttp(h, 200, "OK", sizeof(beforebody) - 1
+- + sizeof(afterbody) - 1 + bodylen );
++ int r = BuildHeader_upnphttp(h, 200, "OK", sizeof(beforebody) - 1
++ + sizeof(afterbody) - 1 + bodylen );
+
+- memcpy(h->res_buf + h->res_buflen, beforebody, sizeof(beforebody) - 1);
+- h->res_buflen += sizeof(beforebody) - 1;
++ if(r >= 0) {
++ memcpy(h->res_buf + h->res_buflen, beforebody, sizeof(beforebody) - 1);
++ h->res_buflen += sizeof(beforebody) - 1;
+
+- memcpy(h->res_buf + h->res_buflen, body, bodylen);
+- h->res_buflen += bodylen;
++ memcpy(h->res_buf + h->res_buflen, body, bodylen);
++ h->res_buflen += bodylen;
+
+- memcpy(h->res_buf + h->res_buflen, afterbody, sizeof(afterbody) - 1);
+- h->res_buflen += sizeof(afterbody) - 1;
++ memcpy(h->res_buf + h->res_buflen, afterbody, sizeof(afterbody) - 1);
++ h->res_buflen += sizeof(afterbody) - 1;
++ } else {
++ BuildResp2_upnphttp(h, 500, "Internal Server Error", NULL, 0);
++ }
+
+ SendRespAndClose_upnphttp(h);
+ }
diff -Nru miniupnpd-1.8.20140523/debian/patches/series miniupnpd-1.8.20140523/debian/patches/series
--- miniupnpd-1.8.20140523/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ miniupnpd-1.8.20140523/debian/patches/series 2014-12-09 14:37:29.000000000 +0000
@@ -0,0 +1,5 @@
+0010_fix_upnp_add_inboundpinhole.patch
+0020_check_inet_aton_return.patch
+0030_fix_potential_memory_corruption_in_upnpsoap.c_GetListOfPortMappings.patch
+0040_fix_buffer_overrun_in_ParseHttpHeaders.patch
+0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch
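Review bot: In BuildResp2_upnphttp() (fourth hunk of upnphttp.c) `h->res_buflen += bodylen;` still runs when BuildHeader_upnphttp() returned -1, so res_buflen then counts bodylen bytes that were never copied and the subsequent send would read beyond a res_buf that is NULL or too small; the increment belongs inside the guard, `if(body && (r >= 0)) { memcpy(h->res_buf + h->res_buflen, body, bodylen); h->res_buflen += bodylen; }`. The fallback in BuildSendAndCloseSoapResp() calls `BuildResp2_upnphttp(h, 500, "Internal Server Error", NULL, 0)`, which invokes BuildHeader_upnphttp() again; after an allocation failure that retry is likely to fail too, and `SendRespAndClose_upnphttp(h)` is called regardless, so it is worth confirming that function tolerates res_buf == NULL or a zero res_buflen. The header comment in upnphttp.h now says `return -1 on error`; adding `0 on success` would complete the contract. The bodies of BuildHeader_upnphttp() and the other changed functions extend outside the hunks.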