Your message dated Sat, 05 Nov 2016 18:17:09 +0000
with message-id <e1c35wf-000hlo...@fasolo.debian.org>
and subject line Bug#816759: fixed in minissdpd 1.2.20130907-3+deb8u1
has caused the Debian Bug report #816759,
regarding minissdpd: CVE-2016-3178 CVE-2016-3179
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
816759: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816759
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: minissdpd
Version: 1.2.20130907-3
Justification: renders package unusable
Severity: grave
Tags: security patch
Dear Maintainer,
The following bug report provides the technical description and bug fixes
and has been extracted from the detailed security advisory
at http://speirofr.appspot.com/files/advisory/SPADV-2016-02.md
Best,
Vulnerability details
=====================
The minissdpd daemon (version: 1.2.20130907-3) contains a
improper validation of array index vulnerability (CWE-129)
when processing requests sent to the Unix socket at /var/run/minissdpd.sock
the Unix socket can be accessed by an unprivileged user to send invalid
request causes an out-of-bounds memory access that crashes the minissdpd
daemon.
Technical Details
=================
The vulnerability can be triggered by a local unprivileged user performs
the following request:
$ echo -en '\x04\x01\x60\x8f\xff\xff\xff\x7f\x0a' | nc.openbsd -U
/var/run/minissdpd.sock
The request is processed by the processRequest() function at minissdpd.c
which identifies the request of type=4, and performs the parsing of the
"new service" request, the decoding of the length of the usn field
performed at
line 663, sets l = 0xffffffff, with p = buf+4, and n = 9, the negative
length
l=-1 passes the check at line 664 with (buf+4-1) < (buf + 9), continuing
with
the allocation of the usn field at line 673, that initialises newserv->usn =
malloc(0), where in the case of Linux malloc(3) the allocator returns a
pointer
that can be later passed to free(). The line 668 attempts to copy
0xffffffff
bytes from the message pointer p to newserv->usn, that causes the daemon to
perform an out-of-bound memory access writing outside the allocated buffer.
~~~
663 DECODELENGTH_CHECKLIMIT(l, p, buf + n);
664 if(p+l > buf+n) {
665 syslog(LOG_WARNING, "bad request (length encoding)");
666 goto error;
667 }
...
673 newserv->usn = malloc(l + 1);
674 if(!newserv->usn) {
675 syslog(LOG_ERR, "cannot allocate memory");
676 goto error;
677 }
668 memcpy(newserv->usn, p, l);
~~~
The problem is the incorrect validation on the length returned by the
DECODELENGTH_CHECKLIMIT macro at line 664, that does not consider negative
length values. The fix of the length has already been applied to the
upstream
minissdpd repository see [2], the bug happens at multiple locations after
the
DECODELENGTH_CHECKLIMIT macro that also need to be fixed:
~~~
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
- if(p+l > buf+n) {
+ if(l > (unsigned)(buf+n-p)) {
syslog(LOG_ERR, "cannot allocate memory");
goto error;
}
~~~
After performing the corrections of the length check the minissdpd daemon
properly detects the invalid negative values and performs error handling.
However, the error handling code at line 753 attempts to free the undefined
memory contents that newserv = malloc() allocated at line 642.
~~~
753 if(newserv) {
754 free(newserv->st);
755 free(newserv->usn);
756 free(newserv->server);
757 free(newserv->location);
758 free(newserv);
759 newserv = NULL;
760 }
~~~
The issue is corrected by applying initialising the contents of the newserv
to zero [3].
That causes free() to correctly operate when freeing the uninitialised
struct fields.
~~~
642 newserv = malloc(sizeof(struct service));
643 if(!newserv) {
644 syslog(LOG_ERR, "cannot allocate memory");
645 goto error;
646 }
+ memset(newserv, 0, sizeof(struct service));
~~~
Solution
========
Apply the proposed fixes, contained in the patch below.
~~~
>From 2f6746a0c00872b977cc81452d77463aa39609e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speir...@gmail.com>
Date: Fri, 4 Mar 2016 12:38:18 +0100
Subject: [PATCH] Fix minissdpd.c handling of request with negative length
---
minissdpd.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/minissdpd.c b/minissdpd.c
index 520a6c5..1cd079e 100644
--- a/minissdpd.c
+++ b/minissdpd.c
@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req)
type = buf[0];
p = buf + 1;
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
- if(p+l > buf+n) {
+ if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)");
goto error;
}
@@ -644,6 +644,7 @@ void processRequest(struct reqelem * req)
syslog(LOG_ERR, "cannot allocate memory");
goto error;
}
+ memset(newserv, 0, sizeof(struct service));
if(containsForbiddenChars(p, l)) {
syslog(LOG_ERR, "bad request (st contains forbidden chars)");
goto error;
@@ -661,7 +662,7 @@ void processRequest(struct reqelem * req)
goto error;
}
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
- if(p+l > buf+n) {
+ if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)");
goto error;
}
@@ -679,7 +680,7 @@ void processRequest(struct reqelem * req)
newserv->usn[l] = '\0';
p += l;
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
- if(p+l > buf+n) {
+ if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)");
goto error;
}
@@ -697,7 +698,7 @@ void processRequest(struct reqelem * req)
newserv->server[l] = '\0';
p += l;
DECODELENGTH_CHECKLIMIT(l, p, buf + n);
- if(p+l > buf+n) {
+ if(l > (unsigned)(buf+n-p)) {
syslog(LOG_WARNING, "bad request (length encoding)");
goto error;
}
--
2.1.4
~~~
Affected versions
=================
Debian: https://packages.debian.org/jessie/minissdpd
minissdpd version 1.2.20130907-3
Ubuntu: https://launchpad.net/ubuntu/+source/minissdpd
minissdpd version 1.2.20130907-3
History
=======
2016/03/04 - Vendor notified
Credits
=======
Vulnerability found and advisory written by Salva Peiró.
References
==========
[1] https://speirofr.appspot.com/files/advisory/SPADV-2016-02.md
[2]
https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47
[3]
https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages minissdpd depends on:
ii libc6 2.19-18+deb8u1
minissdpd recommends no packages.
minissdpd suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: minissdpd
Source-Version: 1.2.20130907-3+deb8u1
We believe that the bug you reported is fixed in the latest version of
minissdpd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 816...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated minissdpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 24 Oct 2016 22:46:46 +0100
Source: minissdpd
Binary: minissdpd
Architecture: source
Version: 1.2.20130907-3+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Thomas Goirand <z...@debian.org>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
minissdpd - keep memory of all UPnP devices that announced themselves
Closes: 816759
Changes:
minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high
.
* Non-maintainer upload.
* Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759)
The minissdpd daemon contains a improper validation of array index
vulnerability (CWE-129) when processing requests sent to the Unix
socket at /var/run/minissdpd.sock the Unix socket can be accessed
by an unprivileged user to send invalid request causes an
out-of-bounds memory access that crashes the minissdpd daemon.
Checksums-Sha1:
1d4e123c34c7e3d23a1d61ead86f4be2dcfd4ecd 1912
minissdpd_1.2.20130907-3+deb8u1.dsc
515c45758c0e8220012c8687a60fefd1526ae7eb 6440
minissdpd_1.2.20130907-3+deb8u1.debian.tar.xz
Checksums-Sha256:
2104bb177beee002212ea9fac5eafb848b666bdcda10b1cf6833e30dba395b41 1912
minissdpd_1.2.20130907-3+deb8u1.dsc
7fb1982fcb81b2d4eb62b1fff2ad43bdc24e52a59a5e8d743d966630d00e61db 6440
minissdpd_1.2.20130907-3+deb8u1.debian.tar.xz
Files:
bafcb48b4c6d0f6bc69716a2aabc7ee0 1912 net optional
minissdpd_1.2.20130907-3+deb8u1.dsc
134860e3a3a12933aa9f2198ab666098 6440 net optional
minissdpd_1.2.20130907-3+deb8u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYGK9vAAoJEMfxZ23qLQHvw50QAIJOvs9LdZJnXS4scrWyxQft
Lc8EO1M6OszA6GVB1GuQdZb0YQNFBIB5Pi2Lnqw6TI3Rv40SFrSfRy876fPGk+TS
5aR1ChzksDcDWsuFje2QYVdxhkZ4w5j6v9iIYrUpmXwuY7oa5+5f6VF1O4gxGVVT
oWwJGw0HRAKyY2M8qwa0tZIcE7JeNBrv7/qjM+2IJDdwclMPGGjy/RE8yKGz7DyK
YfQ11Z0uIELwT7tnHZq9LF61w1BpUIV3Iibs3TgLdmtJTJdjoxqcBf2yAO6T8aCa
yA/P8uPNNmgFvxaC2tn3cfwzmmnep+15Gl6aBcDAdEw/R0kZ4CAAyfxl9ScLuVg6
fhsVGcH48AcdLQDod0XRQKFMKQMj1mnSe2b2P3eqIZHWw9r4cpe3MmMc0RGACSVF
oGfvX5ANF6xylg+23mnvF6PhOkjEkQ6NVTS39j7ycBajwTnXyUA0AYtAq2vBfHJH
hsRiC7ZiEmmlvKDKexySUlPu9YmfwGeewDBNCJXTnDDMlUOqtiPPEClvtQYaSDCk
s/csE+7ceIXIH0lAb9yh8usA/d3XX4NzFamw4TSeyPXXctFYgDz+HhvjM4HF9Tak
OT131qfyKIaLPwFMkDk6c7T0GwxIduLd/RKRPwt3oQXBqaKEmKDBagEjVRkO78OO
T4ZVSaD34S+C9Tlfedch
=nQVr
-----END PGP SIGNATURE-----
--- End Message ---