On 07/26/2016 10:51 PM, Bálint Réczey wrote:
> Hi Nick,
>
> 2016-07-19 15:35 GMT+02:00 Nick Leverton <n...@leverton.org>:
>> On Tue, Jul 19, 2016 at 08:54:18AM +0200, Chris Lamb wrote:
>>> Hello dear maintainer(s),
>>>
>>> the Debian LTS team would like to fix the security issues which are
>>> currently open in the Wheezy version of libupnp:
>>> https://security-tracker.debian.org/tracker/TEMP-0000000-867096
>>>
>>> Would you like to take care of this yourself?
>>
>> Hi,
>>
>> Thanks very much for the heads-up on this. I've a bit to do for Squeeze
>> at the moment and would really appreciate any help your team can provide
>> on LTS. If I do get enough time though I'll check in on your task
>> tracker as suggested.
>
> I will prepare a fix for Wheezy tomorrow.
It took some more time, but I also reported the problem upstream in their
public bug tracker: https://sourceforge.net/p/pupnp/bugs/132/

Please see the attached patch, which I will upload in a few days if upstream
does not react.

The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

Cheers,
Balint
diff -Nru libupnp-1.6.17/debian/changelog libupnp-1.6.17/debian/changelog --- libupnp-1.6.17/debian/changelog 2013-02-01 21:56:14.000000000 +0100 +++ libupnp-1.6.17/debian/changelog 2016-07-27 19:05:24.000000000 +0200 @@ -1,3 +1,12 @@ +libupnp (1:1.6.17-1.2+deb7u1) wheezy-security; urgency=medium + + * Non-maintainer upload by the LTS Team + * Don't allow unhandled POSTs to write to the filesystem by + default (Closes: #831857) (CVE-2016-6255) + Thanks to Matthew Garrett for the patch. + + -- Balint Reczey <bal...@balintreczey.hu> Wed, 27 Jul 2016 19:01:31 +0200 + libupnp (1:1.6.17-1.2) unstable; urgency=high * Non-maintainer upload by the Security Team. diff -Nru libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch --- libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch 1970-01-01 01:00:00.000000000 +0100 +++ libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch 2016-07-27 19:01:19.000000000 +0200 
@@ -0,0 +1,59 @@ +From be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <mj...@srcf.ucam.org> +Date: Tue, 23 Feb 2016 13:53:20 -0800 +Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by + default + +If there's no registered handler for a POST request, the default behaviour +is to write it to the filesystem. Several million deployed devices appear +to have this behaviour, making it possible to (at least) store arbitrary +data on them. Add a configure option that enables this behaviour, and change +the default to just drop POSTs that aren't directly handled. +--- + configure.ac | 4 ++++ + upnp/inc/upnpconfig.h.in | 5 +++++ + upnp/src/genlib/net/http/webserver.c | 4 ++++ + 3 files changed, 13 insertions(+) + +--- a/configure.ac ++++ b/configure.ac +@@ -452,6 +452,10 @@ + AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h]) + fi + ++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests]) ++if test "x$enable_postwrite" = xyes ; then ++ AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h]) ++fi + + RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code]) + +--- a/upnp/inc/upnpconfig.h.in ++++ b/upnp/inc/upnpconfig.h.in +@@ -131,5 +131,10 @@ + * header (i.e. configure --enable-unspecified_server) */ + #undef UPNP_ENABLE_UNSPECIFIED_SERVER + ++/** Defined to 1 if the library has been compiled to support filesystem writes on POST ++ * (i.e. 
configure --enable-postwrite) */ ++#undef UPNP_ENABLE_POST_WRITE ++ ++ + #endif /* UPNP_CONFIG_H */ + +--- a/upnp/src/genlib/net/http/webserver.c ++++ b/upnp/src/genlib/net/http/webserver.c +@@ -1354,9 +1354,13 @@ + if (Fp == NULL) + return HTTP_INTERNAL_SERVER_ERROR; + } else { ++#ifdef UPNP_ENABLE_POST_WRITE + Fp = fopen(filename, "wb"); + if (Fp == NULL) + return HTTP_UNAUTHORIZED; ++#else ++ return HTTP_NOT_FOUND; ++#endif + } + parser->position = POS_ENTITY; + do { diff -Nru libupnp-1.6.17/debian/patches/series libupnp-1.6.17/debian/patches/series --- libupnp-1.6.17/debian/patches/series 2013-02-01 18:36:23.000000000 +0100 +++ libupnp-1.6.17/debian/patches/series 2016-07-27 19:00:56.000000000 +0200 @@ -4,3 +4,4 @@ 12-debian-always-debug.patch 18-url-upnpstrings.patch 0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch +0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch
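Review bot: the help string in the configure.ac hunk, `RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])`, describes the feature but not its consequence; since the commit message says this behaviour lets anyone store arbitrary data on the device, the description should flag it, e.g. `[write to the filesystem on otherwise unhandled POST requests (insecure, off by default)]`, so a downstream that re-enables it sees the warning at configure time.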
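Review bot: the upnpconfig.h.in hunk adds two consecutive blank lines (`++` followed by `++`) between `#undef UPNP_ENABLE_POST_WRITE` and `#endif /* UPNP_CONFIG_H */`, while the neighbouring entries such as `#undef UPNP_ENABLE_UNSPECIFIED_SERVER` are separated by a single blank line; drop one of the two added blank lines to match.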
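Review bot: in the webserver.c hunk the `#else` branch does `return HTTP_NOT_FOUND;` before `parser->position = POS_ENTITY;` and the `do {` loop that reads the entity, so the POST body is left unread on the connection and the caller has to discard it or close the socket; that, and the choice of 404 (the resource does not exist) rather than a method-not-allowed or forbidden status for "POST is not accepted here", should be stated in a comment next to the return so the branch is not mistaken for a missing-file case.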
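Review bot: the debian/changelog hunk sets `urgency=medium` for the CVE-2016-6255 fix, a remote unauthenticated write to the filesystem, whereas the previous security NMU in the same hunk, `libupnp (1:1.6.17-1.2) unstable; urgency=high`, used high; consider matching it. The entry also credits the patch author but does not record the upstream bug the mail points at (https://sourceforge.net/p/pupnp/bugs/132/), which is worth adding for traceability.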