Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-CC: Thomas Goirand <z...@debian.org>
Hi, The attached debdiff fixes #816759 (minissdpd: CVE-2016-3178 CVE-2016-3179) for jessie. Both CVEs are tagged 'no-DSA' by the security team, i.e. no security advisory will be issued for them, so the fix is proposed through the jessie point release instead. Thanks, James -- System Information: Debian Release: stretch/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system)
diff -Nru minissdpd-1.2.20130907/debian/changelog minissdpd-1.2.20130907/debian/changelog
--- minissdpd-1.2.20130907/debian/changelog	2014-07-14 08:02:57.000000000 +0100
+++ minissdpd-1.2.20130907/debian/changelog	2016-10-24 22:46:46.000000000 +0100
@@ -1,3 +1,15 @@
+minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759)
+    The minissdpd daemon contains a improper validation of array index
+    vulnerability (CWE-129) when processing requests sent to the Unix
+    socket at /var/run/minissdpd.sock the Unix socket can be accessed
+    by an unprivileged user to send invalid request causes an
+    out-of-bounds memory access that crashes the minissdpd daemon.
+
+ -- James Cowgill <jcowg...@debian.org>  Mon, 24 Oct 2016 22:46:46 +0100
+
 minissdpd (1.2.20130907-3) unstable; urgency=medium
 
   * Removed $all from init.d script.
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch	1970-01-01 01:00:00.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch	2016-10-24 22:43:23.000000000 +0100
@@ -0,0 +1,95 @@
+Description: Fix CVE-2016-3178
+ buffer overflow while handling negative length request
+Author: Salva Peiró <speir...@gmail.com>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
++++ b/minissdpd.c
+@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req
+ 	type = buf[0];
+ 	p = buf + 1;
+ 	DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-	if(p+l > buf+n) {
++	if(l > (unsigned)(buf+n-p)) {
+ 		syslog(LOG_WARNING, "bad request (length encoding)");
+ 		goto error;
+ 	}
+@@ -661,7 +661,7 @@ void processRequest(struct reqelem * req
+ 		goto error;
+ 	}
+ 	DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-	if(p+l > buf+n) {
++	if(l > (unsigned)(buf+n-p)) {
+ 		syslog(LOG_WARNING, "bad request (length encoding)");
+ 		goto error;
+ 	}
+@@ -679,7 +679,7 @@ void processRequest(struct reqelem * req
+ 	newserv->usn[l] = '\0';
+ 	p += l;
+ 	DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-	if(p+l > buf+n) {
++	if(l > (unsigned)(buf+n-p)) {
+ 		syslog(LOG_WARNING, "bad request (length encoding)");
+ 		goto error;
+ 	}
+@@ -697,7 +697,7 @@ void processRequest(struct reqelem * req
+ 	newserv->server[l] = '\0';
+ 	p += l;
+ 	DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-	if(p+l > buf+n) {
++	if(l > (unsigned)(buf+n-p)) {
+ 		syslog(LOG_WARNING, "bad request (length encoding)");
+ 		goto error;
+ 	}
+--- a/testminissdpd.c
++++ b/testminissdpd.c
+@@ -45,6 +45,23 @@ void printresponse(const unsigned char *
+ #define SENDCOMMAND(command, size) write(s, command, size); \
+ 	printf("Command written type=%u\n", (unsigned)command[0]);
+ 
++int connect_unix_socket(const char * sockpath)
++{
++	int s;
++	struct sockaddr_un addr;
++
++	s = socket(AF_UNIX, SOCK_STREAM, 0);
++	addr.sun_family = AF_UNIX;
++	strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path));
++	if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 0) {
++		fprintf(stderr, "connecting to %s : ", addr.sun_path);
++		perror("connect");
++		exit(1);
++	}
++	printf("Connected to %s\n", addr.sun_path);
++	return s;
++}
++
+ /* test program for minissdpd */
+ int
+ main(int argc, char * * argv)
+@@ -52,6 +69,7 @@ main(int argc, char * * argv)
+ 	char command1[] = "\x01\x00urn:schemas-upnp-org:device:InternetGatewayDevice";
+ 	char command2[] = "\x02\x00uuid:fc4ec57e-b051-11db-88f8-0060085db3f6::upnp:rootdevice";
+ 	char command3[] = { 0x03, 0x00 };
++	const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f};
+ 	struct sockaddr_un addr;
+ 	int s;
+ 	int i;
+@@ -89,6 +107,15 @@ main(int argc, char * * argv)
+ 	n = read(s, buf, sizeof(buf));
+ 	printf("Response received %d bytes\n", (int)n);
+ 	printresponse(buf, n);
++	if(n == 0) {
++		close(s);
++		s = connect_unix_socket(sockpath);
++	}
++
++	n = SENDCOMMAND(bad_command4, sizeof(bad_command4));
++	n = read(s, buf, sizeof(buf));
++	printf("Response received %d bytes\n", (int)n);
++	printresponse(buf, n);
+ 
+ 	close(s);
+ 	return 0;
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch	1970-01-01 01:00:00.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3179.patch	2016-10-24 22:43:23.000000000 +0100
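Review bot: In the new connect_unix_socket() helper the return value of socket() is never checked, so a failed socket() is only reported indirectly as a connect() error on fd -1, and addr is not zeroed before strncpy copies the full sizeof(addr.sun_path), which leaves sun_path unterminated for a path of that length or longer. Even in a test driver I would add `if(s < 0) { perror("socket"); exit(1); }` right after the socket() call, start with `memset(&addr, 0, sizeof(addr));`, and copy with `sizeof(addr.sun_path) - 1`. On the daemon side the four rewritten checks compare the decoded length against the bytes left in the buffer instead of forming p+l, which removes the pointer arithmetic that could wrap for a huge l; a one-line comment at the first site, `/* compare lengths, not pointers: p+l can wrap for a huge l */`, would tell the next reader why the shape changed, on the assumption that DECODELENGTH_CHECKLIMIT already guarantees p <= buf+n (its definition is not in the hunk). The body of main() in testminissdpd.c and processRequest() in minissdpd.c both continue outside the hunk.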
@@ -0,0 +1,17 @@
+Description: Fix CVE-2016-3179
+ freeing of uninitialized pointer
+Author: Salva Peiró <speir...@gmail.com>
+Origin: upstream, https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
++++ b/minissdpd.c
+@@ -644,6 +644,7 @@ void processRequest(struct reqelem * req
+ 		syslog(LOG_ERR, "cannot allocate memory");
+ 		goto error;
+ 	}
++	memset(newserv, 0, sizeof(struct service)); /* set pointers to NULL */
+ 	if(containsForbiddenChars(p, l)) {
+ 		syslog(LOG_ERR, "bad request (st contains forbidden chars)");
+ 		goto error;
diff -Nru minissdpd-1.2.20130907/debian/patches/series minissdpd-1.2.20130907/debian/patches/series
--- minissdpd-1.2.20130907/debian/patches/series	2014-07-14 08:02:57.000000000 +0100
+++ minissdpd-1.2.20130907/debian/patches/series	2016-10-24 22:43:23.000000000 +0100
@@ -1,2 +1,4 @@
 link-with-lfreebsd-glue.patch
 using-LDFLAGS-in-Makefile.patch
+CVE-2016-3178.patch
+CVE-2016-3179.patch
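Review bot: The added memset sits after the allocation-failure check, so the `goto error` on the forbidden-chars path just below (and presumably the later length-check failures) now reaches the error label with newserv's pointer members set to NULL rather than whatever malloc left behind, which matches the "freeing of uninitialized pointer" the patch header describes. The same effect with one fewer statement is to allocate with `newserv = calloc(1, sizeof(*newserv));` on the malloc line just above the hunk (not visible here) and drop the memset; if the memset is kept, `sizeof(*newserv)` ties the size to the pointer's type instead of repeating the struct name. The enclosing processRequest() body and its error label both lie outside the hunk.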