Bug#841979: jessie-pu: package minissdpd/1.2.20130907-3

2016-11-05 Thread Adam D. Barratt
Control: tags -1 + pending

On Mon, 2016-10-31 at 21:34 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2016-10-24 at 23:29 +0100, James Cowgill wrote:
> > The attached debdiff fixes #816759 (minissdpd: CVE-2016-3178
> > CVE-2016-3179) for jessie. Both CVEs are tagged 'no-DSA' by the security
> > team.
> 
> Assuming that the resulting package has been tested on jessie, please go
> ahead.

Uploaded and flagged for acceptance.

Regards,

Adam



Processed: Re: Bug#841979: jessie-pu: package minissdpd/1.2.20130907-3

2016-11-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #841979 [release.debian.org] jessie-pu: package minissdpd/1.2.20130907-3
Added tag(s) pending.

-- 
841979: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841979
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#841979: jessie-pu: package minissdpd/1.2.20130907-3

2016-10-31 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #841979 [release.debian.org] jessie-pu: package minissdpd/1.2.20130907-3
Added tag(s) confirmed.

-- 
841979: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841979
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#841979: jessie-pu: package minissdpd/1.2.20130907-3

2016-10-31 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2016-10-24 at 23:29 +0100, James Cowgill wrote:
> The attached debdiff fixes #816759 (minissdpd: CVE-2016-3178
> CVE-2016-3179) for jessie. Both CVEs are tagged 'no-DSA' by the security
> team.

Assuming that the resulting package has been tested on jessie, please go
ahead.

Regards,

Adam



Bug#841979: jessie-pu: package minissdpd/1.2.20130907-3

2016-10-24 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: Thomas Goirand 

Hi,

The attached debdiff fixes #816759 (minissdpd: CVE-2016-3178
CVE-2016-3179) for jessie. Both CVEs are tagged 'no-DSA' by the security
team.

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru minissdpd-1.2.20130907/debian/changelog 
minissdpd-1.2.20130907/debian/changelog
--- minissdpd-1.2.20130907/debian/changelog 2014-07-14 08:02:57.0 
+0100
+++ minissdpd-1.2.20130907/debian/changelog 2016-10-24 22:46:46.0 
+0100
@@ -1,3 +1,15 @@
+minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759)
+The minissdpd daemon contains a improper validation of array index
+vulnerability (CWE-129) when processing requests sent to the Unix
+socket at /var/run/minissdpd.sock the Unix socket can be accessed
+by an unprivileged user to send invalid request causes an
+out-of-bounds memory access that crashes the minissdpd daemon.
+
+ -- James Cowgill   Mon, 24 Oct 2016 22:46:46 +0100
+
 minissdpd (1.2.20130907-3) unstable; urgency=medium
 
   * Removed $all from init.d script.
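
Review bot: The description under "Fix CVE-2016-3178 and CVE-2016-3179" is a single run-on sentence ("... at /var/run/minissdpd.sock the Unix socket can be accessed by an unprivileged user to send invalid request causes an out-of-bounds memory access ...") and does not say which CVE is which. Suggest splitting it into two sentences, writing "an improper validation", and naming the patch file that addresses each CVE so the entry can be matched against debian/patches.
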
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 
minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch   1970-01-01 
01:00:00.0 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch   2016-10-24 
22:43:23.0 +0100
@@ -0,0 +1,95 @@
+Description: Fix CVE-2016-3178
+ buffer overflow while handling negative length request
+Author: Salva Peiró 
+Origin: upstream, 
https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
 b/minissdpd.c
+@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req
+   type = buf[0];
+   p = buf + 1;
+   DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-  if(p+l > buf+n) {
++  if(l > (unsigned)(buf+n-p)) {
+   syslog(LOG_WARNING, "bad request (length encoding)");
+   goto error;
+   }
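
Review bot: In the new test "if(l > (unsigned)(buf+n-p))" the cast is only safe while p <= buf+n. If DECODELENGTH_CHECKLIMIT can leave p past the limit, buf+n-p is negative, converts to a very large unsigned value, and the comparison then passes for any l. The macro body is not part of this patch, so please confirm it stops at buf + n, or reject p > buf+n explicitly before the comparison. The same applies to the three identical checks in the following hunks.
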
+@@ -661,7 +661,7 @@ void processRequest(struct reqelem * req
+   goto error;
+   }
+   DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-  if(p+l > buf+n) {
++  if(l > (unsigned)(buf+n-p)) {
+   syslog(LOG_WARNING, "bad request (length encoding)");
+   goto error;
+   }
+@@ -679,7 +679,7 @@ void processRequest(struct reqelem * req
+   newserv->usn[l] = '\0';
+   p += l;
+   DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-  if(p+l > buf+n) {
++  if(l > (unsigned)(buf+n-p)) {
+   syslog(LOG_WARNING, "bad request (length encoding)");
+   goto error;
+   }
+@@ -697,7 +697,7 @@ void processRequest(struct reqelem * req
+   newserv->server[l] = '\0';
+   p += l;
+   DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-  if(p+l > buf+n) {
++  if(l > (unsigned)(buf+n-p)) {
+   syslog(LOG_WARNING, "bad request (length encoding)");
+   goto error;
+   }
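
Review bot: All four rejection sites log the identical string "bad request (length encoding)", so a warning in syslog does not tell an administrator which field of the request failed validation. Consider adding the field name (for example the usn or server field seen in the context lines) or the request type to each message, so malformed requests to the socket can be told apart in the logs.
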
+--- a/testminissdpd.c
 b/testminissdpd.c
+@@ -45,6 +45,23 @@ void printresponse(const unsigned char *
+ #define SENDCOMMAND(command, size) write(s, command, size); \
+   printf("Command written type=%u\n", (unsigned)command[0]);
+ 
++int connect_unix_socket(const char * sockpath)
++{
++  int s;
++  struct sockaddr_un addr;
++
++  s = socket(AF_UNIX, SOCK_STREAM, 0);
++  addr.sun_family = AF_UNIX;
++  strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path));
++  if(connect(s, (struct sockaddr *), sizeof(struct sockaddr_un)) < 
0) {
++  fprintf(stderr, "connecting to %s : ", addr.sun_path);
++  perror("connect");
++  exit(1);
++  }
++  printf("Connected to %s\n", addr.sun_path);
++  return s;
++}
++
+ /* test program for minissdpd */
+ int
+ main(int argc, char * * argv)
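
Review bot: connect_unix_socket() does not check the return value of socket(), so a failure there only surfaces as a connect error on descriptor -1; test s < 0 and report it with perror("socket") before filling in addr. Also, strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path)) leaves sun_path unterminated when sockpath fills the buffer, and addr is never zeroed; memset the struct first and copy at most sizeof(addr.sun_path) - 1 bytes.
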
+@@ -52,6 +69,7 @@ main(int argc, char * * argv)
+   char command1[] = 
"\x01\x00urn:schemas-upnp-org:device:InternetGatewayDevice";
+   char command2[] =