Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: Thomas Goirand
Hi,
The attached debdiff fixes #816759 (minissdpd: CVE-2016-3178
CVE-2016-3179) for jessie. Both CVEs are tagged 'no-DSA' by the security
team.
Thanks,
James
-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru minissdpd-1.2.20130907/debian/changelog
minissdpd-1.2.20130907/debian/changelog
--- minissdpd-1.2.20130907/debian/changelog 2014-07-14 08:02:57.0
+0100
+++ minissdpd-1.2.20130907/debian/changelog 2016-10-24 22:46:46.0
+0100
@@ -1,3 +1,15 @@
+minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759)
+The minissdpd daemon contains a improper validation of array index
+vulnerability (CWE-129) when processing requests sent to the Unix
+socket at /var/run/minissdpd.sock the Unix socket can be accessed
+by an unprivileged user to send invalid request causes an
+out-of-bounds memory access that crashes the minissdpd daemon.
+
+ -- James Cowgill Mon, 24 Oct 2016 22:46:46 +0100
+
minissdpd (1.2.20130907-3) unstable; urgency=medium
* Removed $all from init.d script.
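Review bot: The description under the "Fix CVE-2016-3178 and CVE-2016-3179" bullet is one run-on sentence ("... at /var/run/minissdpd.sock the Unix socket can be accessed by an unprivileged user to send invalid request causes an out-of-bounds memory access ...") and does not say which of the two CVEs it describes. Suggest splitting it into separate sentences and naming the patch file that addresses each CVE, so the entry can be matched against debian/patches. As shown here, those continuation lines also start directly after the "+" while the bullet lines above them are indented; changelog continuation lines need the same leading indentation.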
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch
minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 1970-01-01
01:00:00.0 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 2016-10-24
22:43:23.0 +0100
@@ -0,0 +1,95 @@
+Description: Fix CVE-2016-3178
+ buffer overflow while handling negative length request
+Author: Salva Peiró
+Origin: upstream,
https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
b/minissdpd.c
+@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req
+ type = buf[0];
+ p = buf + 1;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
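Review bot: The rewritten check `if(l > (unsigned)(buf+n-p))` is only sound while p <= buf+n holds after DECODELENGTH_CHECKLIMIT. If p could ever be past buf+n, the pointer difference would be negative and the cast would turn it into a very large value, so every l would pass. The macro body is not part of this diff, so it is worth confirming that it enforces that limit. A short comment on the check would help too, saying that it relies on the macro and that, if l is a signed type as the "negative length" description suggests, a negative l is rejected because the comparison is done unsigned.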
+@@ -661,7 +661,7 @@ void processRequest(struct reqelem * req
+ goto error;
+ }
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+@@ -679,7 +679,7 @@ void processRequest(struct reqelem * req
+ newserv->usn[l] = '\0';
+ p += l;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+@@ -697,7 +697,7 @@ void processRequest(struct reqelem * req
+ newserv->server[l] = '\0';
+ p += l;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
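Review bot: The bounds check after DECODELENGTH_CHECKLIMIT is now repeated verbatim in four places in processRequest (`if(l > (unsigned)(buf+n-p))`, the syslog warning, `goto error`), and the defect being fixed was the same wrong comparison copied to each of them. Folding the check into the macro or a small helper would leave one place to get it right. If that is out of scope for a stable update that tracks the upstream commit, it is a point to raise upstream instead.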
+--- a/testminissdpd.c
b/testminissdpd.c
+@@ -45,6 +45,23 @@ void printresponse(const unsigned char *
+ #define SENDCOMMAND(command, size) write(s, command, size); \
+ printf("Command written type=%u\n", (unsigned)command[0]);
+
++int connect_unix_socket(const char * sockpath)
++{
++ int s;
++ struct sockaddr_un addr;
++
++ s = socket(AF_UNIX, SOCK_STREAM, 0);
++ addr.sun_family = AF_UNIX;
++ strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path));
++ if(connect(s, (struct sockaddr *), sizeof(struct sockaddr_un)) <
0) {
++ fprintf(stderr, "connecting to %s : ", addr.sun_path);
++ perror("connect");
++ exit(1);
++ }
++ printf("Connected to %s\n", addr.sun_path);
++ return s;
++}
++
+ /* test program for minissdpd */
+ int
+ main(int argc, char * * argv)
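Review bot: In connect_unix_socket, `strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path))` leaves sun_path without a terminating NUL when sockpath is that long or longer, and addr is never zeroed, so the later `%s` prints of addr.sun_path can read past the array. Suggest zeroing addr with memset before filling it in and copying at most sizeof(addr.sun_path) - 1 bytes. The return value of socket() is also not checked before it is passed to connect(); a failed socket() would show up only as a confusing connect error.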
+@@ -52,6 +69,7 @@ main(int argc, char * * argv)
+ char command1[] =
"\x01\x00urn:schemas-upnp-org:device:InternetGatewayDevice";
+ char command2[] =