** Description changed:
- SRU request.
+ Security Update and/or SRU request for 14.04.
+
+ There are security fixes to this package in Debian (1.8.20140523-4, in
+ 15.04+) that fix several CVEs and postinst failures (1.8.20130730-3, in
+ 14.10+) . Unfortunately it is not clear precisely which CVEs the Debian
+ security updates resolve.
+
+ I found these issues when a user reported they couldn't start the
+ daemon. I initially fixed the postinst issue locally then discovered
+ Debian had updated the package already, and then discovered the
+ additional fixes for security vulnerabilities.
+
+ Due to the Debian packages also including some unrelated fixes I'm unclear as
to what the best approach is.
+ I've asked for guidance in #ubuntu-devel and rbasak gave useful input but it
comes down to whether a security update would take the Debian package as-is or
want to split out the various specific fixes.
+
+ That looks like quite a lot of involved work to me. I only worked on the
+ postinst issue to solve it for a user who reported it in #ubuntu.
+
+ -----
[Impact]
- There are typos in the postinst script that cause garbage to be written
+ * MiniUPnPd is vulnerable to DNS rebinding attacks
+
+ * DoS: typos in the postinst script that cause garbage to be written
to "/etc/default/miniupnpd" resulting in the service failing to start.
[Test Case]
Install the package and try to start it. It will fail.
"/etc/default/miniupnpd" will contain garbled content due to the bug.
A valid example file exists in the package at
/usr/share/doc/miniupnpd/examples/miniupnpd.default
+ Installing the package from 15.04 or 15.10 resolve the issues.
+
[Regression Potential]
- Non. Changes ensure a valid 'default' file is written and permit the
- daemon to start.
+ Small to Non. postinst changes ensure a valid 'default' file is written
+ and permit the daemon to start. Fixes from upstream prevent DNS
+ rebinding attacks.
- -----
- I found these when a user reported they couldn't start the daemon. It turns
out these were fixed in Debian and are available in 14.10, 15.04 and 15.10.
+ These were fixed in Debian and are available in 15.04+.
- A backport to Trusty would solve this and several other issues.
+ [References]
+
+ security: CVEs
http://www.cvedetails.com/vulnerability-list/vendor_id-12591/product_id-24263/Miniupnp-Project-Miniupnpd.html
+
+ security: see Debian bug #772644
+
+ postinst: see Debian bug #726915
+
+ see also Debian changelog: http://metadata.ftp-
+
master.debian.org/changelogs//main/m/miniupnpd/miniupnpd_1.8.20140523-4_changelog
** Summary changed:
- postinst script writes garbage to /etc/default/miniupnpd
+ Security vulnerabilities and postinst generating garbage
** Changed in: miniupnpd (Ubuntu Trusty)
Status: New => Triaged
** Changed in: miniupnpd (Ubuntu Trusty)
Importance: Undecided => High
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1468938
Title:
Security vulnerabilities and postinst generating garbage
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/miniupnpd/+bug/1468938/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
