minissdpd: CVE-2019-12106

Related Vulnerabilities: CVE-2019-12106  

Debian Bug report logs - #929297
minissdpd: CVE-2019-12106

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 21 May 2019 06:09:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions minissdpd/1.2.20130907-3+deb8u1, minissdpd/1.2.20130907-4, minissdpd/1.2.20130907-4.1

Fixed in versions minissdpd/1.5.20190210-1, minissdpd/1.2.20130907-4.1+deb9u1

Done: Chris Lamb <lamby@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#929297; Package minissdpd. (Tue, 21 May 2019 06:09:03 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Thomas Goirand <zigo@debian.org>. (Tue, 21 May 2019 06:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: minissdpd: CVE-2019-12106
Date: Tue, 21 May 2019 07:06:55 +0100

Package: minissdpd
Version: 1.2.20130907-3+deb8u1
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for minissdpd.

CVE-2019-12106[0]:
| The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and
| 1.5 allows a remote attacker to crash the process due to a Use After
| Free vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12106
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12106


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#929297; Package minissdpd. (Tue, 21 May 2019 06:15:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Tue, 21 May 2019 06:15:04 GMT)


Message #10 received at 929297@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: 929297@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: minissdpd: CVE-2019-12106
Date: Tue, 21 May 2019 07:12:48 +0100

Hi,

> minissdpd: CVE-2019-12106

Security team, would you like me to prepare an upload for stretch here?


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#929297; Package minissdpd. (Tue, 21 May 2019 09:15:03 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. (Tue, 21 May 2019 09:15:03 GMT)


Message #15 received at 929297@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Chris Lamb <lamby@debian.org>, 929297@bugs.debian.org, security@debian.org
Subject: Re: Bug#929297: minissdpd: CVE-2019-12106
Date: Tue, 21 May 2019 11:13:20 +0200

On 5/21/19 8:06 AM, Chris Lamb wrote:
> Package: minissdpd
> Version: 1.2.20130907-3+deb8u1
> X-Debbugs-CC: team@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for minissdpd.
> 
> CVE-2019-12106[0]:
> | The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and
> | 1.5 allows a remote attacker to crash the process due to a Use After
> | Free vulnerability.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-12106
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12106
> 
> 
> Regards,
> 

Hi Chris & the security team,

The version in Sid / Buster isn't affected, as version 1.5.20190210 from
upstream already has the patch (ie: *pp = p->next). The security tracker
seems to know about it already.

Chris, thanks for your proposal to update Stretch, I very much
appreciate it.

Cheers,

Thomas Goirand (zigo)
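
The one-line fix quoted in the message above (`*pp = p->next`) is the unlink step of a pointer-to-pointer list walk. As an added illustration (not minissdpd's code, and not part of the original thread; the struct, the function names, the `simulate_oom` hook and the choice of a failed grow as the path that frees the node are all assumptions made for the example), this shows a node being unlinked before it is freed, so later traversals never reach freed memory:

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical record type, constructed for illustration (not minissdpd's). */
struct dev { struct dev *next; size_t cap; char data[]; };
static struct dev *dev_list;
static int simulate_oom;             /* hook: while set, growing a record fails */
int dev_add(const char *s) {         /* push at head; 0 on success */
    size_t n = strlen(s);
    struct dev *d = malloc(sizeof *d + n + 1);
    if (!d) return -1;
    d->cap = n;
    memcpy(d->data, s, n + 1);
    d->next = dev_list; dev_list = d;
    return 0;
}

/* Replace record `cur` with `repl`: 1 updated, 0 not found, -1 dropped on error. */
int dev_update(const char *cur, const char *repl) {
    size_t n = strlen(repl);
    struct dev **pp = &dev_list, *p;
    for (p = *pp; p; pp = &p->next, p = *pp) {
        if (strcmp(p->data, cur) != 0) continue;
        if (n > p->cap) {
            struct dev *tmp = simulate_oom ? NULL : realloc(p, sizeof *tmp + n + 1);
            if (!tmp) {
                *pp = p->next;       /* unlink first; without this line the */
                free(p);             /* list still points at freed memory   */
                return -1;
            }
            p = *pp = tmp;           /* realloc may have moved the node */
            p->cap = n;
        }
        memcpy(p->data, repl, n + 1);
        return 1;
    }
    return 0;
}

int dev_count(void) {                /* walks every node still linked */
    int c = 0;
    for (struct dev *p = dev_list; p; p = p->next) c++;
    return c;
}

int main(void) {                     /* constructed input: three records */
    dev_add("a"); dev_add("bb"); dev_add("c");
    simulate_oom = 1;                /* force the error path while growing "bb" */
    return (dev_update("bb", "bbbbbbbb") == -1 && dev_count() == 2) ? 0 : 1;
}
```

Building the variant without the unlink line under AddressSanitizer (`-fsanitize=address`) makes the next `dev_count()` call report a heap-use-after-free.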



Marked as fixed in versions minissdpd/1.5.20190210-1. Request was from Thomas Goirand <zigo@debian.org> to control@bugs.debian.org. (Tue, 21 May 2019 09:15:05 GMT)


Marked as found in versions minissdpd/1.2.20130907-4.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 21 May 2019 19:24:04 GMT)


Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 21 May 2019 19:24:04 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 21 May 2019 19:24:05 GMT)


Message sent on to "Chris Lamb" <lamby@debian.org>:
Bug#929297. (Tue, 21 May 2019 19:24:07 GMT)


Message #26 received at 929297-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 929297-submitter@bugs.debian.org
Subject: found 929297 in 1.2.20130907-4.1, closing 929297
Date: Tue, 21 May 2019 21:21:50 +0200

found 929297 1.2.20130907-4.1
close 929297 1.5.20190210-1
thanks




Marked as found in versions minissdpd/1.2.20130907-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 21 May 2019 19:42:09 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 21 May 2019 19:42:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#929297; Package minissdpd. (Thu, 23 May 2019 06:06:03 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Thu, 23 May 2019 06:06:03 GMT)


Message #35 received at 929297@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: "Thomas Goirand" <zigo@debian.org>, 929297@bugs.debian.org, security@debian.org
Subject: Re: Bug#929297: minissdpd: CVE-2019-12106
Date: Thu, 23 May 2019 07:02:53 +0100

Hi,

> > The following vulnerability was published for minissdpd.
> > 
> > CVE-2019-12106[0]:
> > | The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and
> > | 1.5 allows a remote attacker to crash the process due to a Use After
> > | Free vulnerability.
[…]
> Chris, thanks for your proposal to update Stretch, I very much
> appreciate it.

Ping, security team? :)


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#929297; Package minissdpd. (Sat, 25 May 2019 08:12:06 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Sat, 25 May 2019 08:12:06 GMT)


Message #40 received at 929297@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: "Thomas Goirand" <zigo@debian.org>, 929297@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#929297: minissdpd: CVE-2019-12106
Date: Sat, 25 May 2019 09:08:32 +0100

Hey,

> > The following vulnerability was published for minissdpd.
> > 
> > CVE-2019-12106[0]:
> > | The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and
> > | 1.5 allows a remote attacker to crash the process due to a Use After
> > | Free vulnerability.
[…]
> Chris, thanks for your proposal to update Stretch, I very much
> appreciate it.

Another gentle ping, security team?


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#929297; Package minissdpd. (Sun, 26 May 2019 20:57:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Sun, 26 May 2019 20:57:02 GMT)


Message #45 received at 929297@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Chris Lamb <lamby@debian.org>
Cc: Thomas Goirand <zigo@debian.org>, 929297@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#929297: minissdpd: CVE-2019-12106
Date: Sun, 26 May 2019 22:55:46 +0200

On Sat, May 25, 2019 at 09:08:32AM +0100, Chris Lamb wrote:
> Hey,
> 
> > > The following vulnerability was published for minissdpd.
> > > 
> > > CVE-2019-12106[0]:
> > > | The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and
> > > | 1.5 allows a remote attacker to crash the process due to a Use After
> > > | Free vulnerability.
> […]
> > Chris, thanks for your proposal to update Stretch, I very much
> > appreciate it.
> 
> Another gentle ping, security team?

This doesn't warrant a DSA, feel free to fix it via a point release instead.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#929297; Package minissdpd. (Mon, 27 May 2019 09:33:06 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Mon, 27 May 2019 09:33:06 GMT)


Message #50 received at 929297@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: "Moritz Muehlenhoff" <jmm@inutil.org>
Cc: "Thomas Goirand" <zigo@debian.org>, 929297@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#929297: minissdpd: CVE-2019-12106
Date: Mon, 27 May 2019 10:22:45 +0100

Hi Moritz,

> > > Chris, thanks for your proposal to update Stretch, I very much
> > > appreciate it.
[…]
> This doesn't warrant a DSA, feel free to fix it via a point release instead.

Sure thing. Proposed in #929613.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Sat, 08 Jun 2019 17:36:15 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Sat, 08 Jun 2019 17:36:15 GMT)


Message #55 received at 929297-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 929297-close@bugs.debian.org
Subject: Bug#929297: fixed in minissdpd 1.2.20130907-4.1+deb9u1
Date: Sat, 08 Jun 2019 17:32:26 +0000

Source: minissdpd
Source-Version: 1.2.20130907-4.1+deb9u1

We believe that the bug you reported is fixed in the latest version of
minissdpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929297@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated minissdpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 27 May 2019 10:14:26 +0100
Source: minissdpd
Binary: minissdpd
Architecture: source amd64
Version: 1.2.20130907-4.1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Thomas Goirand <zigo@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 minissdpd  - keep memory of all UPnP devices that announced themselves
Closes: 929297
Changes:
 minissdpd (1.2.20130907-4.1+deb9u1) stretch; urgency=medium
 .
   * CVE-2019-12106: Prevent a use-after-free vulnerability that would allow a
     remote attacker to crash the process. (Closes: #929297)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:18:56 2019; Machine Name: buxtehude
