libupnp: CVE-2016-6255: write files via POST


Debian Bug report logs - #831857
libupnp: CVE-2016-6255: write files via POST


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 20 Jul 2016 09:06:02 UTC

Severity: grave

Tags: buster, jessie, patch, security, sid, stretch, upstream, wheezy

Found in version libupnp/1:1.6.17-1

Fixed in versions libupnp/1:1.6.17-1.2+deb7u1, libupnp/1:1.6.19+git20160116-1.1, libupnp/1:1.6.19+git20141001-1+deb8u1

Done: Uwe Kleine-König <ukleinek@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/pupnp/bugs/132/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nick Leverton <nick@leverton.org>:
Bug#831857; Package src:libupnp. (Wed, 20 Jul 2016 09:06:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nick Leverton <nick@leverton.org>. (Wed, 20 Jul 2016 09:06:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libupnp: write files via POST
Date: Wed, 20 Jul 2016 11:03:34 +0200
Source: libupnp
Version: 1:1.6.17-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi

See http://www.openwall.com/lists/oss-security/2016/07/18/13 and
https://twitter.com/mjg59/status/755062278513319936 .

Proposed fix:
https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd

Regards,
Salvatore



Changed Bug title to 'libupnp: CVE-2016-6255: write files via POST' from 'libupnp: write files via POST'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Jul 2016 20:18:17 GMT)


Set Bug forwarded-to-address to 'https://sourceforge.net/p/pupnp/bugs/132/'. Request was from Bálint Réczey <balint@balintreczey.hu> to control@bugs.debian.org. (Tue, 02 Aug 2016 14:03:17 GMT)


Added tag(s) wheezy, stretch, sid, and jessie. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 02 Aug 2016 18:30:03 GMT)


Marked as fixed in versions libupnp/1:1.6.17-1.2+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 18 Aug 2016 04:27:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#831857; Package src:libupnp. (Wed, 19 Oct 2016 20:27:07 GMT)


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Wed, 19 Oct 2016 20:27:07 GMT)


Message #18 received at 831857@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 831857@bugs.debian.org
Subject: Bug#831857: libupnp: CVE-2016-6255: write files via POST
Date: Wed, 19 Oct 2016 21:22:50 +0100
[Message part 1 (text/plain, inline)]
Control: tags -1 patch pending

Hi,

I am about to upload the attached NMU to finally fix this bug. I've also
attached a patch suitable for jessie-security, and a test script I used
to create a libupnp server for testing the fix with.

Thanks,
James
[cve-2016-6255-test.c (text/x-csrc, attachment)]
[jessie-security.debdiff (text/plain, attachment)]
[libupnp_1.6.19+git20160116-1.1-nmu.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Added tag(s) pending and patch. Request was from James Cowgill <jcowgill@debian.org> to 831857-submit@bugs.debian.org. (Wed, 19 Oct 2016 20:27:07 GMT)


Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Wed, 19 Oct 2016 22:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 19 Oct 2016 22:51:06 GMT)


Message #25 received at 831857-close@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 831857-close@bugs.debian.org
Subject: Bug#831857: fixed in libupnp 1:1.6.19+git20160116-1.1
Date: Wed, 19 Oct 2016 22:47:26 +0000
Source: libupnp
Source-Version: 1:1.6.19+git20160116-1.1

We believe that the bug you reported is fixed in the latest version of
libupnp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 831857@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated libupnp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 19 Oct 2016 21:03:51 +0100
Source: libupnp
Binary: libupnp6 libupnp6-dev libupnp-dev libupnp6-dbg libupnp6-doc
Architecture: source
Version: 1:1.6.19+git20160116-1.1
Distribution: unstable
Urgency: high
Maintainer: Nick Leverton <nick@leverton.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libupnp-dev - Portable SDK for UPnP Devices (development files)
 libupnp6   - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
 libupnp6-dbg - debugging symbols for libupnp6
 libupnp6-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
 libupnp6-doc - Documentation for the Portable SDK for UPnP Devices, version 1.6
Closes: 831857
Changes:
 libupnp (1:1.6.19+git20160116-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Don't allow unhandled POSTs to write to the filesystem by
     default (Closes: #831857) (CVE-2016-6255)
     Thanks to Matthew Garrett for the patch.





Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#831857; Package src:libupnp. (Wed, 09 Nov 2016 02:57:08 GMT)


Acknowledgement sent to <htreks@ntc.net.np>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Wed, 09 Nov 2016 02:57:08 GMT)


Message #30 received at 831857@bugs.debian.org:

From: <htreks@ntc.net.np>
To: <831857@bugs.debian.org>
Subject: 22 831857
Date: Wed, 09 Nov 2016 02:53:51 -0000
[MESSAGE_1032058616_831857.zip (application/zip, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#831857; Package src:libupnp. (Tue, 13 Dec 2016 12:45:08 GMT)


Acknowledgement sent to Uwe Kleine-König <uwe@kleine-koenig.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Tue, 13 Dec 2016 12:45:08 GMT)


Message #35 received at 831857@bugs.debian.org:

From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: team@security.debian.org
Cc: 831857@bugs.debian.org, 842093@bugs.debian.org
Subject: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)
Date: Tue, 13 Dec 2016 13:43:22 +0100
[Message part 1 (text/plain, inline)]
Hello,

Do you consider CVE-2016-6255 and CVE-2016-8863 bad enough to make a
security update for it? If so, I suggest the following debdiff.

Best regards
Uwe

diff -Nru libupnp-1.6.19+git20141001/debian/changelog libupnp-1.6.19+git20141001/debian/changelog
--- libupnp-1.6.19+git20141001/debian/changelog	2014-10-23 22:48:01.000000000 +0200
+++ libupnp-1.6.19+git20141001/debian/changelog	2016-12-13 11:46:31.000000000 +0100
@@ -1,3 +1,11 @@
+libupnp (1:1.6.19+git20141001-1.1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * backport fixes for CVE-2016-6255 and CVE-2016-8863
+    (Closes: #831857, #842093)
+
+ -- Uwe Kleine-König <ukleinek@debian.org>  Tue, 13 Dec 2016 11:46:31 +0100
+
 libupnp (1:1.6.19+git20141001-1) unstable; urgency=low
 
   * Ack both NMUs, thankyou for your care of this package.
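Review bot: the version in the new changelog stanza, 1:1.6.19+git20141001-1.1, is the plain NMU form rather than the stable-security form; for an upload targeted at jessie-security it should be 1:1.6.19+git20141001-1+deb8u1, which names the suite and sorts below any later unstable upload. Minor: "backport fixes for ..." should be capitalised like the first bullet, "Backport fixes for CVE-2016-6255 and CVE-2016-8863".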
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch	1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch	2016-12-13 11:46:31.000000000 +0100
@@ -0,0 +1,63 @@
+From c91a8a3903367e1163765b73eb4d43be7d7927fa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+
+Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
+Bug: https://sourceforge.net/p/pupnp/bugs/132/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
+Bug-Debian: https://bugs.debian.org/831857
+---
+ configure.ac                         |    4 ++++
+ upnp/inc/upnpconfig.h.in             |    4 ++++
+ upnp/src/genlib/net/http/webserver.c |    4 ++++
+ 3 files changed, 12 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -495,6 +495,10 @@
+         AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h])
+ fi
+ 
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++	AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+ 
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+ 
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -131,5 +131,9 @@
+  * header (i.e. configure --enable-unspecified_server) */
+ #undef UPNP_ENABLE_UNSPECIFIED_SERVER
+ 
++/** Defined to 1 if the library has been compiled to support filesystem writes on POST
++ * (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
+ #endif /* UPNP_CONFIG_H */
+ 
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1366,9 +1366,13 @@
+ 		if (Fp == NULL)
+ 			return HTTP_INTERNAL_SERVER_ERROR;
+ 	} else {
++#ifdef UPNP_ENABLE_POST_WRITE
+ 		Fp = fopen(filename, "wb");
+ 		if (Fp == NULL)
+ 			return HTTP_UNAUTHORIZED;
++#else
++		return HTTP_NOT_FOUND;
++#endif
+ 	}
+ 	parser->position = POS_ENTITY;
+ 	do {
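Review bot: the DEP-3 header of CVE-2016-6255.patch carries Bug, Bug-CVE and Bug-Debian but no Origin or Applied-Upstream field, although the upstream commit id is present in the "From c91a8a3903367e1163765b73eb4d43be7d7927fa" line; the CVE-2016-8863.patch in the same series does have "Applied-Upstream: 1.6.x, commit:...", so add the matching line here, e.g. `Origin: upstream, commit:c91a8a3903367e1163765b73eb4d43be7d7927fa`, so the provenance is machine-readable.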
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch	1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch	2016-12-13 11:46:31.000000000 +0100
@@ -0,0 +1,59 @@
+From 8d48f5cf63973c452cb4578a1fbe623ba95a8e65 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
+Date: Thu, 8 Dec 2016 17:11:53 +0100
+Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
+
+If there is an invalid URL in URLS->buf after a valid one, uri_parse is
+called with out pointing after the allocated memory. As uri_parse writes
+to *out before returning an error the loop in create_url_list must be
+stopped early to prevent an out-of-bound access
+
+Bug: https://sourceforge.net/p/pupnp/bugs/133/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
+Bug-Debian: https://bugs.debian.org/842093
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
+Applied-Upstream: 1.6.x, commit:a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b
+
+---
+ upnp/src/gena/gena_device.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/upnp/src/gena/gena_device.c
++++ b/upnp/src/gena/gena_device.c
+@@ -1113,7 +1113,7 @@
+ 	/*! [out] . */
+ 	URL_list *out)
+ {
+-    size_t URLcount = 0;
++    size_t URLcount = 0, URLcount2 = 0;
+     size_t i;
+     int return_code = 0;
+     uri_type temp;
+@@ -1155,16 +1155,23 @@
+         }
+         memcpy( out->URLs, URLS->buff, URLS->size );
+         out->URLs[URLS->size] = 0;
+-        URLcount = 0;
+         for( i = 0; i < URLS->size; i++ ) {
+             if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
+                 if( ( ( return_code =
+                         parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
+-                                   &out->parsedURLs[URLcount] ) ) ==
++                                   &out->parsedURLs[URLcount2] ) ) ==
+                       HTTP_SUCCESS )
+-                    && ( out->parsedURLs[URLcount].hostport.text.size !=
++                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
+                          0 ) ) {
+-                    URLcount++;
++                    URLcount2++;
++		    if (URLcount2 >= URLcount)
++			    /*
++			     * break early here in case there is a bogus URL that
++			     * was skipped above. This prevents to access
++			     * out->parsedURLs[URLcount] which is beyond the
++			     * allocation.
++			     */
++			    break;
+                 } else {
+                     if( return_code == UPNP_E_OUTOF_MEMORY ) {
+                         free( out->URLs );
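Review bot: the commit message says "uri_parse is called with out pointing after the allocated memory", but the function in the hunk is parse_uri(); rename it in the message so the description matches the code. The added comment "This prevents to access out->parsedURLs[URLcount]" should read "This prevents accessing ...". The logic itself is consistent with the visible lines: the `-        URLcount = 0;` reset is dropped so URLcount keeps the count from the first pass that sized parsedURLs, URLcount2 indexes the second pass, and breaking once URLcount2 reaches URLcount means parse_uri() is never handed &out->parsedURLs[URLcount].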
diff -Nru libupnp-1.6.19+git20141001/debian/patches/series libupnp-1.6.19+git20141001/debian/patches/series
--- libupnp-1.6.19+git20141001/debian/patches/series	2014-10-04 06:26:29.000000000 +0200
+++ libupnp-1.6.19+git20141001/debian/patches/series	2016-12-13 11:46:31.000000000 +0100
@@ -5,3 +5,5 @@
 18-url-upnpstrings.patch
 19_fix_tests.patch
 21_fix-1.6.19+git.patch
+CVE-2016-6255.patch
+CVE-2016-8863.patch
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#831857; Package src:libupnp. (Tue, 13 Dec 2016 13:09:02 GMT)


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Tue, 13 Dec 2016 13:09:02 GMT)


Message #40 received at 831857@bugs.debian.org:

From: Sébastien Delafond <seb@debian.org>
To: Uwe Kleine-König <uwe@kleine-koenig.org>
Cc: team@security.debian.org, 831857@bugs.debian.org, 842093@bugs.debian.org
Subject: Re: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)
Date: Tue, 13 Dec 2016 14:03:50 +0100
On Dec/13, Uwe Kleine-König wrote:
> Do you consider CVE-2016-6255 and CVE-2016-8863 bad enough to make a
> security update for it? If so, I suggest the following debdiff.

Yes, the first one is bad, so let's fix both via a DSA.

Could you please provide a debdiff with 1:1.6.19+git20141001-1+deb8u1 as
a version, instead of 1.1 ?

Cheers,

--Seb



Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#831857; Package src:libupnp. (Tue, 13 Dec 2016 19:09:02 GMT)


Acknowledgement sent to Uwe Kleine-König <uwe@kleine-koenig.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Tue, 13 Dec 2016 19:09:02 GMT)


Message #45 received at 831857@bugs.debian.org:

From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: Sébastien Delafond <seb@debian.org>
Cc: team@security.debian.org, 831857@bugs.debian.org, 842093@bugs.debian.org
Subject: Re: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)
Date: Tue, 13 Dec 2016 20:06:57 +0100
[Message part 1 (text/plain, inline)]
On Tue, Dec 13, 2016 at 02:03:50PM +0100, Sébastien Delafond wrote:
> On Dec/13, Uwe Kleine-König wrote:
> > Do you consider CVE-2016-6255 and CVE-2016-8863 bad enough to make a
> > security update for it? If so, I suggest the following debdiff.
> 
> Yes, the first one is bad, so let's fix both via a DSA.

I had the impression that the 2nd might be bad, too. There is no public
exploit available, but AFAIK writing to unallocated memory is dangerous?

> Could you please provide a debdiff with 1:1.6.19+git20141001-1+deb8u1 as
> a version, instead of 1.1 ?

Yeah, I wondered if the version is right and trusted dch --security to
do the right thing. Find below a debdiff using +deb8u1

Best regards
Uwe

dpkg-source: warning: extracting unsigned source package (/home/uwe/tm/libupnp_1.6.19+git20141001-1+deb8u1.dsc)
diff -Nru libupnp-1.6.19+git20141001/debian/changelog libupnp-1.6.19+git20141001/debian/changelog
--- libupnp-1.6.19+git20141001/debian/changelog	2014-10-23 22:48:01.000000000 +0200
+++ libupnp-1.6.19+git20141001/debian/changelog	2016-12-13 11:46:31.000000000 +0100
@@ -1,3 +1,11 @@
+libupnp (1:1.6.19+git20141001-1+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * backport fixes for CVE-2016-6255 and CVE-2016-8863
+    (Closes: #831857, #842093)
+
+ -- Uwe Kleine-König <ukleinek@debian.org>  Tue, 13 Dec 2016 11:46:31 +0100
+
 libupnp (1:1.6.19+git20141001-1) unstable; urgency=low
 
   * Ack both NMUs, thankyou for your care of this package.
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch	1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch	2016-12-13 11:46:31.000000000 +0100
@@ -0,0 +1,63 @@
+From c91a8a3903367e1163765b73eb4d43be7d7927fa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+
+Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
+Bug: https://sourceforge.net/p/pupnp/bugs/132/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
+Bug-Debian: https://bugs.debian.org/831857
+---
+ configure.ac                         |    4 ++++
+ upnp/inc/upnpconfig.h.in             |    4 ++++
+ upnp/src/genlib/net/http/webserver.c |    4 ++++
+ 3 files changed, 12 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -495,6 +495,10 @@
+         AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h])
+ fi
+ 
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++	AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+ 
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+ 
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -131,5 +131,9 @@
+  * header (i.e. configure --enable-unspecified_server) */
+ #undef UPNP_ENABLE_UNSPECIFIED_SERVER
+ 
++/** Defined to 1 if the library has been compiled to support filesystem writes on POST
++ * (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
+ #endif /* UPNP_CONFIG_H */
+ 
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1366,9 +1366,13 @@
+ 		if (Fp == NULL)
+ 			return HTTP_INTERNAL_SERVER_ERROR;
+ 	} else {
++#ifdef UPNP_ENABLE_POST_WRITE
+ 		Fp = fopen(filename, "wb");
+ 		if (Fp == NULL)
+ 			return HTTP_UNAUTHORIZED;
++#else
++		return HTTP_NOT_FOUND;
++#endif
+ 	}
+ 	parser->position = POS_ENTITY;
+ 	do {
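Review bot: in the webserver.c hunk the `Fp = fopen(filename, "wb");` path is kept verbatim under `#ifdef UPNP_ENABLE_POST_WRITE`, so a build configured with --enable-postwrite restores exactly the behaviour the commit message describes (unhandled POST bodies written to the filesystem); the configure help text "write to the filesystem on otherwise unhandled POST requests" and the upnpconfig.h.in comment should state that this re-enables CVE-2016-6255 so that nobody turns it on as a harmless compatibility option.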
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch	1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch	2016-12-13 11:46:31.000000000 +0100
@@ -0,0 +1,59 @@
+From 8d48f5cf63973c452cb4578a1fbe623ba95a8e65 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
+Date: Thu, 8 Dec 2016 17:11:53 +0100
+Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
+
+If there is an invalid URL in URLS->buf after a valid one, uri_parse is
+called with out pointing after the allocated memory. As uri_parse writes
+to *out before returning an error the loop in create_url_list must be
+stopped early to prevent an out-of-bound access
+
+Bug: https://sourceforge.net/p/pupnp/bugs/133/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
+Bug-Debian: https://bugs.debian.org/842093
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
+Applied-Upstream: 1.6.x, commit:a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b
+
+---
+ upnp/src/gena/gena_device.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/upnp/src/gena/gena_device.c
++++ b/upnp/src/gena/gena_device.c
+@@ -1113,7 +1113,7 @@
+ 	/*! [out] . */
+ 	URL_list *out)
+ {
+-    size_t URLcount = 0;
++    size_t URLcount = 0, URLcount2 = 0;
+     size_t i;
+     int return_code = 0;
+     uri_type temp;
+@@ -1155,16 +1155,23 @@
+         }
+         memcpy( out->URLs, URLS->buff, URLS->size );
+         out->URLs[URLS->size] = 0;
+-        URLcount = 0;
+         for( i = 0; i < URLS->size; i++ ) {
+             if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
+                 if( ( ( return_code =
+                         parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
+-                                   &out->parsedURLs[URLcount] ) ) ==
++                                   &out->parsedURLs[URLcount2] ) ) ==
+                       HTTP_SUCCESS )
+-                    && ( out->parsedURLs[URLcount].hostport.text.size !=
++                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
+                          0 ) ) {
+-                    URLcount++;
++                    URLcount2++;
++		    if (URLcount2 >= URLcount)
++			    /*
++			     * break early here in case there is a bogus URL that
++			     * was skipped above. This prevents to access
++			     * out->parsedURLs[URLcount] which is beyond the
++			     * allocation.
++			     */
++			    break;
+                 } else {
+                     if( return_code == UPNP_E_OUTOF_MEMORY ) {
+                         free( out->URLs );
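Review bot: the added lines from `if (URLcount2 >= URLcount)` through `break;` are indented with tabs, while the surrounding lines of this function (`URLcount2++;`, the `} else {` below) use four-space indentation; reindent the new block with spaces so the patch matches the file's style and the comment block lines up in the Debian source.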
diff -Nru libupnp-1.6.19+git20141001/debian/patches/series libupnp-1.6.19+git20141001/debian/patches/series
--- libupnp-1.6.19+git20141001/debian/patches/series	2014-10-04 06:26:29.000000000 +0200
+++ libupnp-1.6.19+git20141001/debian/patches/series	2016-12-13 11:46:31.000000000 +0100
@@ -5,3 +5,5 @@
 18-url-upnpstrings.patch
 19_fix_tests.patch
 21_fix-1.6.19+git.patch
+CVE-2016-6255.patch
+CVE-2016-8863.patch
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#831857; Package src:libupnp. (Tue, 13 Dec 2016 19:39:05 GMT)


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Tue, 13 Dec 2016 19:39:05 GMT)


Message #50 received at 831857@bugs.debian.org:

From: Sébastien Delafond <seb@debian.org>
To: Uwe Kleine-König <uwe@kleine-koenig.org>
Cc: team@security.debian.org, 831857@bugs.debian.org, 842093@bugs.debian.org
Subject: Re: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)
Date: Tue, 13 Dec 2016 20:34:56 +0100
On Dec/13, Uwe Kleine-König wrote:
> I had the impression that the 2nd might be bad, too. There is no
> public exploit available, but AFAIK writing to unallocated memory is
> dangerous?

Yes, it is, you're right. But the first one is such an obvious flaw,
that it doesn't require any sort of creativity to exploit :) Anyway, we
want them both fixed.

> Yeah, I wondered if the version is right and trusted dch --security to
> do the right thing. Find below a debdiff using +deb8u1

Perfect, you can upload to security-master (no source-only
though). Also, make sure you build with -sa, as it will be new on that
host.

Cheers,

--Seb



Reply sent to Uwe Kleine-König <ukleinek@debian.org>:
You have taken responsibility. (Sat, 17 Dec 2016 22:03:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Dec 2016 22:03:05 GMT)


Message #55 received at 831857-close@bugs.debian.org:

From: Uwe Kleine-König <ukleinek@debian.org>
To: 831857-close@bugs.debian.org
Subject: Bug#831857: fixed in libupnp 1:1.6.19+git20141001-1+deb8u1
Date: Sat, 17 Dec 2016 22:02:13 +0000
Source: libupnp
Source-Version: 1:1.6.19+git20141001-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
libupnp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 831857@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Uwe Kleine-König <ukleinek@debian.org> (supplier of updated libupnp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 13 Dec 2016 11:46:31 +0100
Source: libupnp
Binary: libupnp6 libupnp6-dev libupnp-dev libupnp6-dbg libupnp6-doc
Architecture: source arm64 all
Version: 1:1.6.19+git20141001-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Nick Leverton <nick@leverton.org>
Changed-By: Uwe Kleine-König <ukleinek@debian.org>
Description:
 libupnp-dev - Portable SDK for UPnP Devices (development files)
 libupnp6   - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
 libupnp6-dbg - debugging symbols for libupnp6
 libupnp6-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
 libupnp6-doc - Documentation for the Portable SDK for UPnP Devices, version 1.6
Closes: 831857 842093
Changes:
 libupnp (1:1.6.19+git20141001-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * backport fixes for CVE-2016-6255 and CVE-2016-8863
     (Closes: #831857, #842093)





Added tag(s) buster. Request was from ivodd@debian.org to control@bugs.debian.org. (Sun, 18 Jun 2017 09:56:24 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Jul 2017 07:31:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:30:14 2019; Machine Name: buxtehude
