libupnp: CVE-2016-8863

Related Vulnerabilities: CVE-2016-8863, CVE-2016-6255

Debian Bug report logs - #842093
libupnp: CVE-2016-8863


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 25 Oct 2016 20:30:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version libupnp/1:1.6.19+git20141001-1

Fixed in versions libupnp/1:1.6.19+git20160116-1.2, libupnp/1:1.6.19+git20141001-1+deb8u1

Done: Uwe Kleine-König <ukleinek@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Tue, 25 Oct 2016 20:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nick Leverton <nick@leverton.org>. (Tue, 25 Oct 2016 20:30:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libupnp: CVE-2016-8863
Date: Tue, 25 Oct 2016 22:27:24 +0200
Source: libupnp
Version: 1:1.6.19+git20141001-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for libupnp. The issue is
easily reproducible if libupnp is compiled with ASAN and the
reproducing steps in the upstream bug report are followed.

CVE-2016-8863[0]:
Buffer overflow in create_url_list

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-8863
[1] https://sourceforge.net/p/pupnp/bugs/133/

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Thu, 08 Dec 2016 13:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Uwe Kleine-König <uwe@kleine-koenig.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Thu, 08 Dec 2016 13:30:03 GMT) (full text, mbox, link).


Message #10 received at 842093@bugs.debian.org (full text, mbox, reply):

From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 842093@bugs.debian.org
Subject: Re: libupnp: CVE-2016-8863
Date: Thu, 8 Dec 2016 14:20:32 +0100
[Message part 1 (text/plain, inline)]
Control: tag -1 + patch

Hello,

On Tue, Oct 25, 2016 at 10:27:24PM +0200, Salvatore Bonaccorso wrote:
> the following vulnerability was published for libupnp. The issue is
> easily reproducible if libupnp is compiled with ASAN and the
> reproducing steps in the upstream bug report are followed.

I didn't try to reproduce, but I think the following patch (while not
being pretty) is easy and fixes the issue:

diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
index 58a3e55e8973..700f00b449db 100644
--- a/upnp/src/gena/gena_device.c
+++ b/upnp/src/gena/gena_device.c
@@ -1145,7 +1145,11 @@ static int create_url_list(
 
     if( URLcount > 0 ) {
         out->URLs = malloc(URLS->size + 1);
-        out->parsedURLs = malloc(sizeof(uri_type) * URLcount);
+	/*
+	 * You wonder why there is a +1? See
+	 * https://sourceforge.net/p/pupnp/bugs/133/
+	 */
+        out->parsedURLs = malloc(sizeof(uri_type) * (URLcount + 1));
         if (!out->URLs || !out->parsedURLs) {
             free(out->URLs);
             free(out->parsedURLs);
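Review bot: the extra slot works only because the index stops advancing after the last successful parse, so every later invalid entry overwrites the same spare element; the comment should state that rather than only point at the bug URL, since a reader cannot otherwise tell that a single spare slot is enough. Also the added comment lines are indented with a tab while the surrounding lines use spaces, and `calloc(URLcount + 1, sizeof(uri_type))` would zero the spare slot as well.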

Best regards
Uwe
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Uwe Kleine-König <uwe@kleine-koenig.org> to 842093-submit@bugs.debian.org. (Thu, 08 Dec 2016 13:30:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Thu, 08 Dec 2016 13:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Uwe Kleine-König <uwe@kleine-koenig.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Thu, 08 Dec 2016 13:39:02 GMT) (full text, mbox, link).


Message #17 received at 842093@bugs.debian.org (full text, mbox, reply):

From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
Cc: 842093@bugs.debian.org
Subject: [uwe@kleine-koenig.org: Re: libupnp: CVE-2016-8863]
Date: Thu, 8 Dec 2016 14:36:02 +0100
[Message part 1 (text/plain, inline)]
Hello Marcelo,

I created a patch for CVE-2016-8863 but forgot to Cc: you. Do you care
to take a look?

Best regards
Uwe

----- Forwarded message from Uwe Kleine-König <uwe@kleine-koenig.org> -----

Date: Thu, 8 Dec 2016 14:20:32 +0100
From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 842093@bugs.debian.org
Subject: Re: libupnp: CVE-2016-8863
Message-ID: <20161208132027.idez435hu4jnaw26@perseus.defre.kleine-koenig.org>

Control: tag -1 + patch

Hello,

On Tue, Oct 25, 2016 at 10:27:24PM +0200, Salvatore Bonaccorso wrote:
> the following vulnerability was published for libupnp. The issue is
> easily reproducible if libupnp is compiled with ASAN and the
> reproducing steps in the upstream bug report are followed.

I didn't try to reproduce, but I think the following patch (while not
being pretty) is easy and fixes the issue:

diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
index 58a3e55e8973..700f00b449db 100644
--- a/upnp/src/gena/gena_device.c
+++ b/upnp/src/gena/gena_device.c
@@ -1145,7 +1145,11 @@ static int create_url_list(
 
     if( URLcount > 0 ) {
         out->URLs = malloc(URLS->size + 1);
-        out->parsedURLs = malloc(sizeof(uri_type) * URLcount);
+	/*
+	 * You wonder why there is a +1? See
+	 * https://sourceforge.net/p/pupnp/bugs/133/
+	 */
+        out->parsedURLs = malloc(sizeof(uri_type) * (URLcount + 1));
         if (!out->URLs || !out->parsedURLs) {
             free(out->URLs);
             free(out->parsedURLs);

Best regards
Uwe



----- End forwarded message -----
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Thu, 08 Dec 2016 16:54:07 GMT) (full text, mbox, link).


Acknowledgement sent to Uwe Kleine-König <uwe@kleine-koenig.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Thu, 08 Dec 2016 16:54:07 GMT) (full text, mbox, link).


Message #22 received at 842093@bugs.debian.org (full text, mbox, reply):

From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
Cc: 842093@bugs.debian.org
Subject: Re: [uwe@kleine-koenig.org: Re: libupnp: CVE-2016-8863]
Date: Thu, 8 Dec 2016 17:51:51 +0100
[Message part 1 (text/plain, inline)]
On Thu, Dec 08, 2016 at 02:36:01PM +0100, Uwe Kleine-König wrote:
> I created a patch for CVE-2016-8863 but forgot to Cc: you. Do you care
> to take a look?

I have now created a more sophisticated patch and attached it to the original
bug report (https://sourceforge.net/p/pupnp/bugs/133/).

Feedback welcome.

Best regards
Uwe
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Fri, 09 Dec 2016 10:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Uwe Kleine-König <uwe@kleine-koenig.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Fri, 09 Dec 2016 10:03:03 GMT) (full text, mbox, link).


Message #27 received at 842093@bugs.debian.org (full text, mbox, reply):

From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: 842093@bugs.debian.org
Cc: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>, Dario Minnucci <midget@debian.org>
Subject: embedded copies of libupnp
Date: Fri, 9 Dec 2016 10:27:20 +0100
[Message part 1 (text/plain, inline)]
Hello,

there are two source packages (in sid, found via codesearch.d.n) that
include embedded copies of libupnp: djmount and mediatomb (maintainers
on Cc:).

djmount build-depends on libupnp-dev and calls configure with
--with-external-libupnp, so fixing libupnp should be good enough here.

mediatomb doesn't build-depend on libupnp-dev and looking at
https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
it seems that the embedded copy is used, so mediatomb needs additional
handling to fix the bug. Also the copy is vulnerable.

Best regards
Uwe
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Fri, 09 Dec 2016 10:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Uwe Kleine-König <uwe@kleine-koenig.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Fri, 09 Dec 2016 10:12:04 GMT) (full text, mbox, link).


Message #32 received at 842093@bugs.debian.org (full text, mbox, reply):

From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: 813249@bugs.debian.org, 842093@bugs.debian.org, Nick Leverton <nick@leverton.org>
Subject: announce NMU of libupnp to fix #813249 and #842093
Date: Fri, 9 Dec 2016 11:10:50 +0100
[Message part 1 (text/plain, inline)]
Hello,

as I didn't get any feedback from the maintainer of libupnp for #813249
since January and the package has an open grave bug which was reported
in October, I intend to upload an NMU with the below debdiff.

I'd like to get an ack from Nick for the NMU, but will upload on Monday
if there is no reaction until then. There is another rc bug (#670562)
that needs handling (open since April 2012) where the fix isn't clear
and so is not fixed here.

Best regards
Uwe

diff -Nru libupnp-1.6.19+git20160116/debian/changelog libupnp-1.6.19+git20160116/debian/changelog
--- libupnp-1.6.19+git20160116/debian/changelog	2016-10-19 22:03:51.000000000 +0200
+++ libupnp-1.6.19+git20160116/debian/changelog	2016-12-09 10:40:28.000000000 +0100
@@ -1,3 +1,11 @@
+libupnp (1:1.6.19+git20160116-1.2) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix out-of-bounds-access (CVE-2016-8863, Closes: #842093)
+  * Fix usage on ipv6 enabled hosts (Closes: #813249) 
+
+ -- Uwe Kleine-König <ukleinek@debian.org>  Fri, 09 Dec 2016 10:40:28 +0100
+
 libupnp (1:1.6.19+git20160116-1.1) unstable; urgency=high
 
   * Non-maintainer upload.
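Review bot: the entry is targeted at `UNRELEASED` with `urgency=medium`, yet it closes a grave security bug; an upload fixing a CVE should go to `unstable` with `urgency=high`, as the previous NMU entry in the same file does. The line `+  * Fix usage on ipv6 enabled hosts (Closes: #813249) ` also carries trailing whitespace.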
diff -Nru libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch
--- libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch	1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch	2016-12-09 10:38:40.000000000 +0100
@@ -0,0 +1,63 @@
+From 8d48f5cf63973c452cb4578a1fbe623ba95a8e65 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
+Date: Thu, 8 Dec 2016 17:11:53 +0100
+Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
+
+If there is an invalid URL in URLS->buf after a valid one, uri_parse is
+called with out pointing after the allocated memory. As uri_parse writes
+to *out before returning an error the loop in create_url_list must be
+stopped early to prevent an out-of-bound access
+
+Bug: https://sourceforge.net/p/pupnp/bugs/133/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
+Bug-Debian: https://bugs.debian.org/842093
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
+Applied-Upstream: 1.6.x, commit:a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b
+---
+ upnp/src/gena/gena_device.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
+index 58a3e55e8973..a49394ab1488 100644
+--- a/upnp/src/gena/gena_device.c
++++ b/upnp/src/gena/gena_device.c
+@@ -1113,7 +1113,7 @@ static int create_url_list(
+ 	/*! [out] . */
+ 	URL_list *out)
+ {
+-    size_t URLcount = 0;
++    size_t URLcount = 0, URLcount2 = 0;
+     size_t i;
+     int return_code = 0;
+     uri_type temp;
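Review bot: `URLcount2` does not say what it counts; since `URLcount` now stays the number of allocated slots and the new variable is the number of slots actually filled, a name such as `nparsed` would make the later `if (URLcount2 >= URLcount)` read as the bounds check it is.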
+@@ -1155,16 +1155,23 @@ static int create_url_list(
+         }
+         memcpy( out->URLs, URLS->buff, URLS->size );
+         out->URLs[URLS->size] = 0;
+-        URLcount = 0;
+         for( i = 0; i < URLS->size; i++ ) {
+             if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
+                 if( ( ( return_code =
+                         parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
+-                                   &out->parsedURLs[URLcount] ) ) ==
++                                   &out->parsedURLs[URLcount2] ) ) ==
+                       HTTP_SUCCESS )
+-                    && ( out->parsedURLs[URLcount].hostport.text.size !=
++                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
+                          0 ) ) {
+-                    URLcount++;
++                    URLcount2++;
++                    if (URLcount2 >= URLcount)
++                        /*
++                         * break early here in case there is a bogus URL that
++                         * was skipped above. This prevents to access
++                         * out->parsedURLs[URLcount] which is beyond the
++                         * allocation.
++                         */
++                        break;
+                 } else {
+                     if( return_code == UPNP_E_OUTOF_MEMORY ) {
+                         free( out->URLs );
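Review bot: the length passed to parse_uri, `URLS->size - i + 1`, is two bytes larger than what remains after `&out->URLs[i + 1]` (`URLS->size - i - 1` bytes followed by the terminator stored at `out->URLs[URLS->size]`), so parse_uri may still read past the terminator; the patch leaves this untouched and it should at least be recorded as a separate issue. Dropping `URLcount = 0;` also means `URLcount` keeps the first-pass count for the rest of the function, so whatever is stored as the list size after this loop must now come from `URLcount2`; the two can differ if the first pass does not apply the same `i + 1 < URLS->size` guard this pass uses. The break itself is sound because the first pass counted exactly the entries that parse, so `URLcount2` entries can never exceed `URLcount` slots once the loop stops here; the comment would be clearer saying so instead of only describing the access it avoids.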
+-- 
+2.10.2
+
diff -Nru libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch
--- libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch	1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch	2016-12-09 10:39:40.000000000 +0100
@@ -0,0 +1,32 @@
+From 480967ef2dd8a8e66035d878a716a3877439c7ed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
+Date: Wed, 30 Nov 2016 22:04:04 +0100
+Subject: [PATCH] miniserver: fix binding to ipv6 link-local addresses
+
+Linux requires to have sin6_scope_id hold the interface id when binding to
+link-local addresses. This is already in use in other parts of upnp, so
+portability shouldn't be in the way here. Without this bind(2) fails with
+errno=EINVAL (although ipv6(7) from manpages 4.08 specifies ENODEV in this
+case).
+
+Bug-Debian: https://bugs.debian.org/813249
+Applied-Upstream: 1.6.x, commit:96bdeaca867d9eb61e6d6c3e2f751824b09c0358
+---
+ upnp/src/genlib/miniserver/miniserver.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/upnp/src/genlib/miniserver/miniserver.c b/upnp/src/genlib/miniserver/miniserver.c
+index 683c4b3d36cc..7cd1209d40e4 100644
+--- a/upnp/src/genlib/miniserver/miniserver.c
++++ b/upnp/src/genlib/miniserver/miniserver.c
+@@ -583,6 +583,7 @@ static int get_miniserver_sockets(
+ 	memset(&__ss_v6, 0, sizeof (__ss_v6));
+ 	serverAddr6->sin6_family = (sa_family_t)AF_INET6;
+ 	inet_pton(AF_INET6, gIF_IPV6, &serverAddr6->sin6_addr);
++	serverAddr6->sin6_scope_id = gIF_INDEX;
+ #endif
+ 	/* Getting away with implementation of re-using address:port and
+ 	 * instead choosing to increment port numbers.
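Review bot: `sin6_scope_id` is assigned unconditionally while the commit message only claims it is required for link-local addresses; either guard the assignment with `IN6_IS_ADDR_LINKLOCAL(&serverAddr6->sin6_addr)` or add a comment stating why setting it for other address types is harmless, so the next reader does not take it for a bug. The line also relies on `gIF_INDEX` being populated before get_miniserver_sockets() runs; a short note on where that happens would help.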
+-- 
+2.10.2
+
diff -Nru libupnp-1.6.19+git20160116/debian/patches/series libupnp-1.6.19+git20160116/debian/patches/series
--- libupnp-1.6.19+git20160116/debian/patches/series	2016-10-18 22:07:32.000000000 +0200
+++ libupnp-1.6.19+git20160116/debian/patches/series	2016-12-09 10:40:06.000000000 +0100
@@ -9,3 +9,5 @@
 27-LFS-fix-32bit-large_files.patch
 28-fix-git-version.patch
 CVE-2016-6255.patch
+CVE-2016-8863.patch
+miniserver-fix-binding-to-ipv6-link-local-addresses.patch
[signature.asc (application/pgp-signature, inline)]
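The failure mode the patch description above spells out (a parse result written for every `<` entry into an array sized for the entries that parse) is easiest to see in a reduced model. The following C program is an added example, not libupnp's own code: `toy_parse_uri` is an assumed stand-in for parse_uri() that accepts only `http://host` and, like the real function, writes to its output before it knows whether the input is valid; `count_valid` mirrors the first pass; `highest_slot_written` reports the slot index the original second pass would have written to (its array is over-allocated so the simulation itself stays in bounds); `build_list_fixed` is a hardened second pass that parses into a scratch object and copies it only on success. The inputs are constructed for the example.

```c
/* Added example, not libupnp code: a reduced model of the two-pass logic in
 * create_url_list() (upnp/src/gena/gena_device.c) described in the
 * CVE-2016-8863 patch above, beside a hardened second pass. toy_parse_uri()
 * is an assumed stand-in for parse_uri(); the inputs are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct toy_uri { const char *host; size_t host_len; };

/* Like the real parse_uri(), writes to *out before knowing whether the input
 * is valid. Accepts "http://host" (non-empty host), reads at most max bytes. */
static int toy_parse_uri(const char *s, size_t max, struct toy_uri *out)
{
    size_t n = 0;
    out->host = NULL;
    out->host_len = 0;
    if (max < 7 || strncmp(s, "http://", 7) != 0)
        return 0;
    while (7 + n < max && s[7 + n] != '>' && s[7 + n] != '\0')
        n++;
    out->host = s + 7;
    out->host_len = n;
    return n != 0;
}

/* First pass: count the '<'-introduced entries that parse. */
static size_t count_valid(const char *buf, size_t len)
{
    struct toy_uri tmp;
    size_t count = 0, i;
    for (i = 0; i < len; i++)
        if (buf[i] == '<' && i + 1 < len &&
            toy_parse_uri(&buf[i + 1], len - i - 1, &tmp))
            count++;
    return count;
}

/* Original second pass, simulated: idx advances only on success, but every
 * entry's parse result is written to slots[idx]. The array is over-allocated
 * (len slots) so the simulation stays in bounds; returns the highest index
 * written (-1 if none). A value >= count_valid() means the original, which
 * allocates exactly count_valid() slots, wrote out of bounds. */
static long highest_slot_written(const char *buf, size_t len)
{
    struct toy_uri *slots = calloc(len ? len : 1, sizeof *slots);
    long highest = -1;
    size_t idx = 0, i;
    if (!slots)
        return -1;
    for (i = 0; i < len; i++) {
        if (buf[i] != '<' || i + 1 >= len)
            continue;
        if ((long)idx > highest)
            highest = (long)idx;
        if (toy_parse_uri(&buf[i + 1], len - i - 1, &slots[idx]))
            idx++;
    }
    free(slots);
    return highest;
}

/* Hardened second pass: parse into a scratch object, copy it only on
 * success, never store more than nslots. Returns the entries stored. */
static size_t build_list_fixed(const char *buf, size_t len,
                               struct toy_uri *slots, size_t nslots)
{
    struct toy_uri tmp;
    size_t idx = 0, i;
    for (i = 0; i < len && idx < nslots; i++)
        if (buf[i] == '<' && i + 1 < len &&
            toy_parse_uri(&buf[i + 1], len - i - 1, &tmp))
            slots[idx++] = tmp;
    return idx;
}

/* Both passes of the hardened version; (size_t)-1 on allocation failure. */
static size_t fixed_list_size(const char *buf, size_t len)
{
    size_t n = count_valid(buf, len), stored;
    struct toy_uri *slots = n ? calloc(n, sizeof *slots) : NULL;
    if (n == 0)
        return 0;
    if (!slots)
        return (size_t)-1;
    stored = build_list_fixed(buf, len, slots, n);
    free(slots);
    return stored;
}

/* Constructed inputs: a bogus entry after the last valid one overflows in the
 * original; a bogus entry before a valid one does not. */
static const char trailing_bogus[] = "<http://a><bogus>";
static const char leading_bogus[] = "<bogus><http://a>";

int main(void)
{
    const char *in[2] = { trailing_bogus, leading_bogus };
    size_t k;
    for (k = 0; k < 2; k++) {
        size_t len = strlen(in[k]), count = count_valid(in[k], len);
        long hi = highest_slot_written(in[k], len);
        printf("%-18s count=%zu highest=%ld (%s) fixed stores %zu\n", in[k],
               count, hi, hi >= (long)count ? "OOB" : "ok",
               fixed_list_size(in[k], len));
    }
    return 0;
}
```

With an array of `count_valid()` slots, the simulation flags an out-of-bounds write exactly when a bogus entry follows the last valid one: `<http://a><bogus>` yields highest index 1 against a count of 1, while `<bogus><http://a>` and `<http://a><bogus><http://bb>` stay in bounds because a later valid entry reuses the slot. The upstream fix keeps the write-then-check shape and instead breaks out of the loop once `URLcount` entries are stored, which closes the same gap; parsing into a scratch object as done here additionally removes any dependence on the two passes agreeing.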

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Fri, 09 Dec 2016 10:24:05 GMT) (full text, mbox, link).


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Fri, 09 Dec 2016 10:24:05 GMT) (full text, mbox, link).


Message #37 received at 842093@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>
To: Uwe Kleine-König <uwe@kleine-koenig.org>
Cc: 842093@bugs.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>, Dario Minnucci <midget@debian.org>
Subject: Re: Bug#842093: embedded copies of libupnp
Date: Fri, 9 Dec 2016 10:16:25 +0000
[Message part 1 (text/plain, inline)]
Hi,

On 09/12/16 09:27, Uwe Kleine-König wrote:
> Hello,
> 
> there are two source packages (in sid, found via codesearch.d.n) that
> include embedded copies of libupnp: djmount and mediatomb (maintainers
> on Cc:).
> 
> djmount build-depends on libupnp-dev and calls configure with
> --with-external-libupnp, so fixing libupnp should be good enough here.
> 
> mediatomb doesn't build-depend on libupnp-dev and looking at
> https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
> it seems that the embedded copy is used, so mediatomb needs additional
> handling to fix the bug. Also the copy is vulnerable.

The Fedora maintainer asked upstream about it a while back:
https://sourceforge.net/p/mediatomb/bugs/114/

I have not checked how extensive the patching is, but I expect
unbundling libupnp from mediatomb would be a lot of work which no one
has volunteered to do.

Upstream appears to be dead, which is why they haven't fixed it.

Thanks,
James

[signature.asc (application/pgp-signature, attachment)]

Added tag(s) fixed-upstream. Request was from Uwe Kleine-König <uwe@kleine-koenig.org> to control@bugs.debian.org. (Fri, 09 Dec 2016 10:24:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Fri, 09 Dec 2016 10:30:14 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Fri, 09 Dec 2016 10:30:14 GMT) (full text, mbox, link).


Message #44 received at 842093@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: James Cowgill <jcowgill@debian.org>
Cc: Uwe Kleine-König <uwe@kleine-koenig.org>, 842093@bugs.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Subject: Re: Bug#842093: embedded copies of libupnp
Date: Fri, 9 Dec 2016 11:28:53 +0100
On 2016-12-09 10:16:25, James Cowgill wrote:
> Hi,
> 
> On 09/12/16 09:27, Uwe Kleine-König wrote:
> > Hello,
> > 
> > there are two source packages (in sid, found via codesearch.d.n) that
> > include embedded copies of libupnp: djmount and mediatomb (maintainers
> > on Cc:).
> > 
> > djmount build-depends on libupnp-dev and calls configure with
> > --with-external-libupnp, so fixing libupnp should be good enough here.
> > 
> > mediatomb doesn't build-depend on libupnp-dev and looking at
> > https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
> > it seems that the embedded copy is used, so mediatomb needs additional
> > handling to fix the bug. Also the copy is vulnerable.
> 
> The Fedora maintainer asked upstream about it a while back:
> https://sourceforge.net/p/mediatomb/bugs/114/
> 
> I have not checked how extensive the patching is, but I expect
> unbundling libupnp from mediatomb would be a lot of work which no one
> has volunteered to do.
> 
> Upstream appears to be dead, which is why they haven't fixed it.

Maybe it's time to get mediatomb removed. It was not part of jessie and in its
current state it will not be part of stretch.

Cheers
-- 
Sebastian Ramacher



Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Fri, 09 Dec 2016 10:54:04 GMT) (full text, mbox, link).


Acknowledgement sent to Uwe Kleine-König <uwe@kleine-koenig.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Fri, 09 Dec 2016 10:54:04 GMT) (full text, mbox, link).


Message #49 received at 842093@bugs.debian.org (full text, mbox, reply):

From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: 813249@bugs.debian.org, 842093@bugs.debian.org, Nick Leverton <nick@leverton.org>
Subject: Re: announce NMU of libupnp to fix #813249 and #842093
Date: Fri, 9 Dec 2016 11:51:03 +0100
[Message part 1 (text/plain, inline)]
On Fri, Dec 09, 2016 at 11:10:50AM +0100, Uwe Kleine-König wrote:
> Hello,
> 
> as I didn't get any feedback from the maintainer of libupnp for #813249
> since January and the package has an open grave bug which was reported
> in October I intend to upload an NMU with the below debdiff.
> 
> I'd like to get an ack from Nick for the NMU, but will upload on Monday
> if there is no reaction until then. There is another rc bug (#670562)
> that needs handling (open since April 2012) where the fix isn't clear
> and so is not fixed here.
> 
> Best regards
> Uwe
> 
> diff -Nru libupnp-1.6.19+git20160116/debian/changelog libupnp-1.6.19+git20160116/debian/changelog
> --- libupnp-1.6.19+git20160116/debian/changelog	2016-10-19 22:03:51.000000000 +0200
> +++ libupnp-1.6.19+git20160116/debian/changelog	2016-12-09 10:40:28.000000000 +0100
> @@ -1,3 +1,11 @@
> +libupnp (1:1.6.19+git20160116-1.2) UNRELEASED; urgency=medium

I uploaded to DELAYED 3 now with unstable; urgency=high

Best regards
Uwe
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Fri, 09 Dec 2016 13:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Uwe Kleine-König <uwe@kleine-koenig.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Fri, 09 Dec 2016 13:57:05 GMT) (full text, mbox, link).


Message #54 received at 842093@bugs.debian.org (full text, mbox, reply):

From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: James Cowgill <jcowgill@debian.org>, 842093@bugs.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Subject: Re: Bug#842093: embedded copies of libupnp
Date: Fri, 9 Dec 2016 14:55:52 +0100
[Message part 1 (text/plain, inline)]
Hello,

On 12/09/2016 11:28 AM, Sebastian Ramacher wrote:
> On 2016-12-09 10:16:25, James Cowgill wrote:
>> On 09/12/16 09:27, Uwe Kleine-König wrote:
>>> there are two source packages (in sid, found via codesearch.d.n) that
>>> include embedded copies of libupnp: djmount and mediatomb (maintainers
>>> on Cc:).
>>>
>>> djmount build-depends on libupnp-dev and calls configure with
>>> --with-external-libupnp, so fixing libupnp should be good enough here.
>>>
>>> mediatomb doesn't build-depend on libupnp-dev and looking at
>>> https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
>>> it seems that the embedded copy is used, so mediatomb needs additional
>>> handling to fix the bug. Also the copy is vulnerable.
>>
>> The Fedora maintainer asked upstream about it a while back:
>> https://sourceforge.net/p/mediatomb/bugs/114/
>>
>> I have not checked how extensive the patching is, but I expect
>> unbundling libupnp from mediatomb would be a lot of work which no one
>> has volunteered to do.
>>
>> Upstream appears to be dead, which is why they haven't fixed it.
> 
> Maybe it's time to get mediatomb removed. It was not part of jessie and in its
> current state it will not be part of stretch.

mediatomb already has a grave bug that lists a number of CVEs that
affect the embedded copy of libupnp (#841224). It already mentions
CVE-2016-8863. Also mediatomb isn't in testing as of now.

Best regards
Uwe

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Sat, 10 Dec 2016 09:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Sat, 10 Dec 2016 09:45:03 GMT) (full text, mbox, link).


Message #59 received at 842093@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: James Cowgill <jcowgill@debian.org>, Uwe Kleine-König <uwe@kleine-koenig.org>, 842093@bugs.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Subject: Re: Bug#842093: embedded copies of libupnp
Date: Sat, 10 Dec 2016 10:43:53 +0100
Hi Sebastian,

On Fri, Dec 09, 2016 at 11:28:53AM +0100, Sebastian Ramacher wrote:
> On 2016-12-09 10:16:25, James Cowgill wrote:
> > Hi,
> > 
> > On 09/12/16 09:27, Uwe Kleine-König wrote:
> > > Hello,
> > > 
> > > there are two source packages (in sid, found via codesearch.d.n) that
> > > include embedded copies of libupnp: djmount and mediatomb (maintainers
> > > on Cc:).
> > > 
> > > djmount build-depends on libupnp-dev and calls configure with
> > > --with-external-libupnp, so fixing libupnp should be good enough here.
> > > 
> > > mediatomb doesn't build-depend on libupnp-dev and looking at
> > > https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
> > > it seems that the embedded copy is used, so mediatomb needs additional
> > > handling to fix the bug. Also the copy is vulnerable.
> > 
> > The Fedora maintainer asked upstream about it a while back:
> > https://sourceforge.net/p/mediatomb/bugs/114/
> > 
> > I have not checked how extensive the patching is, but I expect
> > unbundling libupnp from mediatomb would be a lot of work which no one
> > has volunteered to do.
> > 
> > Upstream appears to be dead, which is why they haven't fixed it.
> 
> Maybe it's time to get mediatomb removed. It was not part of jessie and in its
> current state it will not be part of stretch.

I think this makes sense. Can you request the removal from unstable?

Regards,
Salvatore



Reply sent to Uwe Kleine-König <ukleinek@debian.org>:
You have taken responsibility. (Mon, 12 Dec 2016 11:39:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 12 Dec 2016 11:39:06 GMT) (full text, mbox, link).


Message #64 received at 842093-close@bugs.debian.org (full text, mbox, reply):

From: Uwe Kleine-König <ukleinek@debian.org>
To: 842093-close@bugs.debian.org
Subject: Bug#842093: fixed in libupnp 1:1.6.19+git20160116-1.2
Date: Mon, 12 Dec 2016 11:34:13 +0000
Source: libupnp
Source-Version: 1:1.6.19+git20160116-1.2

We believe that the bug you reported is fixed in the latest version of
libupnp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842093@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Uwe Kleine-König <ukleinek@debian.org> (supplier of updated libupnp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 Dec 2016 10:40:28 +0100
Source: libupnp
Binary: libupnp6 libupnp6-dev libupnp-dev libupnp6-dbg libupnp6-doc
Architecture: source
Version: 1:1.6.19+git20160116-1.2
Distribution: unstable
Urgency: high
Maintainer: Nick Leverton <nick@leverton.org>
Changed-By: Uwe Kleine-König <ukleinek@debian.org>
Description:
 libupnp-dev - Portable SDK for UPnP Devices (development files)
 libupnp6   - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
 libupnp6-dbg - debugging symbols for libupnp6
 libupnp6-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
 libupnp6-doc - Documentation for the Portable SDK for UPnP Devices, version 1.6
Closes: 813249 842093
Changes:
 libupnp (1:1.6.19+git20160116-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix out-of-bounds-access (CVE-2016-8863, Closes: #842093)
   * Fix usage on ipv6 enabled hosts (Closes: #813249)
Checksums-Sha1:
 0b0a9d8f5b3ba6072e87fe9d964d86cbe8733d0d 1778 libupnp_1.6.19+git20160116-1.2.dsc
 efd3b9204cedf42a7037267e0921ccc02793385b 28772 libupnp_1.6.19+git20160116-1.2.debian.tar.xz
Checksums-Sha256:
 4ce1899ad10a869c6b6beac185a5e8b9a8e862f8855ab4ef062121fa933616c8 1778 libupnp_1.6.19+git20160116-1.2.dsc
 f53968bf18ea75aed2c3c3bfa609e7ac051a7151c78ea95092c131d2d0f09be8 28772 libupnp_1.6.19+git20160116-1.2.debian.tar.xz
Files:
 6c4a96b86f7f23523b8375963c4bb330 1778 net optional libupnp_1.6.19+git20160116-1.2.dsc
 6785d8b04b20e128f2875320d1ba0948 28772 net optional libupnp_1.6.19+git20160116-1.2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQFIBAEBCgAyFiEEfnIqFpAYrP8+dKQLwfwUeK3K7AkFAlhKi+AUHHVrbGVpbmVr
QGRlYmlhbi5vcmcACgkQwfwUeK3K7AnU/gf/WeU/sDULtoZCSFnfGWT307bki/3C
nxHPASKzJsZpLbEkQAx5Y1HeEobiZOrBwb1VzKS+FYElREK5C9+eqHcJJ9Awe4j6
OIAonFO2xlaTp2UlM66jzzxOz20GecgmubvX5igPtefBMhF/XiqGqMyDEHxHyME9
VUhnpgDPgYVs9RuAqnUzZVsQKcsBcBC8UZpgFDwR3NMWWyW+ymqBl861pBb0wnKd
+QEGXW1CNCuIDbzt7/XJ7imLqUMZCX36PxWGSS7VWmdRyDAUVOxFvVxVIsNpkaxi
QDDWiPSfaFbFLU5TaXHnLA5/9+PsXRFWxAgTtKw4XqnXrA7wnyDHfGyYzg==
=lLRu
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Tue, 13 Dec 2016 12:45:09 GMT) (full text, mbox, link).


Acknowledgement sent to Uwe Kleine-König <uwe@kleine-koenig.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Tue, 13 Dec 2016 12:45:09 GMT) (full text, mbox, link).


Message #69 received at 842093@bugs.debian.org (full text, mbox, reply):

From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: team@security.debian.org
Cc: 831857@bugs.debian.org, 842093@bugs.debian.org
Subject: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)
Date: Tue, 13 Dec 2016 13:43:22 +0100
[Message part 1 (text/plain, inline)]
Hello,

Do you consider CVE-2016-6255 and CVE-2016-8863 bad enough to make a
security update for them? If so, I suggest the following debdiff.

Best regards
Uwe

diff -Nru libupnp-1.6.19+git20141001/debian/changelog libupnp-1.6.19+git20141001/debian/changelog
--- libupnp-1.6.19+git20141001/debian/changelog	2014-10-23 22:48:01.000000000 +0200
+++ libupnp-1.6.19+git20141001/debian/changelog	2016-12-13 11:46:31.000000000 +0100
@@ -1,3 +1,11 @@
+libupnp (1:1.6.19+git20141001-1.1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * backport fixes for CVE-2016-6255 and CVE-2016-8863
+    (Closes: #831857, #842093)
+
+ -- Uwe Kleine-König <ukleinek@debian.org>  Tue, 13 Dec 2016 11:46:31 +0100
+
 libupnp (1:1.6.19+git20141001-1) unstable; urgency=low
 
   * Ack both NMUs, thankyou for your care of this package.
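Review bot: the version 1:1.6.19+git20141001-1.1 in the new changelog entry is the plain-NMU form, while the target distribution on the same line is jessie-security; a stable security update takes the +deb8u1 suffix (1:1.6.19+git20141001-1+deb8u1), which is also what the security team asks for in the reply below. The "(Closes: #831857, #842093)" line and the two CVE ids in the entry are what the tracker needs, so only the version string needs changing.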
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch	1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch	2016-12-13 11:46:31.000000000 +0100
@@ -0,0 +1,63 @@
+From c91a8a3903367e1163765b73eb4d43be7d7927fa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+
+Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
+Bug: https://sourceforge.net/p/pupnp/bugs/132/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
+Bug-Debian: https://bugs.debian.org/831857
+---
+ configure.ac                         |    4 ++++
+ upnp/inc/upnpconfig.h.in             |    4 ++++
+ upnp/src/genlib/net/http/webserver.c |    4 ++++
+ 3 files changed, 12 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -495,6 +495,10 @@
+         AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h])
+ fi
+ 
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++	AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+ 
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+ 
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -131,5 +131,9 @@
+  * header (i.e. configure --enable-unspecified_server) */
+ #undef UPNP_ENABLE_UNSPECIFIED_SERVER
+ 
++/** Defined to 1 if the library has been compiled to support filesystem writes on POST
++ * (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
+ #endif /* UPNP_CONFIG_H */
+ 
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1366,9 +1366,13 @@
+ 		if (Fp == NULL)
+ 			return HTTP_INTERNAL_SERVER_ERROR;
+ 	} else {
++#ifdef UPNP_ENABLE_POST_WRITE
+ 		Fp = fopen(filename, "wb");
+ 		if (Fp == NULL)
+ 			return HTTP_UNAUTHORIZED;
++#else
++		return HTTP_NOT_FOUND;
++#endif
+ 	}
+ 	parser->position = POS_ENTITY;
+ 	do {
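Review bot: with UPNP_ENABLE_POST_WRITE undefined, the new "return HTTP_NOT_FOUND;" in webserver.c leaves the function before the entity-reading loop that starts at "parser->position = POS_ENTITY;", so the POST body is never consumed here; worth confirming that the caller closes the connection or drains the remaining request data on that error path rather than treating the unread body as the start of the next request. On the header side, this patch file carries Bug, Bug-CVE and Bug-Debian fields but no Origin or Applied-Upstream line, unlike CVE-2016-8863.patch; adding "Origin: upstream, commit c91a8a3903367e1163765b73eb4d43be7d7927fa" (the id from the From line) would make the provenance machine-readable.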
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch	1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch	2016-12-13 11:46:31.000000000 +0100
@@ -0,0 +1,59 @@
+From 8d48f5cf63973c452cb4578a1fbe623ba95a8e65 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
+Date: Thu, 8 Dec 2016 17:11:53 +0100
+Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
+
+If there is an invalid URL in URLS->buf after a valid one, uri_parse is
+called with out pointing after the allocated memory. As uri_parse writes
+to *out before returning an error the loop in create_url_list must be
+stopped early to prevent an out-of-bound access
+
+Bug: https://sourceforge.net/p/pupnp/bugs/133/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
+Bug-Debian: https://bugs.debian.org/842093
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
+Applied-Upstream: 1.6.x, commit:a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b
+
+---
+ upnp/src/gena/gena_device.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/upnp/src/gena/gena_device.c
++++ b/upnp/src/gena/gena_device.c
+@@ -1113,7 +1113,7 @@
+ 	/*! [out] . */
+ 	URL_list *out)
+ {
+-    size_t URLcount = 0;
++    size_t URLcount = 0, URLcount2 = 0;
+     size_t i;
+     int return_code = 0;
+     uri_type temp;
+@@ -1155,16 +1155,23 @@
+         }
+         memcpy( out->URLs, URLS->buff, URLS->size );
+         out->URLs[URLS->size] = 0;
+-        URLcount = 0;
+         for( i = 0; i < URLS->size; i++ ) {
+             if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
+                 if( ( ( return_code =
+                         parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
+-                                   &out->parsedURLs[URLcount] ) ) ==
++                                   &out->parsedURLs[URLcount2] ) ) ==
+                       HTTP_SUCCESS )
+-                    && ( out->parsedURLs[URLcount].hostport.text.size !=
++                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
+                          0 ) ) {
+-                    URLcount++;
++                    URLcount2++;
++		    if (URLcount2 >= URLcount)
++			    /*
++			     * break early here in case there is a bogus URL that
++			     * was skipped above. This prevents to access
++			     * out->parsedURLs[URLcount] which is beyond the
++			     * allocation.
++			     */
++			    break;
+                 } else {
+                     if( return_code == UPNP_E_OUTOF_MEMORY ) {
+                         free( out->URLs );
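Review bot: the "if (URLcount2 >= URLcount) break;" only covers bogus URLs that come after the last valid one, and it works because URLcount now keeps the allocation count computed before this hunk (hence the dropped "URLcount = 0;" reset); that makes the counting pass and this loop silently dependent on accepting exactly the same URLs (HTTP_SUCCESS with a non-empty hostport), which the new comment should state. A bogus URL that precedes the last valid one still receives parse_uri()'s partial write into out->parsedURLs[URLcount2]; that slot is in bounds (URLcount2 < URLcount) and is overwritten by the next valid URL, so it is harmless, but saying so in the comment would save the next reader the analysis. Smaller points: the comment should read "This prevents accessing" rather than "This prevents to access", the commit message says uri_parse while the code calls parse_uri, and the inserted lines use tab indentation where the surrounding lines use spaces. Unrelated to the fix but visible in the context: the length "URLS->size - i + 1" passed to parse_uri() for the buffer at "&out->URLs[i + 1]" is larger than the URLS->size - i bytes (NUL included, from the terminator written at out->URLs[URLS->size]) that actually remain, which deserves an independent check.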
diff -Nru libupnp-1.6.19+git20141001/debian/patches/series libupnp-1.6.19+git20141001/debian/patches/series
--- libupnp-1.6.19+git20141001/debian/patches/series	2014-10-04 06:26:29.000000000 +0200
+++ libupnp-1.6.19+git20141001/debian/patches/series	2016-12-13 11:46:31.000000000 +0100
@@ -5,3 +5,5 @@
 18-url-upnpstrings.patch
 19_fix_tests.patch
 21_fix-1.6.19+git.patch
+CVE-2016-6255.patch
+CVE-2016-8863.patch
Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Tue, 13 Dec 2016 13:09:03 GMT)


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Tue, 13 Dec 2016 13:09:03 GMT)


Message #74 received at 842093@bugs.debian.org:

From: Sébastien Delafond <seb@debian.org>
To: Uwe Kleine-König <uwe@kleine-koenig.org>
Cc: team@security.debian.org, 831857@bugs.debian.org, 842093@bugs.debian.org
Subject: Re: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)
Date: Tue, 13 Dec 2016 14:03:50 +0100
On Dec/13, Uwe Kleine-König wrote:
> Do you consider CVE-2016-6255 and CVE-2016-8863 bad enough to make a
> security update for it? If so, I suggest the following debdiff.

Yes, the first one is bad, so let's fix both via a DSA.

Could you please provide a debdiff with 1:1.6.19+git20141001-1+deb8u1 as
a version, instead of 1.1?

Cheers,

--Seb



Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Tue, 13 Dec 2016 19:09:03 GMT)


Acknowledgement sent to Uwe Kleine-König <uwe@kleine-koenig.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Tue, 13 Dec 2016 19:09:03 GMT)


Message #79 received at 842093@bugs.debian.org:

From: Uwe Kleine-König <uwe@kleine-koenig.org>
To: Sébastien Delafond <seb@debian.org>
Cc: team@security.debian.org, 831857@bugs.debian.org, 842093@bugs.debian.org
Subject: Re: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)
Date: Tue, 13 Dec 2016 20:06:57 +0100
On Tue, Dec 13, 2016 at 02:03:50PM +0100, Sébastien Delafond wrote:
> On Dec/13, Uwe Kleine-König wrote:
> > Do you consider CVE-2016-6255 and CVE-2016-8863 bad enough to make a
> > security update for it? If so, I suggest the following debdiff.
> 
> Yes, the first one is bad, so let's fix both via a DSA.

I had the impression that the 2nd might be bad, too. There is no public
exploit available, but AFAIK writing to unallocated memory is dangerous?

> Could you please provide a debdiff with 1:1.6.19+git20141001-1+deb8u1 as
> a version, instead of 1.1 ?

Yeah, I wondered if the version is right and trusted dch --security to
do the right thing. Find below a debdiff using +deb8u1.

Best regards
Uwe

dpkg-source: warning: extracting unsigned source package (/home/uwe/tm/libupnp_1.6.19+git20141001-1+deb8u1.dsc)
diff -Nru libupnp-1.6.19+git20141001/debian/changelog libupnp-1.6.19+git20141001/debian/changelog
--- libupnp-1.6.19+git20141001/debian/changelog	2014-10-23 22:48:01.000000000 +0200
+++ libupnp-1.6.19+git20141001/debian/changelog	2016-12-13 11:46:31.000000000 +0100
@@ -1,3 +1,11 @@
+libupnp (1:1.6.19+git20141001-1+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * backport fixes for CVE-2016-6255 and CVE-2016-8863
+    (Closes: #831857, #842093)
+
+ -- Uwe Kleine-König <ukleinek@debian.org>  Tue, 13 Dec 2016 11:46:31 +0100
+
 libupnp (1:1.6.19+git20141001-1) unstable; urgency=low
 
   * Ack both NMUs, thankyou for your care of this package.
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch	1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-6255.patch	2016-12-13 11:46:31.000000000 +0100
@@ -0,0 +1,63 @@
+From c91a8a3903367e1163765b73eb4d43be7d7927fa Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+
+Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
+Bug: https://sourceforge.net/p/pupnp/bugs/132/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
+Bug-Debian: https://bugs.debian.org/831857
+---
+ configure.ac                         |    4 ++++
+ upnp/inc/upnpconfig.h.in             |    4 ++++
+ upnp/src/genlib/net/http/webserver.c |    4 ++++
+ 3 files changed, 12 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -495,6 +495,10 @@
+         AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h])
+ fi
+ 
++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])
++if test "x$enable_postwrite" = xyes ; then
++	AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
++fi
+ 
+ RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
+ 
+--- a/upnp/inc/upnpconfig.h.in
++++ b/upnp/inc/upnpconfig.h.in
+@@ -131,5 +131,9 @@
+  * header (i.e. configure --enable-unspecified_server) */
+ #undef UPNP_ENABLE_UNSPECIFIED_SERVER
+ 
++/** Defined to 1 if the library has been compiled to support filesystem writes on POST
++ * (i.e. configure --enable-postwrite) */
++#undef UPNP_ENABLE_POST_WRITE
++
+ #endif /* UPNP_CONFIG_H */
+ 
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1366,9 +1366,13 @@
+ 		if (Fp == NULL)
+ 			return HTTP_INTERNAL_SERVER_ERROR;
+ 	} else {
++#ifdef UPNP_ENABLE_POST_WRITE
+ 		Fp = fopen(filename, "wb");
+ 		if (Fp == NULL)
+ 			return HTTP_UNAUTHORIZED;
++#else
++		return HTTP_NOT_FOUND;
++#endif
+ 	}
+ 	parser->position = POS_ENTITY;
+ 	do {
diff -Nru libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch
--- libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch	1970-01-01 01:00:00.000000000 +0100
+++ libupnp-1.6.19+git20141001/debian/patches/CVE-2016-8863.patch	2016-12-13 11:46:31.000000000 +0100
@@ -0,0 +1,59 @@
+From 8d48f5cf63973c452cb4578a1fbe623ba95a8e65 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
+Date: Thu, 8 Dec 2016 17:11:53 +0100
+Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
+
+If there is an invalid URL in URLS->buf after a valid one, uri_parse is
+called with out pointing after the allocated memory. As uri_parse writes
+to *out before returning an error the loop in create_url_list must be
+stopped early to prevent an out-of-bound access
+
+Bug: https://sourceforge.net/p/pupnp/bugs/133/
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
+Bug-Debian: https://bugs.debian.org/842093
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
+Applied-Upstream: 1.6.x, commit:a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b
+
+---
+ upnp/src/gena/gena_device.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/upnp/src/gena/gena_device.c
++++ b/upnp/src/gena/gena_device.c
+@@ -1113,7 +1113,7 @@
+ 	/*! [out] . */
+ 	URL_list *out)
+ {
+-    size_t URLcount = 0;
++    size_t URLcount = 0, URLcount2 = 0;
+     size_t i;
+     int return_code = 0;
+     uri_type temp;
+@@ -1155,16 +1155,23 @@
+         }
+         memcpy( out->URLs, URLS->buff, URLS->size );
+         out->URLs[URLS->size] = 0;
+-        URLcount = 0;
+         for( i = 0; i < URLS->size; i++ ) {
+             if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
+                 if( ( ( return_code =
+                         parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
+-                                   &out->parsedURLs[URLcount] ) ) ==
++                                   &out->parsedURLs[URLcount2] ) ) ==
+                       HTTP_SUCCESS )
+-                    && ( out->parsedURLs[URLcount].hostport.text.size !=
++                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
+                          0 ) ) {
+-                    URLcount++;
++                    URLcount2++;
++		    if (URLcount2 >= URLcount)
++			    /*
++			     * break early here in case there is a bogus URL that
++			     * was skipped above. This prevents to access
++			     * out->parsedURLs[URLcount] which is beyond the
++			     * allocation.
++			     */
++			    break;
+                 } else {
+                     if( return_code == UPNP_E_OUTOF_MEMORY ) {
+                         free( out->URLs );
diff -Nru libupnp-1.6.19+git20141001/debian/patches/series libupnp-1.6.19+git20141001/debian/patches/series
--- libupnp-1.6.19+git20141001/debian/patches/series	2014-10-04 06:26:29.000000000 +0200
+++ libupnp-1.6.19+git20141001/debian/patches/series	2016-12-13 11:46:31.000000000 +0100
@@ -5,3 +5,5 @@
 18-url-upnpstrings.patch
 19_fix_tests.patch
 21_fix-1.6.19+git.patch
+CVE-2016-6255.patch
+CVE-2016-8863.patch
Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Tue, 13 Dec 2016 19:39:06 GMT)


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Tue, 13 Dec 2016 19:39:06 GMT)


Message #84 received at 842093@bugs.debian.org:

From: Sébastien Delafond <seb@debian.org>
To: Uwe Kleine-König <uwe@kleine-koenig.org>
Cc: team@security.debian.org, 831857@bugs.debian.org, 842093@bugs.debian.org
Subject: Re: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)
Date: Tue, 13 Dec 2016 20:34:56 +0100
On Dec/13, Uwe Kleine-König wrote:
> I had the impression that the 2nd might be bad, too. There is no
> public exploit available, but AFAIK writing to unallocated memory is
> dangerous?

Yes, it is, you're right. But the first one is such an obvious flaw
that it doesn't require any sort of creativity to exploit :) Anyway, we
want them both fixed.

> Yeah, I wondered if the version is right and trusted dch --security to
> do the right thing. Find below a debdiff using +deb8u1

Perfect, you can upload to security-master (no source-only
though). Also, make sure you build with -sa, as it will be new on that
host.

Cheers,

--Seb



Reply sent to Uwe Kleine-König <ukleinek@debian.org>:
You have taken responsibility. (Sat, 17 Dec 2016 22:03:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Dec 2016 22:03:08 GMT)


Message #89 received at 842093-close@bugs.debian.org:

From: Uwe Kleine-König <ukleinek@debian.org>
To: 842093-close@bugs.debian.org
Subject: Bug#842093: fixed in libupnp 1:1.6.19+git20141001-1+deb8u1
Date: Sat, 17 Dec 2016 22:02:13 +0000
Source: libupnp
Source-Version: 1:1.6.19+git20141001-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
libupnp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842093@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Uwe Kleine-König <ukleinek@debian.org> (supplier of updated libupnp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Dec 2016 11:46:31 +0100
Source: libupnp
Binary: libupnp6 libupnp6-dev libupnp-dev libupnp6-dbg libupnp6-doc
Architecture: source arm64 all
Version: 1:1.6.19+git20141001-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Nick Leverton <nick@leverton.org>
Changed-By: Uwe Kleine-König <ukleinek@debian.org>
Description:
 libupnp-dev - Portable SDK for UPnP Devices (development files)
 libupnp6   - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
 libupnp6-dbg - debugging symbols for libupnp6
 libupnp6-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
 libupnp6-doc - Documentation for the Portable SDK for UPnP Devices, version 1.6
Closes: 831857 842093
Changes:
 libupnp (1:1.6.19+git20141001-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * backport fixes for CVE-2016-6255 and CVE-2016-8863
     (Closes: #831857, #842093)
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#842093; Package src:libupnp. (Thu, 29 Dec 2016 15:39:09 GMT)


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Thu, 29 Dec 2016 15:39:09 GMT)


Message #94 received at 842093@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, Uwe Kleine-König <uwe@kleine-koenig.org>, 842093@bugs.debian.org
Subject: Re: Bug#842093: embedded copies of libupnp
Date: Thu, 29 Dec 2016 15:36:29 +0000
Hi,

On 10/12/16 09:43, Salvatore Bonaccorso wrote:
> On Fri, Dec 09, 2016 at 11:28:53AM +0100, Sebastian Ramacher wrote:
>> On 2016-12-09 10:16:25, James Cowgill wrote:
>>> On 09/12/16 09:27, Uwe Kleine-König wrote:
>>>> there are two source packages (in sid, found via codesearch.d.n) that
>>>> include embedded copies of libupnp: djmount and mediatomb (maintainers
>>>> on Cc:).
>>>>
>>>> djmount build-depends on libupnp-dev and calls configure with
>>>> --with-external-libupnp, so fixing libupnp should be good enough here.
>>>>
>>>> mediatomb doesn't build-depend on libupnp-dev and looking at
>>>> https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
>>>> it seems that the embedded copy is used, so mediatomb needs additional
>>>> handling to fix the bug. Also the copy is vulnerable.
>>>
>>> The Fedora maintainer asked upstream about it a while back:
>>> https://sourceforge.net/p/mediatomb/bugs/114/
>>>
>>> I have not checked how extensive the patching is, but I expect
>>> unbundling libupnp from mediatomb would be a lot of work which noone
>>> has volunteered to do.
>>>
>>> Upstream appears to be dead which is why they haven't fixed it.
>>
>> Maybe it's time to get mediatomb removed. It was not part of jessie and in its
>> current state it will not be part of stretch.
> 
> I think this makes sense. Can you request the removal from unstable?

I've just discovered this fork of mediatomb:
https://github.com/v00d00/mediatomb

It seems to be quite active and they've already removed the embedded
copy of libupnp (although it requires the unreleased 1.8 version). Maybe
we could switch to that instead of removing it? I can have a look.

James

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 11:57:34 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:00:36 2019; Machine Name: beach
