Debian Bug report logs -
#930050
miniupnpd: CVE-2019-12107 CVE-2019-12108 CVE-2019-12109 CVE-2019-12110 CVE-2019-12111
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 6 Jun 2019 07:42:02 UTC
Severity: grave
Tags: security, upstream
Found in versions miniupnpd/2.1-5, miniupnpd/1.8.20140523-4.1+deb9u1, miniupnpd/1.8.20140523-1
Fixed in version miniupnpd/2.1-6
Done: Thomas Goirand <zigo@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#930050; Package src:miniupnpd.
(Thu, 06 Jun 2019 07:42:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Thomas Goirand <zigo@debian.org>.
(Thu, 06 Jun 2019 07:42:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: miniupnpd
Version: 2.1-5
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.8.20140523-4.1+deb9u1
Control: found -1 1.8.20140523-1
Hi,
The following vulnerabilities were published for miniupnpd.
CVE-2019-12107[0]:
| The upnp_event_prepare function in upnpevents.c in MiniUPnP MiniUPnPd
| through 2.1 allows a remote attacker to leak information from the heap
| due to improper validation of an snprintf return value.
CVE-2019-12108[1]:
| A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1
| exists due to a NULL pointer dereference in GetOutboundPinholeTimeout
| in upnpsoap.c for int_port.
CVE-2019-12109[2]:
| A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1
| exists due to a NULL pointer dereference in GetOutboundPinholeTimeout
| in upnpsoap.c for rem_port.
CVE-2019-12110[3]:
| An AddPortMapping Denial Of Service vulnerability in MiniUPnP
| MiniUPnPd through 2.1 exists due to a NULL pointer dereference in
| upnpredirect.c.
CVE-2019-12111[4]:
| A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1
| exists due to a NULL pointer dereference in copyIPv6IfDifferent in
| pcpserver.c.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-12107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12107
[1] https://security-tracker.debian.org/tracker/CVE-2019-12108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12108
[2] https://security-tracker.debian.org/tracker/CVE-2019-12109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12109
[3] https://security-tracker.debian.org/tracker/CVE-2019-12110
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12110
[4] https://security-tracker.debian.org/tracker/CVE-2019-12111
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12111
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions miniupnpd/1.8.20140523-4.1+deb9u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Thu, 06 Jun 2019 07:42:05 GMT) (full text, mbox, link).
Marked as found in versions miniupnpd/1.8.20140523-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Thu, 06 Jun 2019 07:42:06 GMT) (full text, mbox, link).
Reply sent
to Thomas Goirand <zigo@debian.org>:
You have taken responsibility.
(Fri, 07 Jun 2019 00:12:05 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 07 Jun 2019 00:12:05 GMT) (full text, mbox, link).
Message #14 received at 930050-close@bugs.debian.org (full text, mbox, reply):
Source: miniupnpd
Source-Version: 2.1-6
We believe that the bug you reported is fixed in the latest version of
miniupnpd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 930050@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated miniupnpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 07 Jun 2019 00:37:36 +0200
Source: miniupnpd
Binary: miniupnpd miniupnpd-dbgsym
Architecture: source amd64
Version: 2.1-6
Distribution: unstable
Urgency: medium
Maintainer: Thomas Goirand <zigo@debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
miniupnpd - UPnP and NAT-PMP daemon for gateway routers
Closes: 930050
Changes:
miniupnpd (2.1-6) unstable; urgency=medium
.
* Add upstream patches for CVE-2019-12107 CVE-2019-12108 CVE-2019-12109
CVE-2019-12110 CVE-2019-12111 (Closes: #930050).
Checksums-Sha1:
e48f5b18dbe4c519a4e0092aec638fe27b619ce6 1964 miniupnpd_2.1-6.dsc
c8b4d3eee0a4e8c8138d69d40dbb7afb97a84fd2 25276 miniupnpd_2.1-6.debian.tar.xz
03ba4265be398a87fb434f2f2f083055b9112c71 205392 miniupnpd-dbgsym_2.1-6_amd64.deb
476cb485ce58d53e1cf1124d4d32eb789069638a 5784 miniupnpd_2.1-6_amd64.buildinfo
f2e1984634d37e18efa9cb08b920a5ee72674113 102976 miniupnpd_2.1-6_amd64.deb
Checksums-Sha256:
7f3671386fc45206b200580301e943a6525d3035e35463d96d57a7f198ca61c0 1964 miniupnpd_2.1-6.dsc
b5ee4ce6d719c866077ab771ed2180f96880fc16f432206f9f508890379fce7d 25276 miniupnpd_2.1-6.debian.tar.xz
f43d8c242915f1416c815c58f92038d35d326cba362a58a21813e05076fe249a 205392 miniupnpd-dbgsym_2.1-6_amd64.deb
638cae0eb6d5f2d278dcbcfe6e8a60988516fe5329e112b521b0309596325866 5784 miniupnpd_2.1-6_amd64.buildinfo
415512cb9db117ea4863299bf96627291d949c1d420b88bc5bb53e20a76a3091 102976 miniupnpd_2.1-6_amd64.deb
Files:
ee4f8e0bbf3edae25cec2f5999712d71 1964 net optional miniupnpd_2.1-6.dsc
8d3918acd49d860b908d970c1e48a42b 25276 net optional miniupnpd_2.1-6.debian.tar.xz
82704a32c1801345c06b8e10df8074ea 205392 debug optional miniupnpd-dbgsym_2.1-6_amd64.deb
b55cba3aa8f9707cb58996f522e9d40e 5784 net optional miniupnpd_2.1-6_amd64.buildinfo
e5c6581444b78d4e2dfc217ad5624619 102976 net optional miniupnpd_2.1-6_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEtKCq/KhshgVdBnYUq1PlA1hod6YFAlz5lkIACgkQq1PlA1ho
d6bzVw//dnQSuwUEjnKNzk45we3VaGL8Fq/mARCK4DL3pPmEjr4mqqbdpAi43zf8
ghceJSyD5vuALXJjK4ZHOG2UMFJnlm4sbSytAL/6DDyj+bYC5jMXOE4hflNea+/9
JCWTKv8G7sJvrGL2i5kfmHJmmSOI3uu4a3/8PRoYIDt6GjSHdte7Qc6eKPGQbyve
Q0scO6ZT8QHKwO0naxQC6nGCKeaUs4gEzdlG0KymPN2DfL+GkcEUo6WYY9SJqF2j
haIOf/miiLTwVs0AskODo45y/wvD2xtd93fKgzu+g5VMh4fejAocNfZZGlB89EvL
hBPq/UIZ6gtkfnuimSvC/W83TDaNxpEZncGtlVwEHtOWVFQmFe01MYtQFSFbEi9Q
j9XfT0NZw/GD3e3zymU3c/4Cxhjq/A3ue/BO0GKa1DlLm3fY2RVpbuMXwR/sbgYc
4P+PJPyHMAx5R4FfuvWcQCpoOCe6wbPwAtXiIUfycXv0yk2MTNaP4r2QxclosAnk
RsFsBHNDjCAJdWN0/DC4vR2ou/VqFUwHDFVr9aOImWh4F27IRF57Y1TV5rhzOSxV
hRPNyBnZ5v3VH4SmDFSfU6NFLh5xJszd8XJERXW1uiWt+N6DlzR974rOQwtO8WKD
t2Afo7vcsHwPWYCDRU0Uq1OudBBn9Ht0bujnD3Pibe/Kj3gbuYE=
=BdNK
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#930050; Package src:miniupnpd.
(Fri, 07 Jun 2019 07:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list.
(Fri, 07 Jun 2019 07:33:03 GMT) (full text, mbox, link).
Message #19 received at 930050@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On 6/6/19 9:38 AM, Salvatore Bonaccorso wrote:
> Source: miniupnpd
> Version: 2.1-5
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 1.8.20140523-4.1+deb9u1
> Control: found -1 1.8.20140523-1
>
> Hi,
>
> The following vulnerabilities were published for miniupnpd.
>
> CVE-2019-12107[0]:
> | The upnp_event_prepare function in upnpevents.c in MiniUPnP MiniUPnPd
> | through 2.1 allows a remote attacker to leak information from the heap
> | due to improper validation of an snprintf return value.
>
>
> CVE-2019-12108[1]:
> | A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1
> | exists due to a NULL pointer dereference in GetOutboundPinholeTimeout
> | in upnpsoap.c for int_port.
>
>
> CVE-2019-12109[2]:
> | A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1
> | exists due to a NULL pointer dereference in GetOutboundPinholeTimeout
> | in upnpsoap.c for rem_port.
>
>
> CVE-2019-12110[3]:
> | An AddPortMapping Denial Of Service vulnerability in MiniUPnP
> | MiniUPnPd through 2.1 exists due to a NULL pointer dereference in
> | upnpredirect.c.
>
>
> CVE-2019-12111[4]:
> | A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1
> | exists due to a NULL pointer dereference in copyIPv6IfDifferent in
> | pcpserver.c.
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-12107
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12107
> [1] https://security-tracker.debian.org/tracker/CVE-2019-12108
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12108
> [2] https://security-tracker.debian.org/tracker/CVE-2019-12109
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12109
> [3] https://security-tracker.debian.org/tracker/CVE-2019-12110
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12110
> [4] https://security-tracker.debian.org/tracker/CVE-2019-12111
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12111
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
Hi Salvatore and the rest of the security team,
I have prepared the Stretch update for the new Stretch update:
miniupnpd/1.8.20140523-4.1+deb9u2
The debdiff is attached to this mail. The resulting package is available
here on this site:
http://sid.gplhost.com/stretch-proposed-updates/miniupnpd/
Please allow me to upload this Stretch update to security-master.
As the Jessie version is the same as the Stretch one, I guess the LTS
team can just pick-up what's in the git and rebuild. I'd prefer if
someone form the LTS team does it, as I'm not familiar with the procedures.
Cheers,
Thomas Goirand (zigo)
[miniupnpd_1.8.20140523-4.1+deb9u2.debdiff (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#930050; Package src:miniupnpd.
(Mon, 10 Jun 2019 19:09:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>.
(Mon, 10 Jun 2019 19:09:02 GMT) (full text, mbox, link).
Message #24 received at 930050@bugs.debian.org (full text, mbox, reply):
hi Thomas,
On Fri, Jun 07, 2019 at 09:31:41AM +0200, Thomas Goirand wrote:
> Hi Salvatore and the rest of the security team,
>
> I have prepared the Stretch update for the new Stretch update:
> miniupnpd/1.8.20140523-4.1+deb9u2
>
> The debdiff is attached to this mail. The resulting package is available
> here on this site:
>
> http://sid.gplhost.com/stretch-proposed-updates/miniupnpd/
>
> Please allow me to upload this Stretch update to security-master.
Thanks a lot for your time invested in preparing the package. On it's
own it was important to get the fixes into buster from the start, but
they do not warrant a DSA for stretch. Can you fix those please via an
upcoming point release?
Thanks a lot for your work!
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:01:53 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon