libupnp: Multiple stack buffer overflow vulnerabilities

Debian Bug report logs - #699316
libupnp: Multiple stack buffer overflow vulnerabilities

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libupnp: Multiple stack buffer overflow vulnerabilities

Date: Wed, 30 Jan 2013 08:11:44 +0100

Package: libupnp
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for libupnp.

CVE-2012-5958[0]: Stack buffer overflow of Tempbuf
CVE-2012-5959[1]: Stack buffer overflow of Event->UDN
CVE-2012-5960[2]: Stack buffer overflow of Event->UDN
CVE-2012-5961[3]: Stack buffer overflow of Evt->UDN
CVE-2012-5962[4]: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963[5]: Stack buffer overflow of Event->UDN
CVE-2012-5964[6]: Stack buffer overflow of Event->DeviceType
CVE-2012-5965[7]: Stack buffer overflow of Event->DeviceType

Upstream changelog for 1.6.18 states:

*******************************************************************************
Version 1.6.18
*******************************************************************************

2012-12-06 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>

	Security fix for CERT issue VU#922681

	This patch addresses three possible buffer overflows in function
	unique_service_name(). The three issues have the folowing CVE numbers:

	CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
	CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
	CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

	Notice that the following issues have already been dealt by previous
	work:

	CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
	CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
	CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
	CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
	CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958
    http://security-tracker.debian.org/tracker/CVE-2012-5958
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959
    http://security-tracker.debian.org/tracker/CVE-2012-5959
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960
    http://security-tracker.debian.org/tracker/CVE-2012-5960
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961
    http://security-tracker.debian.org/tracker/CVE-2012-5961
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962
    http://security-tracker.debian.org/tracker/CVE-2012-5962
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963
    http://security-tracker.debian.org/tracker/CVE-2012-5963
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964
    http://security-tracker.debian.org/tracker/CVE-2012-5964
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965
    http://security-tracker.debian.org/tracker/CVE-2012-5965

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 699316@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 699316@bugs.debian.org

Subject: Re: Bug#699316: libupnp: Multiple stack buffer overflow vulnerabilities

Date: Wed, 30 Jan 2013 08:28:05 +0100

Hi

And a small followup:

On Wed, Jan 30, 2013 at 08:11:44AM +0100, Salvatore Bonaccorso wrote:
> 	CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
> 	CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
> 	CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

Should really be affecting the current version.

> 	Notice that the following issues have already been dealt by previous
> 	work:
> 
> 	CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
> 	CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
> 	CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
> 	CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
> 	CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType

Needs checking in which libupnp Version these awhere fixed.

Regards,
Salvatore

Message #17 received at 699316@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 699316@bugs.debian.org

Subject: Patch for 1.6.x branch in RedHat Bugzilla

Date: Thu, 31 Jan 2013 00:11:48 +0100

[Message part 1 (text/plain, inline)]

Control: tags -1 + patch

Hi

Attached is the debdiff created with the patch found in the RedHat
Bugtracker[1].

 [1]: https://bugzilla.redhat.com/show_bug.cgi?id=883790

But I have not tested the resulting package.

Regards,
Salvatore

[libupnp_1.6.17-1.2.debdiff (text/plain, attachment)]

Message #22 received at 699316-submitter@bugs.debian.org (full text, mbox, reply):

From: Scott Howard <showard314@gmail.com>

To: control@bugs.debian.org, 699316-submitter@bugs.debian.org

Subject: libupnp4: Multiple stack buffer overflow vulnerabilities

Date: Thu, 31 Jan 2013 09:04:39 -0500

clone 699316 -1
reassign -1 libupnp4
retitle -1 libupnp4: Multiple stack buffer overflow vulnerabilities
thanks

From [1], libupnp4 has the same vulnerabilities as described in Bug
#688316. Cloning so it's on someone's radar.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699351

Message #27 received at 699316@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: team@security.debian.org, nick@leverton.org, rt@rt.debian.org, 699316@bugs.debian.org

Subject: Re: [rt.debian.org #4133] Re: libupnp security update?

Date: Fri, 01 Feb 2013 14:42:32 +0100

[Message part 1 (text/plain, inline)]

On jeu., 2013-01-31 at 22:25 +0100, Salvatore Bonaccorso wrote:
> > Nick, sorry for not putting you in the loop sooner. Can you prepare
> an
> > update for stable or do you want us to handle it?
> 
> Okay thanks for the followup, and for adding Nick to the loop.
> 
> In case there is still open work until monday evening I can try to
> start helping there then again.

Here's a debdiff against stable, more or less backporting the function
and minimizing the diff.

I don't have a working UPnP setup so if someone can test it to make sure
it doesn't break anything, it'd be nice.

Regards,
-- 
Yves-Alexis

[libupnp_1.6.6-5+squeeze1.debdiff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #32 received at 699316-close@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: 699316-close@bugs.debian.org

Subject: Bug#699316: fixed in libupnp 1:1.6.17-1.2

Date: Fri, 01 Feb 2013 21:47:34 +0000

Source: libupnp
Source-Version: 1:1.6.17-1.2

We believe that the bug you reported is fixed in the latest version of
libupnp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated libupnp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Feb 2013 21:56:12 +0100
Source: libupnp
Binary: libupnp6 libupnp6-dev libupnp-dev libupnp6-dbg libupnp6-doc
Architecture: source amd64 all
Version: 1:1.6.17-1.2
Distribution: unstable
Urgency: high
Maintainer: Nick Leverton <nick@leverton.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description: 
 libupnp-dev - Portable SDK for UPnP Devices (development files)
 libupnp6   - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
 libupnp6-dbg - debugging symbols for libupnp6
 libupnp6-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
 libupnp6-doc - Documentation for the Portable SDK for UPnP Devices, version 1.6
Closes: 699316
Changes: 
 libupnp (1:1.6.17-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
     various stack-based buffer overflows in service_unique_name() function.
     This fix CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
     CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699316
Checksums-Sha1: 
 ca9a154edcc4addfbcc73df97e7875a2ca47d422 1634 libupnp_1.6.17-1.2.dsc
 c6f946b9c04a14b5bd2efb6aa7d4cd664ed66b90 26686 libupnp_1.6.17-1.2.debian.tar.gz
 8168ae3de4ef529de93ed68286497f4ec6fe5584 181164 libupnp6_1.6.17-1.2_amd64.deb
 de73a4afae7232bf6459cc7a208c9cb0b2c330ea 262286 libupnp6-dev_1.6.17-1.2_amd64.deb
 99ca41f164f5c1e59af16ea3a44d0d52feb775c3 43042 libupnp-dev_1.6.17-1.2_all.deb
 9b7dc6a7c6fac33765f33e6d29f07d0debcfa77e 393582 libupnp6-dbg_1.6.17-1.2_amd64.deb
 c702603c8a34834aa82da144e3dcdb3179adb0b6 13694894 libupnp6-doc_1.6.17-1.2_all.deb
Checksums-Sha256: 
 599d9105883c3151fd8163c3a7349e492264dd14202682c8ce6ab7b5dcc9d32f 1634 libupnp_1.6.17-1.2.dsc
 0f35fc257226a5bc84f48a0ac389eb6d397c6a34b4c6481115cf08a5041ba0c0 26686 libupnp_1.6.17-1.2.debian.tar.gz
 db75a2d1a6e81cbef7b190c5a82cc26e327c268c3a164b80a379ed9ce7137a26 181164 libupnp6_1.6.17-1.2_amd64.deb
 62adf38507f9b9789cbbacb46b97f26b1413b7dd1503f5aee299846d3a439503 262286 libupnp6-dev_1.6.17-1.2_amd64.deb
 dcd68e41dfbcad93469314f2285d127c5954792aaa4747b766385e89529a1e42 43042 libupnp-dev_1.6.17-1.2_all.deb
 4a67947bfee7f8b4a584c667b173219a9abccf196b846ad64d60b1d6919b38d4 393582 libupnp6-dbg_1.6.17-1.2_amd64.deb
 317964711fcb5a0c98c3d629507a306de9e00abd9c041c041a5a7822225ada79 13694894 libupnp6-doc_1.6.17-1.2_all.deb
Files: 
 e1309ce825bb0dd470c9b08bada8b64a 1634 net extra libupnp_1.6.17-1.2.dsc
 1d899280eee3070f5a2ca5479760bad0 26686 net extra libupnp_1.6.17-1.2.debian.tar.gz
 e2a2c2038247fd02ba05a2513a13584e 181164 libs extra libupnp6_1.6.17-1.2_amd64.deb
 e4e3f6345350485ed4fcdff6fbe0da8f 262286 libdevel extra libupnp6-dev_1.6.17-1.2_amd64.deb
 0c4442fed70849a009452ebc488a0966 43042 libdevel extra libupnp-dev_1.6.17-1.2_all.deb
 baa27306006776a7a488252d1ef3fd75 393582 debug extra libupnp6-dbg_1.6.17-1.2_amd64.deb
 2c854d30bb220c196ad91eee99f05100 13694894 doc extra libupnp6-doc_1.6.17-1.2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCgAGBQJRDDbWAAoJEG3bU/KmdcClt+AH/22yVIics4uNdrutYrRxiB9I
jEMaBaFb2Uvw3xmuMsq1U6f1ItGnbYVTreeo1u44sFEG/1Uj5bE4PmT1EJR6EBkQ
sg3loaegz17x0MYXLm5fpedSk8E6VPlvkJzkEDHTYGKaimc9lEGzM3+ag/DMWbKf
CwWWjbtOWj4z1e3ES1GKtVNbReSHIcbdCyMKkYR086Lm2RXC1LLW9LuegkCjiRKJ
XwF0QceTRU+A/wc2dmJkKG8HB914+SvL+CWJloXf/IL0bGlcFt2GPr9prKkJy0mr
FWzXcPxnc8jFwIqkSR7I0iWM/rZjoSa/lzoxaJOi5wTuzsY/Ka2u01s4EMO7rr8=
=fETd
-----END PGP SIGNATURE-----

Message #43 received at 699316-close@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: 699316-close@bugs.debian.org

Subject: Bug#699316: fixed in libupnp 1:1.6.6-5+squeeze1

Date: Sun, 03 Feb 2013 23:02:10 +0000

Source: libupnp
Source-Version: 1:1.6.6-5+squeeze1

We believe that the bug you reported is fixed in the latest version of
libupnp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated libupnp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Feb 2013 21:55:32 +0100
Source: libupnp
Binary: libupnp3 libupnp3-dev libupnp-dev libupnp3-dbg
Architecture: source amd64
Version: 1:1.6.6-5+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Nick Leverton <nick@leverton.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description: 
 libupnp-dev - Portable SDK for UPnP Devices (development files)
 libupnp3   - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
 libupnp3-dbg - debugging symbols for libupnp3
 libupnp3-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
Closes: 699316
Changes: 
 libupnp (1:1.6.6-5+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
     various stack-based buffer overflows in service_unique_name() function.
     This fix CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
     CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699316
Checksums-Sha1: 
 6c3737bb3f8a7c10feaaa29e7fb056fd9526af41 1448 libupnp_1.6.6-5+squeeze1.dsc
 ac7094be846a34f8e1ad316ab2fe4988050fd07a 1354224 libupnp_1.6.6.orig.tar.gz
 06304f4af0834e0a8a24b188c3e045284f7ada6a 33552 libupnp_1.6.6-5+squeeze1.diff.gz
 e29c865e8bd1bac508ff07a5d5aca57591525236 140420 libupnp3_1.6.6-5+squeeze1_amd64.deb
 9e10872913b48038c6dd72a087150714530e8a43 854936 libupnp3-dev_1.6.6-5+squeeze1_amd64.deb
 ae1eebb478331bd96fc39dc6f41ef84cb017352c 18724 libupnp-dev_1.6.6-5+squeeze1_amd64.deb
 127a5e7e5ace031f41377ef761e91814a1286630 163138 libupnp3-dbg_1.6.6-5+squeeze1_amd64.deb
Checksums-Sha256: 
 889dee6d3b3977071df6b533278088cffc14b106e4f134fc03a13c8e2fa41e3d 1448 libupnp_1.6.6-5+squeeze1.dsc
 c6b26357c99658171da1aeb4b9260d0078e3e16de837e39620a26f85d16b48fc 1354224 libupnp_1.6.6.orig.tar.gz
 600bb4d7d531de923b13cd061ae1250404decc92f73eb2842ef872f2954ad18a 33552 libupnp_1.6.6-5+squeeze1.diff.gz
 10997a6480856dd908f021841bd7544d537182b166cd4c508cbdbc4b49b9a21e 140420 libupnp3_1.6.6-5+squeeze1_amd64.deb
 b23d159c51d6ecc627bcd9a19bad3ba570299045c1c77d38c8e5225ff5d9ba51 854936 libupnp3-dev_1.6.6-5+squeeze1_amd64.deb
 321d38e00cbd6ca227ae6db2bbb79b7cb260925ebac6687194ff58541f4b6b16 18724 libupnp-dev_1.6.6-5+squeeze1_amd64.deb
 eace16a5fb10cc59128d3d01ae14a76dd9c862a31b741afb264b9164b96b65fe 163138 libupnp3-dbg_1.6.6-5+squeeze1_amd64.deb
Files: 
 832e50490291c43b0f6f7d0f200ac910 1448 net extra libupnp_1.6.6-5+squeeze1.dsc
 533d09459db59552fed7f25c752bf7f9 1354224 net extra libupnp_1.6.6.orig.tar.gz
 71cd98c26960e95d7b4bcb9b03cab38a 33552 net extra libupnp_1.6.6-5+squeeze1.diff.gz
 92d1c41dc8188c553799cc03e18d0cd6 140420 libs extra libupnp3_1.6.6-5+squeeze1_amd64.deb
 84ebf5050c6423673fac193d8a840f8b 854936 libdevel extra libupnp3-dev_1.6.6-5+squeeze1_amd64.deb
 b00a2442224a9477faa013092104ab06 18724 libdevel extra libupnp-dev_1.6.6-5+squeeze1_amd64.deb
 ad59ad11b9c237a060ce8945d51f0860 163138 debug extra libupnp3-dbg_1.6.6-5+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCgAGBQJRDCzqAAoJEG3bU/KmdcCldiMH/0d1JMtqigsNNvAkX4Aa2tag
E4bOPLKNFC6Yf5pp4lz9VyLa4cOhUA/JLj5CDzObBJrDMxPOpeEWyV/uFJVRSIaq
SWKhDojyc3SWZ2GpYerG6q2HtnnDx9C01XNQqK+F1rwNxBU1mlujpR5pJ92/aF+r
2c87bK8z369XUrgb2lmbl5CO0c7wUiECEn+a2V/5SHMPX9+Rh/8B8UOFWcOPxxeW
pyH1QIGk8yPPxSrQohZQBWx/MDQq2cZEKJbj9IWvORcRJpSHG89iskiRyfo1skTo
QeYi/9AW2q0P3n9uv8Zsqt61Ke5Jwz0z0n76FVg7lhCosvwAVcM2s00+WasqBTw=
=gUEo
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.