Debian Bug report logs - #699316
libupnp: Multiple stack buffer overflow vulnerabilities
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 30 Jan 2013 07:15:01 UTC
Severity: grave
Tags: patch, security
Merged with 699342
Found in version 1:1.6.6-5
Fixed in versions libupnp/1:1.6.17-1.2, libupnp/1:1.6.6-5+squeeze1
Done: Yves-Alexis Perez <corsac@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nick Leverton <nick@leverton.org>: Bug#699316; Package libupnp. (Wed, 30 Jan 2013 07:15:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nick Leverton <nick@leverton.org>. (Wed, 30 Jan 2013 07:15:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libupnp
Severity: grave
Tags: security
Hi,
the following vulnerabilities were published for libupnp.
CVE-2012-5958[0]: Stack buffer overflow of Tempbuf
CVE-2012-5959[1]: Stack buffer overflow of Event->UDN
CVE-2012-5960[2]: Stack buffer overflow of Event->UDN
CVE-2012-5961[3]: Stack buffer overflow of Evt->UDN
CVE-2012-5962[4]: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963[5]: Stack buffer overflow of Event->UDN
CVE-2012-5964[6]: Stack buffer overflow of Event->DeviceType
CVE-2012-5965[7]: Stack buffer overflow of Event->DeviceType
Upstream changelog for 1.6.18 states:
*******************************************************************************
Version 1.6.18
*******************************************************************************
2012-12-06 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>
Security fix for CERT issue VU#922681
This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the following CVE numbers:
CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
Notice that the following issues have already been dealt by previous
work:
CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958
http://security-tracker.debian.org/tracker/CVE-2012-5958
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959
http://security-tracker.debian.org/tracker/CVE-2012-5959
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960
http://security-tracker.debian.org/tracker/CVE-2012-5960
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961
http://security-tracker.debian.org/tracker/CVE-2012-5961
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962
http://security-tracker.debian.org/tracker/CVE-2012-5962
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963
http://security-tracker.debian.org/tracker/CVE-2012-5963
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964
http://security-tracker.debian.org/tracker/CVE-2012-5964
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965
http://security-tracker.debian.org/tracker/CVE-2012-5965
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>: Bug#699316; Package libupnp. (Wed, 30 Jan 2013 07:30:08 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Wed, 30 Jan 2013 07:30:08 GMT)
Message #10 received at 699316@bugs.debian.org:
Hi
And a small followup:
On Wed, Jan 30, 2013 at 08:11:44AM +0100, Salvatore Bonaccorso wrote:
> CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
> CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
> CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
Should really be affecting the current version.
> Notice that the following issues have already been dealt by previous
> work:
>
> CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
> CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
> CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
> CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
> CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
Needs checking in which libupnp version these were fixed.
Regards,
Salvatore
Merged 699316 699342. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 30 Jan 2013 14:39:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>: Bug#699316; Package libupnp. (Wed, 30 Jan 2013 23:15:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Wed, 30 Jan 2013 23:15:03 GMT)
Message #17 received at 699316@bugs.debian.org:
Control: tags -1 + patch
Hi
Attached is the debdiff created with the patch found in the RedHat
Bugtracker[1].
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=883790
But I have not tested the resulting package.
Regards,
Salvatore
[libupnp_1.6.17-1.2.debdiff (text/plain, attachment)]
Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 699316-submit@bugs.debian.org. (Wed, 30 Jan 2013 23:15:03 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#699316. (Thu, 31 Jan 2013 14:09:10 GMT)
Message #22 received at 699316-submitter@bugs.debian.org:
clone 699316 -1
reassign -1 libupnp4
retitle -1 libupnp4: Multiple stack buffer overflow vulnerabilities
thanks
From [1], libupnp4 has the same vulnerabilities as described in Bug
#688316. Cloning so it's on someone's radar.
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699351
Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>: Bug#699316; Package libupnp. (Fri, 01 Feb 2013 13:45:03 GMT)
Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>: Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Fri, 01 Feb 2013 13:45:03 GMT)
Message #27 received at 699316@bugs.debian.org:
On Thu., 2013-01-31 at 22:25 +0100, Salvatore Bonaccorso wrote:
> > Nick, sorry for not putting you in the loop sooner. Can you prepare an
> > update for stable or do you want us to handle it?
>
> Okay thanks for the followup, and for adding Nick to the loop.
>
> In case there is still open work until monday evening I can try to
> start helping there then again.
Here's a debdiff against stable, more or less backporting the function
and minimizing the diff.
I don't have a working UPnP setup so if someone can test it to make sure
it doesn't break anything, it'd be nice.
Regards,
--
Yves-Alexis
[libupnp_1.6.6-5+squeeze1.debdiff (text/x-patch, attachment)]
Reply sent to Yves-Alexis Perez <corsac@debian.org>: You have taken responsibility. (Fri, 01 Feb 2013 21:51:06 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 01 Feb 2013 21:51:06 GMT)
Message #32 received at 699316-close@bugs.debian.org:
Source: libupnp
Source-Version: 1:1.6.17-1.2
We believe that the bug you reported is fixed in the latest version of
libupnp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 699316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated libupnp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 01 Feb 2013 21:56:12 +0100
Source: libupnp
Binary: libupnp6 libupnp6-dev libupnp-dev libupnp6-dbg libupnp6-doc
Architecture: source amd64 all
Version: 1:1.6.17-1.2
Distribution: unstable
Urgency: high
Maintainer: Nick Leverton <nick@leverton.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description:
libupnp-dev - Portable SDK for UPnP Devices (development files)
libupnp6 - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
libupnp6-dbg - debugging symbols for libupnp6
libupnp6-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
libupnp6-doc - Documentation for the Portable SDK for UPnP Devices, version 1.6
Closes: 699316
Changes:
libupnp (1:1.6.17-1.2) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
various stack-based buffer overflows in service_unique_name() function.
This fixes CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699316
Reply sent to Yves-Alexis Perez <corsac@debian.org>: You have taken responsibility. (Fri, 01 Feb 2013 21:51:07 GMT)
Notification sent to eric2.valette@orange.com: Bug acknowledged by developer. (Fri, 01 Feb 2013 21:51:07 GMT)
Marked as found in versions 1:1.6.6-5. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2013 21:57:03 GMT)
Reply sent to Yves-Alexis Perez <corsac@debian.org>: You have taken responsibility. (Sun, 03 Feb 2013 23:06:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 03 Feb 2013 23:06:03 GMT)
Message #43 received at 699316-close@bugs.debian.org:
Source: libupnp
Source-Version: 1:1.6.6-5+squeeze1
We believe that the bug you reported is fixed in the latest version of
libupnp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 699316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated libupnp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 01 Feb 2013 21:55:32 +0100
Source: libupnp
Binary: libupnp3 libupnp3-dev libupnp-dev libupnp3-dbg
Architecture: source amd64
Version: 1:1.6.6-5+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Nick Leverton <nick@leverton.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description:
libupnp-dev - Portable SDK for UPnP Devices (development files)
libupnp3 - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
libupnp3-dbg - debugging symbols for libupnp3
libupnp3-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
Closes: 699316
Changes:
libupnp (1:1.6.6-5+squeeze1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
various stack-based buffer overflows in service_unique_name() function.
This fixes CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699316
Reply sent to Yves-Alexis Perez <corsac@debian.org>: You have taken responsibility. (Sun, 03 Feb 2013 23:06:04 GMT)
Notification sent to eric2.valette@orange.com: Bug acknowledged by developer. (Sun, 03 Feb 2013 23:06:04 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 06 Mar 2013 07:26:05 GMT)
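The two fixed versions recorded in this log belong to different branches, so a host check has to compare an installed version against the right one. The following is an added example, not part of the bug log or of Debian's tooling: a simplified Python reimplementation of dpkg's version ordering. The branch rule in `is_fixed` is an assumption of this example, and any version string not quoted in the log is a constructed sample.

```python
import re

# Fixed versions as recorded in this bug log (unstable, squeeze).
FIXED_UNSTABLE = "1:1.6.17-1.2"
FIXED_SQUEEZE = "1:1.6.6-5+squeeze1"

def split_version(v):
    """Split a Debian version into (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def _order(c):
    # dpkg ordering of non-digit characters: '~' sorts before everything
    # (even end of string), letters sort before other punctuation.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit / digit chunks, as dpkg does.
    ta = re.findall(r"(\D*)(\d*)", a)
    tb = re.findall(r"(\D*)(\d*)", b)
    n = max(len(ta), len(tb))
    ta += [("", "")] * (n - len(ta))
    tb += [("", "")] * (n - len(tb))
    for (sa, da), (sb, db) in zip(ta, tb):
        for k in range(max(len(sa), len(sb))):
            oa = _order(sa[k]) if k < len(sa) else 0
            ob = _order(sb[k]) if k < len(sb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def compare(a, b):
    """Return -1, 0 or 1 following Debian version ordering."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_fixed(installed):
    """True if `installed` carries the fix per this bug's two fixed versions."""
    if compare(installed, FIXED_UNSTABLE) >= 0:
        return True
    # Assumption: the squeeze upload only vouches for its own upstream
    # branch (1.6.6). A later upstream below 1:1.6.17-1.2 sorts higher than
    # the squeeze fix but is not patched by it.
    same_branch = split_version(installed)[1] == split_version(FIXED_SQUEEZE)[1]
    return same_branch and compare(installed, FIXED_SQUEEZE) >= 0
```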