Subject: minissdpd: multiple flaws
Package: minissdpd
Version: 1.0-2
Justification: root security hole
Severity: critical
Tags: upstream security

As originally reported at https://bugs.launchpad.net/bugs/813313 and
http://www.openwall.com/lists/oss-security/2011/07/28/12

In Ubuntu, we lowered miniupnpc and libnatpmp's recommends on minissdpd to
suggests.

=====

Denial of Service:
- off-by-one in packet parsing can trigger crashes on unlucky alignment
  (minissdpd.c line ~290)
- walk off end of memory without length check in "cache-control" packet
  (minissdpd.c line ~314)
- some unchecked malloc uses could lead to crash
- does not clean up /var/run files on crash

Corruption, possible manipulation of responses:
- linefeed injection in service requests
- unchecked write lengths (could get interrupted, lead to corruption)

Memory corruption, with execution control likely:
- multiple buffer overflows in processRequest
- unchecked decoded lengths
- unchecked buffer creation length
- integer overflows in decoded lengths
- write null byte arbitrarily in heap
- could read stack memory out on requests (including canary if OS used
  stack protector canary that wasn't null-started), e.g.:
  - add bogus service with giant coded-length "location" entry
  - read back with type==1 and matching "st"

General Safety:
- does not drop privileges

-- System Information:
Debian Release: wheezy/sid
  APT prefers oneiric
  APT policy: (500, 'oneiric')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-7-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages minissdpd depends on:
ii  libc6  2.13-9ubuntu3  Embedded GNU C Library: Shared lib

minissdpd recommends no packages.

minissdpd suggests no packages.

-- no debconf information
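The "unchecked decoded lengths" and "integer overflows in decoded lengths" items above describe one bug class: a length prefix is decoded from attacker-controlled bytes and then trusted. The following is an added illustration of that class, written for this page; it is not minissdpd's code and does not reproduce any exploit. It assumes a 7-bit continuation length coding (each byte carries 7 bits, high bit set means more bytes follow), which is modelled on the coded-length scheme minissdpd's request format uses but is an assumption here, and it parses a constructed request body made of length-prefixed fields. The unchecked decoder shows the pattern the report criticises; the checked one refuses a prefix that runs off the buffer, overflows the accumulator, or claims more payload than remains.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unchecked 7-bit continuation decode, the pattern the report criticises:
 * no end-of-buffer check while consuming continuation bytes, and no check
 * that the accumulator can take another 7 bits. It is only ever called on
 * terminated input below so that it does not itself read out of bounds. */
static unsigned int decode_len_unchecked(const unsigned char **pp)
{
    const unsigned char *p = *pp;
    unsigned int n = 0;
    do {
        n = (n << 7) | (*p & 0x7f);
    } while (*(p++) & 0x80);
    *pp = p;
    return n;
}

/* Checked decode. Returns 0 and stores the length in *out (advancing *pp)
 * on success; returns -1 if the prefix runs past 'end', if shifting would
 * overflow size_t, or if the decoded length exceeds the bytes remaining. */
static int decode_len_checked(const unsigned char **pp,
                              const unsigned char *end, size_t *out)
{
    const unsigned char *p = *pp;
    size_t n = 0;
    unsigned char c;
    do {
        if (p >= end)
            return -1;               /* prefix truncated */
        if (n > (SIZE_MAX >> 7))
            return -1;               /* next shift would overflow */
        c = *p++;
        n = (n << 7) | (c & 0x7f);
    } while (c & 0x80);
    if (n > (size_t)(end - p))
        return -1;                   /* claims more payload than present */
    *out = n;
    *pp = p;
    return 0;
}

struct field {
    const unsigned char *data;
    size_t len;
};

/* Parse a body of length-prefixed fields (assumed format, constructed for
 * this example). Returns the field count, or -1 on any malformed prefix. */
static int parse_fields(const unsigned char *buf, size_t buflen,
                        struct field *out, int max_fields)
{
    const unsigned char *p = buf, *end = buf + buflen;
    int count = 0;
    while (p < end) {
        size_t n;
        if (count >= max_fields)
            return -1;
        if (decode_len_checked(&p, end, &n) != 0)
            return -1;
        out[count].data = p;
        out[count].len = n;
        p += n;                      /* safe: n <= end - p was verified */
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: a well-formed body, and a 5-byte prefix that
     * encodes a 35-bit length with no payload behind it. */
    const unsigned char good[] = {0x02, 's', 't',
                                  0x08, 'l', 'o', 'c', 'a', 't', 'i', 'o', 'n'};
    const unsigned char giant[] = {0xff, 0xff, 0xff, 0xff, 0x7f};
    struct field f[4];
    const unsigned char *q = giant;

    printf("good: %d fields\n", parse_fields(good, sizeof good, f, 4));
    printf("unchecked decode of giant prefix: %u\n", decode_len_unchecked(&q));
    printf("checked parse of giant prefix: %d\n",
           parse_fields(giant, sizeof giant, f, 4));
    return 0;
}
```

The checked decoder rejects the 5-byte prefix long before any copy happens, while the unchecked one silently wraps the accumulator to UINT_MAX and hands that value to whatever allocates or copies next, which is the shape of the buffer-creation and copy-length bugs listed above.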