Your message dated Mon, 24 Oct 2016 23:01:32 +0000 with message-id <e1byofi-00054e...@franck.debian.org> and subject line Bug#816759: fixed in minissdpd 1.2.20130907-3.2 has caused the Debian Bug report #816759, regarding minissdpd: CVE-2016-3178 CVE-2016-3179 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 816759: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816759 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: minissdpd Version: 1.2.20130907-3 Justification: renders package unusable Severity: grave Tags: security patch Dear Maintainer, The following bug report provides the technical description and bug fixes and has been extracted from the detailed security advisory at http://speirofr.appspot.com/files/advisory/SPADV-2016-02.md Best, Vulnerability details ===================== The minissdpd daemon (version: 1.2.20130907-3) contains a improper validation of array index vulnerability (CWE-129) when processing requests sent to the Unix socket at /var/run/minissdpd.sock the Unix socket can be accessed by an unprivileged user to send invalid request causes an out-of-bounds memory access that crashes the minissdpd daemon. Technical Details ================= The vulnerability can be triggered by a local unprivileged user performs the following request: $ echo -en '\x04\x01\x60\x8f\xff\xff\xff\x7f\x0a' | nc.openbsd -U /var/run/minissdpd.sock The request is processed by the processRequest() function at minissdpd.c which identifies the request of type=4, and performs the parsing of the "new service" request, the decoding of the length of the usn field performed at line 663, sets l = 0xffffffff, with p = buf+4, and n = 9, the negative length l=-1 passes the check at line 664 with (buf+4-1) < (buf + 9), continuing with the allocation of the usn field at line 673, that initialises newserv->usn = malloc(0), where in the case of Linux malloc(3) the allocator returns a pointer that can be later passed to free(). The line 668 attempts to copy 0xffffffff bytes from the message pointer p to newserv->usn, that causes the daemon to perform an out-of-bound memory access writing outside the allocated buffer. ~~~ 663 DECODELENGTH_CHECKLIMIT(l, p, buf + n); 664 if(p+l > buf+n) { 665 syslog(LOG_WARNING, "bad request (length encoding)"); 666 goto error; 667 } ... 673 newserv->usn = malloc(l + 1); 674 if(!newserv->usn) { 675 syslog(LOG_ERR, "cannot allocate memory"); 676 goto error; 677 } 668 memcpy(newserv->usn, p, l); ~~~ The problem is the incorrect validation on the length returned by the DECODELENGTH_CHECKLIMIT macro at line 664, that does not consider negative length values. The fix of the length has already been applied to the upstream minissdpd repository see [2], the bug happens at multiple locations after the DECODELENGTH_CHECKLIMIT macro that also need to be fixed: ~~~ DECODELENGTH_CHECKLIMIT(l, p, buf + n); - if(p+l > buf+n) { + if(l > (unsigned)(buf+n-p)) { syslog(LOG_ERR, "cannot allocate memory"); goto error; } ~~~ After performing the corrections of the length check the minissdpd daemon properly detects the invalid negative values and performs error handling. However, the error handling code at line 753 attempts to free the undefined memory contents that newserv = malloc() allocated at line 642. ~~~ 753 if(newserv) { 754 free(newserv->st); 755 free(newserv->usn); 756 free(newserv->server); 757 free(newserv->location); 758 free(newserv); 759 newserv = NULL; 760 } ~~~ The issue is corrected by applying initialising the contents of the newserv to zero [3]. That causes free() to correctly operate when freeing the uninitialised struct fields. ~~~ 642 newserv = malloc(sizeof(struct service)); 643 if(!newserv) { 644 syslog(LOG_ERR, "cannot allocate memory"); 645 goto error; 646 } + memset(newserv, 0, sizeof(struct service)); ~~~ Solution ======== Apply the proposed fixes, contained in the patch below. ~~~ >From 2f6746a0c00872b977cc81452d77463aa39609e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speir...@gmail.com> Date: Fri, 4 Mar 2016 12:38:18 +0100 Subject: [PATCH] Fix minissdpd.c handling of request with negative length --- minissdpd.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/minissdpd.c b/minissdpd.c index 520a6c5..1cd079e 100644 --- a/minissdpd.c +++ b/minissdpd.c @@ -555,7 +555,7 @@ void processRequest(struct reqelem * req) type = buf[0]; p = buf + 1; DECODELENGTH_CHECKLIMIT(l, p, buf + n); - if(p+l > buf+n) { + if(l > (unsigned)(buf+n-p)) { syslog(LOG_WARNING, "bad request (length encoding)"); goto error; } @@ -644,6 +644,7 @@ void processRequest(struct reqelem * req) syslog(LOG_ERR, "cannot allocate memory"); goto error; } + memset(newserv, 0, sizeof(struct service)); if(containsForbiddenChars(p, l)) { syslog(LOG_ERR, "bad request (st contains forbidden chars)"); goto error; @@ -661,7 +662,7 @@ void processRequest(struct reqelem * req) goto error; } DECODELENGTH_CHECKLIMIT(l, p, buf + n); - if(p+l > buf+n) { + if(l > (unsigned)(buf+n-p)) { syslog(LOG_WARNING, "bad request (length encoding)"); goto error; } @@ -679,7 +680,7 @@ void processRequest(struct reqelem * req) newserv->usn[l] = '\0'; p += l; DECODELENGTH_CHECKLIMIT(l, p, buf + n); - if(p+l > buf+n) { + if(l > (unsigned)(buf+n-p)) { syslog(LOG_WARNING, "bad request (length encoding)"); goto error; } @@ -697,7 +698,7 @@ void processRequest(struct reqelem * req) newserv->server[l] = '\0'; p += l; DECODELENGTH_CHECKLIMIT(l, p, buf + n); - if(p+l > buf+n) { + if(l > (unsigned)(buf+n-p)) { syslog(LOG_WARNING, "bad request (length encoding)"); goto error; } -- 2.1.4 ~~~ Affected versions ================= Debian: https://packages.debian.org/jessie/minissdpd minissdpd version 1.2.20130907-3 Ubuntu: https://launchpad.net/ubuntu/+source/minissdpd minissdpd version 1.2.20130907-3 History ======= 2016/03/04 - Vendor notified Credits ======= Vulnerability found and advisory written by Salva Peiró. References ========== [1] https://speirofr.appspot.com/files/advisory/SPADV-2016-02.md [2] https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47 [3] https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a -- System Information: Debian Release: 8.2 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages minissdpd depends on: ii libc6 2.19-18+deb8u1 minissdpd recommends no packages. minissdpd suggests no packages. -- no debconf information
--- End Message ---
--- Begin Message ---Source: minissdpd Source-Version: 1.2.20130907-3.2 We believe that the bug you reported is fixed in the latest version of minissdpd, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 816...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. James Cowgill <jcowg...@debian.org> (supplier of updated minissdpd package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 24 Oct 2016 08:54:59 +0100 Source: minissdpd Binary: minissdpd Architecture: source Version: 1.2.20130907-3.2 Distribution: unstable Urgency: high Maintainer: Thomas Goirand <z...@debian.org> Changed-By: James Cowgill <jcowg...@debian.org> Description: minissdpd - keep memory of all UPnP devices that announced themselves Closes: 816759 Changes: minissdpd (1.2.20130907-3.2) unstable; urgency=high . * Non-maintainer upload. * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759) The minissdpd daemon contains a improper validation of array index vulnerability (CWE-129) when processing requests sent to the Unix socket at /var/run/minissdpd.sock the Unix socket can be accessed by an unprivileged user to send invalid request causes an out-of-bounds memory access that crashes the minissdpd daemon. Checksums-Sha1: 9faacd5cfd6b605f095608acdf190ae5aaff15cd 1901 minissdpd_1.2.20130907-3.2.dsc 238e91135a0b6902087220567550aaf5ee1b3538 6612 minissdpd_1.2.20130907-3.2.debian.tar.xz Checksums-Sha256: 38985689119f7463b9f0715efc14e2a04752be7c34ecf0af0974f7b172cbc619 1901 minissdpd_1.2.20130907-3.2.dsc 95a6d6c9265d0b67acd5dc97d4512195a846ec93da58de2ad66f0bb429bf3ab9 6612 minissdpd_1.2.20130907-3.2.debian.tar.xz Files: fdba319ce4396886e263c5523a24c239 1901 net optional minissdpd_1.2.20130907-3.2.dsc 4b3a6c7ee7ce6b9f740de05014cdc642 6612 net optional minissdpd_1.2.20130907-3.2.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYDn7lAAoJEMfxZ23qLQHvX/wQAKpXbyzD2ywgl5ZeAarEwJYx y2WHvChFhdAypNqQ11o4FS3WsIyxAYTg0fVKoAcQ44JEbBDSpAPitUIWf7u9nyow X6KhKF4/msdD/RiwpLePAxmOFL+spsy7nBdFwbXUe2fjCv56hsZcK+dD+pbUtzmj vXeAtYc3JZ711li6HRno2lZcA/fZkOg9jDIJ60ncz87LlR0TeQpOwmKhbsHa0egf 21uHZoBZvTxIFGe3CVIC74r3eKW1vbAznF7uvQyy3QjXK1HM/yqverE+F35HYywi ii4rSE2FbTTSJYkFoZI1N3u1x4fVFB3Qpkp8Ti//YoARUZsCOBORHdyiW7VFIyRV AIrGVUTU3bCGm66bYMYXa/4lsBNmkv7zp05S8kpRgDs/BkoXmehNUwuueDhFCNR7 LVHAIcF8mai3N3sg/2i7vVBDsl+GczvA+sCR2f3YkF53gcFQDC0mLsxO86K74DmV qeZ/LXJFIWhHqFab+5vvYRE9kwdMtQmMUfxEn5SKX4uvjFnDGtBODgeM5gFL89pm p2n7JfpAgRFgb3JoZqhBXCn4DC+/aOF1tW27whzqPdjjX836BMcL01IqTNRTgfzU yaKSMPHy9zPzzh2JN6hhXwURouk5HRLNlMujTwu0Dww3P79NcPH4pgwo5HADT4/c Bi3tCA9555QTKtm092Js =pda3 -----END PGP SIGNATURE-----
--- End Message ---
