Debian Bug report logs - #699459
libupnp4: Multiple stack buffer overflow vulnerabilities

Package: libupnp4; Maintainer for libupnp4 is Nick Leverton <nick@leverton.org>; Source for libupnp4 is src:libupnp4.

Reported by: Scott Howard <showard@debian.org>

Date: Thu, 31 Jan 2013 16:03:02 UTC

Severity: grave

Tags: security

Found in version libupnp4/1.8.0~svn20100507-1

Fixed in versions libupnp4/1.8.0~svn20100507-1.2, libupnp4/1.8.0~svn20100507-1+squeeze1

Done: Yves-Alexis Perez <corsac@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#699459; Package libupnp4. (Thu, 31 Jan 2013 16:03:04 GMT)

Acknowledgement sent to Scott Howard <showard@debian.org>:
New Bug report received and forwarded. Copy sent to Nick Leverton <nick@leverton.org>. (Thu, 31 Jan 2013 16:03:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Scott Howard <showard@debian.org>
To: submit@bugs.debian.org
Subject: libupnp4: Multiple stack buffer overflow vulnerabilities
Date: Thu, 31 Jan 2013 11:02:06 -0500
Package: libupnp4
Severity: grave
Tags: security


More information is available at bug #699316 (including a patch).
According to bug #699351, these security problems are also found in
libupnp4.

Here's the original posting by Salvatore Bonaccorso <carnil@debian.org>


Hi,

the following vulnerabilities were published for libupnp.

CVE-2012-5958[0]: Stack buffer overflow of Tempbuf
CVE-2012-5959[1]: Stack buffer overflow of Event->UDN
CVE-2012-5960[2]: Stack buffer overflow of Event->UDN
CVE-2012-5961[3]: Stack buffer overflow of Evt->UDN
CVE-2012-5962[4]: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963[5]: Stack buffer overflow of Event->UDN
CVE-2012-5964[6]: Stack buffer overflow of Event->DeviceType
CVE-2012-5965[7]: Stack buffer overflow of Event->DeviceType

Upstream changelog for 1.6.18 states:

*******************************************************************************
Version 1.6.18
*******************************************************************************

2012-12-06 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>

	Security fix for CERT issue VU#922681

	This patch addresses three possible buffer overflows in function
	unique_service_name(). The three issues have the following CVE numbers:

	CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
	CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
	CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

	Notice that the following issues have already been dealt with by previous
	work:

	CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
	CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
	CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
	CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
	CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958
    http://security-tracker.debian.org/tracker/CVE-2012-5958
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959
    http://security-tracker.debian.org/tracker/CVE-2012-5959
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960
    http://security-tracker.debian.org/tracker/CVE-2012-5960
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961
    http://security-tracker.debian.org/tracker/CVE-2012-5961
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962
    http://security-tracker.debian.org/tracker/CVE-2012-5962
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963
    http://security-tracker.debian.org/tracker/CVE-2012-5963
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964
    http://security-tracker.debian.org/tracker/CVE-2012-5964
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965
    http://security-tracker.debian.org/tracker/CVE-2012-5965

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#699459; Package libupnp4. (Fri, 01 Feb 2013 16:54:06 GMT)

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Fri, 01 Feb 2013 16:54:06 GMT)

Message #10 received at 699459@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 699459@bugs.debian.org
Cc: rt@rt.debian.org, team@security.debian.org, nick@leverton.org, carnil@debian.org
Subject: [rt.debian.org #4133] Patch for libupnp4
Date: Fri, 01 Feb 2013 17:51:00 +0100
And here's the intended debdiff against libupnp4. It's exactly the same
patch.

Regards,
-- 
Yves-Alexis
[libupnp4_1.8.0~svn20100507-1+squeeze1.debdiff (text/x-patch, attachment)]

Marked as found in versions libupnp4/1.8.0~svn20100507-1. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2013 21:57:06 GMT)

Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Fri, 01 Feb 2013 22:21:03 GMT)

Notification sent to Scott Howard <showard@debian.org>:
Bug acknowledged by developer. (Fri, 01 Feb 2013 22:21:03 GMT)

Message #17 received at 699459-close@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 699459-close@bugs.debian.org
Subject: Bug#699459: fixed in libupnp4 1.8.0~svn20100507-1.2
Date: Fri, 01 Feb 2013 22:17:45 +0000
Source: libupnp4
Source-Version: 1.8.0~svn20100507-1.2

We believe that the bug you reported is fixed in the latest version of
libupnp4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699459@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated libupnp4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 01 Feb 2013 22:53:13 +0100
Source: libupnp4
Binary: libupnp4 libupnp4-dev libupnp4-dbg libupnp4-doc
Architecture: source amd64 all
Version: 1.8.0~svn20100507-1.2
Distribution: unstable
Urgency: high
Maintainer: Nick Leverton <nick@leverton.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description: 
 libupnp4   - Portable SDK for UPnP Devices, version 1.8 (shared libraries)
 libupnp4-dbg - debugging symbols for libupnp4
 libupnp4-dev - Portable SDK for UPnP Devices, version 1.8 (development files)
 libupnp4-doc - Documentation for the Portable SDK for UPnP Devices, version 1.8
Closes: 699459
Changes: 
 libupnp4 (1.8.0~svn20100507-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
     various stack-based buffer overflows in service_unique_name() function.
     This fixes CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
     CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699459
   * debian/rules:
     - enable hardening flags.
   * debian/control:
     - add build-dep on dpkg-dev (>= 1.16.1~)




Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Sun, 03 Feb 2013 23:06:06 GMT)

Notification sent to Scott Howard <showard@debian.org>:
Bug acknowledged by developer. (Sun, 03 Feb 2013 23:06:06 GMT)

Message #22 received at 699459-close@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 699459-close@bugs.debian.org
Subject: Bug#699459: fixed in libupnp4 1.8.0~svn20100507-1+squeeze1
Date: Sun, 03 Feb 2013 23:02:05 +0000
Source: libupnp4
Source-Version: 1.8.0~svn20100507-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libupnp4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699459@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated libupnp4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 01 Feb 2013 21:55:51 +0100
Source: libupnp4
Binary: libupnp4 libupnp4-dev libupnp4-dbg libupnp4-doc
Architecture: source amd64 all
Version: 1.8.0~svn20100507-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Nick Leverton <nick@leverton.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description: 
 libupnp4   - Portable SDK for UPnP Devices, version 1.8 (shared libraries)
 libupnp4-dbg - debugging symbols for libupnp4
 libupnp4-dev - Portable SDK for UPnP Devices, version 1.8 (development files)
 libupnp4-doc - Documentation for the Portable SDK for UPnP Devices, version 1.8
Closes: 699459
Changes: 
 libupnp4 (1.8.0~svn20100507-1+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
     various stack-based buffer overflows in service_unique_name() function.
     This fixes CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
     CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699459




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 08:13:46 2014; Machine Name: buxtehude.debian.org