Bug 1085618 (CVE-2014-3985)

Summary: CVE-2014-3985 miniupnpc buffer overrun - network facing DoS crash
Product: [Fedora] Fedora
Reporter: Warren Togami <wtogami>
Component: miniupnpc
Assignee: Paulo Andrade <paulo.cesar.pereira.de.andrade>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: 19
CC: domingobecker, mmcallis, paulo.cesar.pereira.de.andrade
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: miniupnpc-1.9-1.fc19
Doc Type: Bug Fix
Last Closed: 2014-05-13 05:02:38 UTC
Type: Bug

Description Warren Togami 2014-04-09 02:25:15 UTC
miniupnpc-1.8-1.fc20
miniupnpc-1.8-1.fc19

http://miniupnp.free.fr/files/changelog.php?file=miniupnpc-1.9.20140401.tar.gz
2013/10/07:
  fixed potential buffer overrun in miniwget.c
  Modified UPNP_GetValidIGD() to check for ExternalIpAddress

https://github.com/miniupnp/miniupnp/commit/3a87aa2f10bd7f1408e1849bdb59c41dd63a9fe9

Appears to be a DoS crash vector that can be triggered by something on the network.

Comment 1 Murray McAllister 2014-04-30 06:36:13 UTC
Thanks Warren. Apologies for the delay looking at this. I am not familiar with the code but it may just be a crash, with an invalid read here (on line 131):

129                         /* parse header lines */
130                         for(i = 0; i < endofheaders - 1; i++) {
131                                 if(colon <= linestart && header_buf[i]==':')

I'll request a CVE on the oss-security list.
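
Added example, not code from miniupnpc or from this bug report: a header-line scan of the kind quoted in Comment 1, written so that every index is compared against the number of bytes actually received before it is read. The names `find_header` and `ieq` and the sample response are assumptions for illustration; this does not reproduce the upstream fix.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

static int ieq(const char *a, const char *b, size_t n) /* case-insensitive */
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: find header `name` in buf[0..len). buf need not be
 * NUL-terminated and may end mid-line. Returns 1 and sets *val / *val_len,
 * or 0 if absent. Every index is checked against len before it is read. */
int find_header(const char *buf, size_t len, const char *name,
                const char **val, size_t *val_len)
{
    size_t name_len = strlen(name), line = 0;
    while (line < len) {
        size_t eol = line, colon = len;      /* colon == len: none seen */
        while (eol < len && buf[eol] != '\r' && buf[eol] != '\n') {
            if (colon == len && buf[eol] == ':')
                colon = eol;
            eol++;
        }
        if (eol == line)                     /* empty line: end of headers */
            return 0;
        if (colon != len && colon - line == name_len &&
            ieq(buf + line, name, name_len)) {
            size_t v = colon + 1;
            while (v < eol && (buf[v] == ' ' || buf[v] == '\t'))
                v++;
            *val = buf + v;
            *val_len = eol - v;
            return 1;
        }
        line = eol;                          /* step over CRLF, CR or LF */
        if (line < len && buf[line] == '\r') line++;
        if (line < len && buf[line] == '\n') line++;
    }
    return 0;
}

int main(void)
{
    /* Constructed response, cut off mid-header as a short read leaves it. */
    const char resp[] = "HTTP/1.1 200 OK\r\nContent-Length: 12";
    const char *v; size_t n;
    return find_header(resp, sizeof resp - 1, "content-length", &v, &n) ? 0 : 1;
}
```

The length passed in is the byte count returned by the receive call, so a response that ends before the blank line or in the middle of a header name is handled without reading past the data.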

Comment 2 Murray McAllister 2014-04-30 06:48:20 UTC
CVE request: http://www.openwall.com/lists/oss-security/2014/04/30/3

Comment 3 Fedora Update System 2014-05-01 15:46:56 UTC
miniupnpc-1.9-1.fc19,megaglest-3.9.1-2.fc19,0ad-0.0.15-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/miniupnpc-1.9-1.fc19,megaglest-3.9.1-2.fc19,0ad-0.0.15-4.fc19

Comment 4 Fedora Update System 2014-05-01 22:30:10 UTC
Package miniupnpc-1.9-1.fc19, megaglest-3.9.1-2.fc19, 0ad-0.0.15-4.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing miniupnpc-1.9-1.fc19 megaglest-3.9.1-2.fc19 0ad-0.0.15-4.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-5903/miniupnpc-1.9-1.fc19,megaglest-3.9.1-2.fc19,0ad-0.0.15-4.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-05-13 05:02:38 UTC
miniupnpc-1.9-1.fc19, megaglest-3.9.1-2.fc19, 0ad-0.0.15-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Martin Prpič 2014-06-11 07:26:17 UTC
MITRE assigned CVE-2014-3985 to this issue:

http://seclists.org/oss-sec/2014/q2/496