Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Version: unspecified
CC: limburgher, marc, security-response-team
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2015-08-22 12:44:06 EDT
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 905577, 905578, 906044, 906045
Description Jan Lieskovsky 2012-12-05 05:37:56 EST
Multiple stack-based buffer overflow flaws were found in the way the SSDP server component of libupnp, the Universal Plug and Play (UPnP) software development kit (SDK), performed assignment of various fields (like DeviceType, DeviceUDN or Service Type) to the SSDP event structure based on the service name string. A remote attacker could provide a specially-crafted SSDP request that, when processed by an application linked against libupnp, would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running the application.
Comment 2 Jan Lieskovsky 2012-12-05 05:41:44 EST
These issues affect the versions of the libupnp package as shipped with Fedora releases 16 and 17.

These issues affect the versions of the libupnp package as shipped with Fedora EPEL 5 and Fedora EPEL 6.
Comment 3 Jan Lieskovsky 2012-12-21 05:13:15 EST
The mapping of particular CVE identifiers to libupnp code parts is as follows:

==============================================================================
Security fix for CERT issue VU#922681

This patch addresses three possible buffer overflows in function unique_service_name(). The three issues have the following CVE numbers:

CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

Notice that the following issues have already been dealt with by previous work:

CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
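The defect class behind every entry in the list above is an unchecked copy of an attacker-controlled service-name field into a fixed-size stack or structure buffer. The following is an added example, not libupnp's code or its patch: it assumes a `uuid:<udn>::<device-type>` USN layout and constructed buffer sizes, and shows a bounded field copy that rejects an over-long field instead of writing past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes for this example; libupnp's real buffer sizes are not given here. */
#define UDN_SIZE 32
#define DEVTYPE_SIZE 64

/* Stand-in for the event structure whose UDN/DeviceType fields the bug names. */
struct ssdp_event {
    char udn[UDN_SIZE];
    char device_type[DEVTYPE_SIZE];
};

/* Bounded copy: writes at most dst_size-1 bytes and always NUL-terminates.
 * An unchecked strcpy/sscanf into dst is the pattern behind the overflows;
 * here an over-long field is reported to the caller instead of written. */
static int copy_field(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse an assumed "uuid:<udn>::<device-type>" USN into fixed-size fields.
 * Returns 0 on success, -1 for malformed or oversized input (request rejected). */
int parse_usn(const char *usn, struct ssdp_event *ev)
{
    const char *udn_start, *sep;

    if (strncmp(usn, "uuid:", 5) != 0)
        return -1;
    udn_start = usn + 5;
    sep = strstr(udn_start, "::");
    if (sep == NULL)
        return -1;
    if (copy_field(ev->udn, sizeof ev->udn, udn_start, (size_t)(sep - udn_start)) != 0)
        return -1;
    return copy_field(ev->device_type, sizeof ev->device_type, sep + 2, strlen(sep + 2));
}

int main(void)
{
    struct ssdp_event ev; /* constructed input below: a well-formed USN */
    int rc = parse_usn("uuid:device-1234::urn:schemas-upnp-org:device:MediaServer:1", &ev);
    printf("rc=%d udn=%s type=%s\n", rc, ev.udn, ev.device_type);
    return 0;
}
```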
Comment 4 Jan Lieskovsky 2012-12-21 05:14:31 EST
Created attachment 667153: Patch for VU#922681 against libupnp 1.6 branch
Comment 5 Jan Lieskovsky 2012-12-21 05:15:17 EST
Created attachment 667154: Patch for VU#922681 against libupnp 1.8 branch
Comment 6 Vincent Danen 2013-01-29 12:05:32 EST
External References: http://www.kb.cert.org/vuls/id/922681
Comment 7 Vincent Danen 2013-01-29 12:07:58 EST
Created libupnp tracking bugs for this issue:

Affects: fedora-all [bug 905577]
Affects: epel-all [bug 905578]
Comment 8 Vincent Danen 2013-01-30 11:21:29 EST
Statement: Not vulnerable. This issue did not affect GUPnP, which is an independent implementation of the UPnP standard, entirely different from libupnp. libupnp, while affected, is not provided by any version of Red Hat Enterprise Linux.
Comment 9 Vincent Danen 2013-01-30 12:15:24 EST
Looked for some embedded copies of libupnp and only found one in Fedora (mediatomb). Looks to be using an old 1.4.x-based version in tombupnp/, so while all of these CVEs may not be applicable, some will be. It should be made to use the system libupnp, like djmount and linux-igd do (so they're currently vulnerable but will be fixed when the system libupnp is fixed).
Comment 10 Vincent Danen 2013-01-30 12:17:11 EST
Created mediatomb tracking bugs for this issue:

Affects: fedora-all [bug 906044]
Affects: epel-5 [bug 906045]
Comment 11 Gwyn Ciesla 2013-01-30 14:57:32 EST
Working on unbundling mediatomb, if possible.
Comment 12 Fedora Update System 2013-02-12 00:10:49 EST
libupnp-1.6.18-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-02-12 00:32:52 EST
libupnp-1.6.18-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2013-02-12 00:34:02 EST
libupnp-1.6.18-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2013-02-21 00:31:59 EST
mediatomb-0.12.1-23.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2013-02-21 00:48:10 EST
mediatomb-0.12.1-23.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.