Bug 883790 (CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965) - CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 905577 905578 906044 906045
Blocks: 883793
Reported: 2012-12-05 10:37 UTC by Jan Lieskovsky
Modified: 2021-02-04 00:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 16:44:06 UTC
Embargoed:


Attachments
Patch for VU#922681 against libupnp 1.6 branch (4.54 KB, patch), 2012-12-21 10:14 UTC, Jan Lieskovsky
Patch for VU#922681 against libupnp 1.8 branch (4.62 KB, patch), 2012-12-21 10:15 UTC, Jan Lieskovsky


Links
Debian BTS 699459

Description Jan Lieskovsky 2012-12-05 10:37:56 UTC
Multiple stack-based buffer overflow flaws were found in the way the SSDP server component of libupnp, the Universal Plug and Play (UPnP) software development kit (SDK), performed assignment of various fields (like DeviceType, DeviceUDN or Service Type) to the SSDP event structure based on the service name string. A remote attacker could provide a specially-crafted SSDP request that, when processed by an application linked against libupnp, would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running the application.

Comment 2 Jan Lieskovsky 2012-12-05 10:41:44 UTC
These issues affect the versions of the libupnp package, as shipped with Fedora releases 16 and 17.

--

These issues affect the versions of the libupnp package, as shipped with Fedora EPEL 5 and Fedora EPEL 6.

Comment 3 Jan Lieskovsky 2012-12-21 10:13:15 UTC
The mapping of particular CVE identifiers to libupnp code parts is as follows:
==============================================================================

Security fix for CERT issue VU#922681

This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the following CVE numbers:

CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

Notice that the following issues have already been dealt with by previous work:

CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
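
The bug class named in the description and in the CVE mapping above, as an added illustrative example: this is neither libupnp's unique_service_name() nor the attached patches, only a minimal model of filling fixed-size event fields (UDN, DeviceType) from an attacker-controlled SSDP USN header, with the unchecked copy beside a length-checked version that fails closed. The USN layout, the LINE_SIZE of 180, the struct layout and the sample strings are assumptions constructed for the demo.

```c
/* Added illustrative example: NOT libupnp's unique_service_name() and NOT the
 * attached patch. Models the bug class in the report: fixed-size event fields
 * filled from an attacker-controlled SSDP USN. LINE_SIZE, the struct layout,
 * the USN format and the sample strings are assumptions for the demo. */
#include <stdio.h>
#include <string.h>

#define LINE_SIZE 180 /* assumed field width */

struct ssdp_event {
    char UDN[LINE_SIZE];
    char DeviceType[LINE_SIZE];
};

/* Constructed sample: "uuid:<udn>::urn:<domain>:device:<type>:<version>" */
const char *SAMPLE_OK =
    "uuid:12345678-1234-1234-1234-123456789abc::urn:schemas-upnp-org:device:MediaServer:1";

/* Vulnerable pattern: copy lengths come from the input and are never compared
 * with the destination size, so a long USN writes past the fields. Contrast only. */
void unique_service_name_unsafe(const char *usn, struct ssdp_event *evt)
{
    const char *sep = strstr(usn, "::");
    if (!sep)
        return;
    size_t n = (size_t)(sep - usn);
    strncpy(evt->UDN, usn, n);        /* n unbounded */
    evt->UDN[n] = '\0';               /* out-of-bounds write when n >= LINE_SIZE */
    strcpy(evt->DeviceType, sep + 2); /* unbounded too */
}

/* Without copying anything, report whether the unsafe version would overrun. */
int usn_would_overflow(const char *usn)
{
    const char *sep = strstr(usn, "::");
    size_t udn_len = sep ? (size_t)(sep - usn) : strlen(usn);
    size_t type_len = sep ? strlen(sep + 2) : 0;
    return udn_len >= LINE_SIZE || type_len >= LINE_SIZE;
}

/* Bounded copy that fails closed (no truncation, no overflow). */
static int copy_bounded(char *dst, size_t dst_size, const char *src, size_t n)
{
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened form: each field length is checked against its destination before
 * the copy. Returns 0 on success, -1 on malformed or oversized input. */
int unique_service_name_safe(const char *usn, struct ssdp_event *evt)
{
    memset(evt, 0, sizeof *evt);
    const char *sep = strstr(usn, "::");
    if (!sep)
        return -1;
    if (copy_bounded(evt->UDN, sizeof evt->UDN, usn, (size_t)(sep - usn)) != 0)
        return -1;
    const char *type = sep + 2;
    if (strncmp(type, "urn:", 4) != 0)
        return -1;
    return copy_bounded(evt->DeviceType, sizeof evt->DeviceType, type, strlen(type));
}

/* Constructed oversized USN: "uuid:" followed by LINE_SIZE 'A's before "::". */
const char *oversized_usn(void)
{
    static char buf[2 * LINE_SIZE + 64];
    memcpy(buf, "uuid:", 5);
    memset(buf + 5, 'A', LINE_SIZE);
    strcpy(buf + 5 + LINE_SIZE, "::urn:schemas-upnp-org:device:Demo:1");
    return buf;
}

/* 1 if the safe parser accepts the sample and yields the expected fields. */
int check_sample(void)
{
    struct ssdp_event evt;
    if (unique_service_name_safe(SAMPLE_OK, &evt) != 0)
        return 0;
    return strcmp(evt.UDN, "uuid:12345678-1234-1234-1234-123456789abc") == 0 &&
           strcmp(evt.DeviceType, "urn:schemas-upnp-org:device:MediaServer:1") == 0;
}

/* 1 if the oversized USN would overflow the unsafe copy and is rejected safely. */
int check_oversized(void)
{
    struct ssdp_event evt;
    return usn_would_overflow(oversized_usn()) &&
           unique_service_name_safe(oversized_usn(), &evt) == -1;
}

int main(void)
{
    printf("sample accepted: %d, oversized rejected: %d\n", check_sample(), check_oversized());
    return 0;
}
```

The point of the contrast is that the fix is a comparison before every copy, not after: once the length taken from the wire exceeds the field, the only safe action is to reject the packet, since truncating a UDN or device type silently changes which device an event is attributed to.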

Comment 4 Jan Lieskovsky 2012-12-21 10:14:31 UTC
Created attachment 667153 [details]
Patch for VU#922681 against libupnp 1.6 branch

Comment 5 Jan Lieskovsky 2012-12-21 10:15:17 UTC
Created attachment 667154 [details]
Patch for VU#922681 against libupnp 1.8 branch

Comment 6 Vincent Danen 2013-01-29 17:05:32 UTC
External References:

http://www.kb.cert.org/vuls/id/922681

Comment 7 Vincent Danen 2013-01-29 17:07:58 UTC
Created libupnp tracking bugs for this issue

Affects: fedora-all [bug 905577]
Affects: epel-all [bug 905578]

Comment 8 Vincent Danen 2013-01-30 16:21:29 UTC
Statement:

Not vulnerable.  This issue did not affect GUPnP, which is an independent implementation of the UPnP standard, entirely different from libupnp. libupnp, while affected, is not provided by any version of Red Hat Enterprise Linux.

Comment 9 Vincent Danen 2013-01-30 17:15:24 UTC
Looked for some embedded copies of libupnp and only found one in Fedora (mediatomb).  Looks to be using an old 1.4.x-based version in tombupnp/, so while all of these CVEs may not be applicable, some will be.  It should be made to use the system libupnp, like djmount and linux-igd do (so they're currently vulnerable but will be fixed when the system libupnp is fixed).

Comment 10 Vincent Danen 2013-01-30 17:17:11 UTC
Created mediatomb tracking bugs for this issue

Affects: fedora-all [bug 906044]
Affects: epel-5 [bug 906045]

Comment 11 Gwyn Ciesla 2013-01-30 19:57:32 UTC
Working on unbundling mediatomb, if possible.

Comment 12 Fedora Update System 2013-02-12 05:10:49 UTC
libupnp-1.6.18-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2013-02-12 05:32:52 UTC
libupnp-1.6.18-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2013-02-12 05:34:02 UTC
libupnp-1.6.18-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2013-02-21 05:31:59 UTC
mediatomb-0.12.1-23.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2013-02-21 05:48:10 UTC
mediatomb-0.12.1-23.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

