Bug 883790 – CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681)

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 883790 - (CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965) CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681)

Summary:	CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-201...

Status:	CLOSED ERRATA

Aliases:	CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20130129,repo...
Keywords:	Security

Depends On:	905577 905578 906044 906045
Blocks:	883793
	Show dependency tree / graph

Reported:	2012-12-05 05:37 EST by Jan Lieskovsky
Modified:	2018-03-01 15:17 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-08-22 12:44:06 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Patch for VU#922681 against libupnp 1.6 branch (4.54 KB, patch) 2012-12-21 05:14 EST, Jan Lieskovsky	no flags	Details \| Diff
Patch for VU#922681 against libupnp 1.8 branch (4.62 KB, patch) 2012-12-21 05:15 EST, Jan Lieskovsky	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Debian BTS	699459	None	None	None	Never

Groups: None (edit)

Description Jan Lieskovsky 2012-12-05 05:37:56 EST

Multiple stack-based buffer overflow flaws were found in the way SSDP server component of libupnp, the Universal Plug and Play (UPnP) software development kit (SDK), performed assigment of various fields (like DeviceType, DeviceUDN or Service Type) to the SSDP event structure based on service name string. A remote attacker could provide a specially-crafted SSDP request that, when processed in an application linked against libupnp would lead to that application crash or, potentially, arbitrary code execution with the privileges of the user running the application.

Comment 2 Jan Lieskovsky 2012-12-05 05:41:44 EST

These issues affect the versions of the libupnp package, as shipped with Fedora release of 16 and 17.

--

These issues affect the versions of the libupnp package, as shipped with Fedora EPEL 5 and Fedora EPEL 6.

Comment 3 Jan Lieskovsky 2012-12-21 05:13:15 EST

The mapping of particular CVE identifiers to libupnp code parts is as follows:
==============================================================================

Security fix for CERT issue VU#922681

This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the folowing CVE numbers:

CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

Notice that the following issues have already been dealt by previous work:

CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType

Comment 4 Jan Lieskovsky 2012-12-21 05:14:31 EST

Created attachment 667153 [details]
Patch for VU#922681 against libupnp 1.6 branch

Comment 5 Jan Lieskovsky 2012-12-21 05:15:17 EST

Created attachment 667154 [details]
Patch for VU#922681 against libupnp 1.8 branch

Comment 6 Vincent Danen 2013-01-29 12:05:32 EST

External References:

http://www.kb.cert.org/vuls/id/922681

Comment 7 Vincent Danen 2013-01-29 12:07:58 EST

Created libupnp tracking bugs for this issue

Affects: fedora-all [bug 905577]
Affects: epel-all [bug 905578]

Comment 8 Vincent Danen 2013-01-30 11:21:29 EST

Statement:

Not vulnerable.  This issue did not affect GUPnP, which is an independent implementation of the UPnP standard, entirely different from libupnp. libupnp, while affected, is not provided by any version of Red Hat Enterprise Linux.

Comment 9 Vincent Danen 2013-01-30 12:15:24 EST

Looked for some embedded copies of libupnp and only found one in Fedora (mediatomb).  Looks to be using an old 1.4.x-based version in tombupnp/, so while all of these CVEs may not be applicable, some will be.  It should be made to use the system libupnp, like djmount and linux-igd do (so they're currently vulnerable but will be fixed when the system libupnp is fixed).

Comment 10 Vincent Danen 2013-01-30 12:17:11 EST

Created mediatomb tracking bugs for this issue

Affects: fedora-all [bug 906044]
Affects: epel-5 [bug 906045]

Comment 11 Gwyn Ciesla 2013-01-30 14:57:32 EST

Working on unbundling mediatomb, if possible.

Comment 12 Fedora Update System 2013-02-12 00:10:49 EST

libupnp-1.6.18-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2013-02-12 00:32:52 EST

libupnp-1.6.18-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2013-02-12 00:34:02 EST

libupnp-1.6.18-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2013-02-21 00:31:59 EST

mediatomb-0.12.1-23.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2013-02-21 00:48:10 EST

mediatomb-0.12.1-23.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.