Multiple stack-based buffer overflow flaws were found in the way the SSDP server component of libupnp, the Universal Plug and Play (UPnP) software development kit (SDK), performed assignment of various fields (such as DeviceType, DeviceUDN or Service Type) to the SSDP event structure based on the service name string. A remote attacker could provide a specially-crafted SSDP request that, when processed by an application linked against libupnp, would lead to that application crashing or, potentially, to arbitrary code execution with the privileges of the user running the application.
These issues affect the versions of the libupnp package, as shipped with Fedora release of 16 and 17.

These issues affect the versions of the libupnp package, as shipped with Fedora EPEL 5 and Fedora EPEL 6.
The mapping of particular CVE identifiers to libupnp code parts is as follows:

==============================================================================
Security fix for CERT issue VU#922681

This patch addresses three possible buffer overflows in function unique_service_name(). The three issues have the following CVE numbers:

CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

Notice that the following issues have already been dealt with by previous work:

CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
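The bug class named in the description and in the CVE mapping above, copying fields parsed out of an attacker-controlled USN/service-name string into fixed-size buffers with a length taken from that string, shown as an added C illustration beside its bounded form. This is not libupnp's unique_service_name() code: the struct, the field sizes, the function names and the USN strings are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed field sizes; libupnp's real constants differ. */
#define UDN_SIZE      64
#define DEVTYPE_SIZE  64
#define USN_MAX       512

/* Constructed stand-in for the SSDP event structure. */
struct ssdp_event {
    char UDN[UDN_SIZE];
    char DeviceType[DEVTYPE_SIZE];
};

/* Splits a USN of the form "uuid:<udn>::<device-type>" into its two halves.
 * Returns the length of the "uuid:<udn>" part, or 0 if the string has no
 * "uuid:" prefix or no "::" separator. */
static size_t split_usn(const char *usn, const char **udn, const char **type)
{
    const char *start = strstr(usn, "uuid:");
    const char *sep = start ? strstr(start, "::") : NULL;
    if (!start || !sep)
        return 0;
    *udn = start;
    *type = sep + 2;
    return (size_t)(sep - start);
}

/* Flawed pattern (illustration of the bug class, not libupnp's code): the
 * copy length comes straight from the remote string, so a UDN part of
 * UDN_SIZE bytes or more writes past the end of evt->UDN, and a long
 * device type does the same to evt->DeviceType. */
int parse_usn_unchecked(const char *usn, struct ssdp_event *evt)
{
    const char *udn, *type;
    size_t n = split_usn(usn, &udn, &type);
    if (n == 0)
        return -1;
    memcpy(evt->UDN, udn, n);          /* no bounds check on n */
    evt->UDN[n] = '\0';
    strcpy(evt->DeviceType, type);     /* no bounds check on strlen(type) */
    return 0;
}

/* Bounded form: every copy is checked against the destination size and the
 * request is rejected, not silently truncated, when a field would not fit. */
int parse_usn_checked(const char *usn, struct ssdp_event *evt)
{
    const char *udn, *type;
    size_t n = split_usn(usn, &udn, &type);
    if (n == 0 || n >= sizeof evt->UDN)          /* leave room for the NUL */
        return -1;
    size_t tlen = strlen(type);
    if (tlen == 0 || tlen >= sizeof evt->DeviceType)
        return -1;
    memcpy(evt->UDN, udn, n);
    evt->UDN[n] = '\0';
    memcpy(evt->DeviceType, type, tlen + 1);     /* copies the NUL too */
    return 0;
}

/* Helper: builds a constructed USN whose "uuid:<udn>" part is udn_len bytes
 * ("uuid:" followed by 'A's) and returns the checked parser's verdict. */
int checked_result_for_udn_len(size_t udn_len)
{
    char usn[USN_MAX];
    struct ssdp_event evt;
    const char *type = "::urn:schemas-upnp-org:device:MediaServer:1";
    if (udn_len < 5 || udn_len + strlen(type) >= sizeof usn)
        return -2;
    memcpy(usn, "uuid:", 5);
    memset(usn + 5, 'A', udn_len - 5);
    strcpy(usn + udn_len, type);
    return parse_usn_checked(usn, &evt);
}

int main(void)
{
    struct ssdp_event evt;
    const char *ok = "uuid:12345678-1234-1234-1234-123456789abc"
                     "::urn:schemas-upnp-org:device:MediaServer:1";
    if (parse_usn_checked(ok, &evt) == 0)
        printf("UDN=%s\nDeviceType=%s\n", evt.UDN, evt.DeviceType);
    printf("200-byte udn part: %d (rejected)\n",
           checked_result_for_udn_len(200));
    return 0;
}
```

The unchecked parser is only ever called on benign input here; the point is that n and strlen(type) are chosen by whoever sent the SSDP request, so the checks in parse_usn_checked are the difference between a rejected packet and a stack write past the event structure.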
Created attachment 667153: Patch for VU#922681 against libupnp 1.6 branch

Created attachment 667154: Patch for VU#922681 against libupnp 1.8 branch
External References: http://www.kb.cert.org/vuls/id/922681
Created libupnp tracking bugs for this issue

Affects: fedora-all [bug 905577]
Affects: epel-all [bug 905578]
Statement: Not vulnerable. This issue did not affect GUPnP, which is an independent implementation of the UPnP standard, entirely different from libupnp. libupnp, while affected, is not provided by any version of Red Hat Enterprise Linux.
Looked for some embedded copies of libupnp and only found one in Fedora (mediatomb). Looks to be using an old 1.4.x-based version in tombupnp/, so while all of these CVEs may not be applicable, some will be. It should be made to use the system libupnp, like djmount and linux-igd do (so they're currently vulnerable but will be fixed when the system libupnp is fixed).
Created mediatomb tracking bugs for this issue

Affects: fedora-all [bug 906044]
Affects: epel-5 [bug 906045]
Working on unbundling mediatomb, if possible.
libupnp-1.6.18-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
libupnp-1.6.18-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
libupnp-1.6.18-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
mediatomb-0.12.1-23.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mediatomb-0.12.1-23.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.