Bug 883790 - (CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965) CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20130129,repo...
: Security
Depends On: 905578 906045 905577 906044
Blocks: 883793
Reported: 2012-12-05 05:37 EST by Jan Lieskovsky
Modified: 2016-03-04 06:28 EST (History)
Doc Type: Bug Fix
Last Closed: 2015-08-22 12:44:06 EDT

Attachments
Patch for VU#922681 against libupnp 1.6 branch (4.54 KB, patch)
2012-12-21 05:14 EST, Jan Lieskovsky
Patch for VU#922681 against libupnp 1.8 branch (4.62 KB, patch)
2012-12-21 05:15 EST, Jan Lieskovsky


External Trackers
Tracker     ID      Priority  Status  Summary  Last Updated
Debian BTS  699459  None      None    None     Never

Description Jan Lieskovsky 2012-12-05 05:37:56 EST
Multiple stack-based buffer overflow flaws were found in the way the SSDP server component of libupnp, the Universal Plug and Play (UPnP) software development kit (SDK), performed assignment of various fields (like DeviceType, DeviceUDN or Service Type) to the SSDP event structure based on the service name string. A remote attacker could provide a specially-crafted SSDP request that, when processed in an application linked against libupnp, would lead to that application crash or, potentially, arbitrary code execution with the privileges of the user running the application.
Comment 2 Jan Lieskovsky 2012-12-05 05:41:44 EST
These issues affect the versions of the libupnp package, as shipped with Fedora release of 16 and 17.

--

These issues affect the versions of the libupnp package, as shipped with Fedora EPEL 5 and Fedora EPEL 6.
Comment 3 Jan Lieskovsky 2012-12-21 05:13:15 EST
The mapping of particular CVE identifiers to libupnp code parts is as follows:
==============================================================================

Security fix for CERT issue VU#922681

This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the following CVE numbers:

CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

Notice that the following issues have already been dealt with by previous work:

CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
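The flaws above all come from copying pieces of an SSDP service name (USN) into fixed-size stack fields such as Event->UDN and Event->DeviceType without checking their length. As an added example that is not libupnp's code nor the attached patch, the following C shows the bounds check that prevents that class of overflow: each field is copied only if it fits, and an over-long or malformed USN is rejected whole. Buffer sizes, the USN layout handled, and all function names are assumptions made for this illustration.

```c
#include <string.h>
#define UDN_SIZE 64      /* constructed sizes for this example, not libupnp's */
#define DEVTYPE_SIZE 64
struct ssdp_event { char udn[UDN_SIZE]; char device_type[DEVTYPE_SIZE]; };

/* Bounded copy of src[0..len) into dst: refuse rather than overflow. */
static int copy_field(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len == 0 || len >= dst_size) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "uuid:<udn>::urn:<domain>:device:<type>:<ver>" into fixed fields.
 * Returns 0 on success, -1 on malformed or oversized input (event zeroed). */
int parse_usn(const char *usn, struct ssdp_event *ev)
{
    const char *sep, *type;
    memset(ev, 0, sizeof(*ev));
    if (strncmp(usn, "uuid:", 5) != 0 || (sep = strstr(usn, "::")) == NULL)
        return -1;
    type = sep + 2;
    if (copy_field(ev->udn, sizeof(ev->udn), usn, (size_t)(sep - usn)) != 0 ||
        strncmp(type, "urn:", 4) != 0 || strstr(type, ":device:") == NULL ||
        copy_field(ev->device_type, sizeof(ev->device_type), type, strlen(type)) != 0) {
        memset(ev, 0, sizeof(*ev));   /* never hand back a half-filled event */
        return -1;
    }
    return 0;
}

/* 1 if usn parses and its fields equal udn and type, else 0. */
int usn_fields_equal(const char *usn, const char *udn, const char *type)
{
    struct ssdp_event ev;
    return parse_usn(usn, &ev) == 0 && strcmp(ev.udn, udn) == 0 &&
           strcmp(ev.device_type, type) == 0;
}

/* Constructed input: a USN whose UDN body is n bytes of 'A'; returns
 * parse_usn's result, so over-long UDNs can be shown to be rejected. */
int parse_synthetic(size_t n)
{
    char buf[512]; struct ssdp_event ev;
    if (n + 48 > sizeof(buf)) return -1;  /* keep the constructed input in bounds */
    memcpy(buf, "uuid:", 5);
    memset(buf + 5, 'A', n);
    strcpy(buf + 5 + n, "::urn:schemas-upnp-org:device:Basic:1");
    return parse_usn(buf, &ev);
}
```

With a 64-byte UDN field, a USN whose UDN part is 63 bytes is accepted and one of 64 or more bytes is refused before any copy takes place.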
Comment 4 Jan Lieskovsky 2012-12-21 05:14:31 EST
Created attachment 667153
Patch for VU#922681 against libupnp 1.6 branch
Comment 5 Jan Lieskovsky 2012-12-21 05:15:17 EST
Created attachment 667154
Patch for VU#922681 against libupnp 1.8 branch
Comment 6 Vincent Danen 2013-01-29 12:05:32 EST
External References:

http://www.kb.cert.org/vuls/id/922681
Comment 7 Vincent Danen 2013-01-29 12:07:58 EST
Created libupnp tracking bugs for this issue

Affects: fedora-all [bug 905577]
Affects: epel-all [bug 905578]
Comment 8 Vincent Danen 2013-01-30 11:21:29 EST
Statement:

Not vulnerable.  This issue did not affect GUPnP, which is an independent implementation of the UPnP standard, entirely different from libupnp. libupnp, while affected, is not provided by any version of Red Hat Enterprise Linux.
Comment 9 Vincent Danen 2013-01-30 12:15:24 EST
Looked for some embedded copies of libupnp and only found one in Fedora (mediatomb).  Looks to be using an old 1.4.x-based version in tombupnp/, so while all of these CVEs may not be applicable, some will be.  It should be made to use the system libupnp, like djmount and linux-igd do (so they're currently vulnerable but will be fixed when the system libupnp is fixed).
Comment 10 Vincent Danen 2013-01-30 12:17:11 EST
Created mediatomb tracking bugs for this issue

Affects: fedora-all [bug 906044]
Affects: epel-5 [bug 906045]
Comment 11 Jon Ciesla 2013-01-30 14:57:32 EST
Working on unbundling mediatomb, if possible.
Comment 12 Fedora Update System 2013-02-12 00:10:49 EST
libupnp-1.6.18-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-02-12 00:32:52 EST
libupnp-1.6.18-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2013-02-12 00:34:02 EST
libupnp-1.6.18-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2013-02-21 00:31:59 EST
mediatomb-0.12.1-23.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2013-02-21 00:48:10 EST
mediatomb-0.12.1-23.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.