List:       oss-security
Subject:    Re: [oss-security] CVE Request: MiniUPnPd: several issues
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2014-12-30 4:27:27
Message-ID: 20141230042727.GB26543 () eldamar ! local

On Tue, Dec 09, 2014 at 09:32:59PM +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> Quoting from the Bug in the Debian bugtracker at
> https://bugs.debian.org/772644 several issues were found in
> MiniUPnP:
> 
> On Tue, Dec 09, 2014 at 10:20:32PM +0800, Thomas Goirand wrote:
> > Stephen Röttger from Google did a security audit of MiniUPnPd, and found a few
> > issues, all now fixed upstream.
> > 
> > Extract from private messages that were forwarded to me (but which are fine to
> > disclose since there are already some public commits).
> > 
> > > MiniUPnP is vulnerable to DNS rebinding attacks, which allow an attacker to
> > > trigger upnp actions through a malicious website. Wikipedia describes the
> > > attack quite well: http://en.wikipedia.org/wiki/DNS_rebinding.
> > > To mitigate this attack, MiniUPnP should check if the request's host header
> > > either contains an IP address or the hostname of the device.
> > > 
> > > Besides that, I found a few memory corruption vulnerabilities in the code.
> > 
> > Fixes:
> > 
> > https://github.com/miniupnp/miniupnp/commit/d00b75782e7d73e78d0b935cee6f4873bc48c9e8
> > https://github.com/miniupnp/miniupnp/commit/7c91c4e933e96b913b72685d093126d282b87db6
> > 
> > Some memory corruption fix:
> > 
> > https://github.com/miniupnp/miniupnp/commit/e6bc04aa06341fa4df3ccae87a167e9adf816911
> > 
> > A buffer overrun in ParseHttpHeaders() fix:
> > 
> > https://github.com/miniupnp/miniupnp/commit/dd39ecaa935a9c23176416b38a3b80d577f21048
> > 
> > Added check if BuildHeader_upnphttp() failed to allocate memory:
> > 
> > https://github.com/miniupnp/miniupnp/commit/ec94c5663fe80dd6ceea895c73e2be66b1ef6bf4
> 
> Can CVEs be assigned for these issues?

Adding MITRE explicitly as CC, as I forgot in my first mail for the
CVE request.

Regards,
Salvatore
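The Host-header check that the audit report above recommends as the DNS rebinding mitigation, as an added illustration that is not MiniUPnPd's own code or the upstream fix: the request is accepted only when Host carries an IP literal or the device's own name (the hostname "miniupnpd.local" and the sample Host values are constructed for the demo).

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the host part of a Host header value into out, dropping an optional
 * ":port" suffix and the brackets of a "[ipv6]:port" form. Returns 0 on success. */
static int host_split(const char *host, char *out, size_t outlen)
{
    size_t n = strlen(host);
    if (n == 0 || n >= outlen) return -1;
    if (host[0] == '[') {                         /* [ipv6] or [ipv6]:port */
        const char *close = strchr(host, ']');
        if (close == NULL) return -1;
        size_t len = (size_t)(close - host - 1);
        if (len == 0 || len >= outlen) return -1;
        memcpy(out, host + 1, len); out[len] = '\0';
        return 0;
    }
    const char *colon = strchr(host, ':');
    if (colon && strchr(colon + 1, ':')) colon = NULL; /* bare IPv6 literal, no port */
    size_t len = colon ? (size_t)(colon - host) : n;
    if (len == 0 || len >= outlen) return -1;
    memcpy(out, host, len); out[len] = '\0';
    return 0;
}

/* Accept the request only if Host names the device itself: an IPv4/IPv6
 * literal, or the configured device hostname. A rebound attacker-controlled
 * name fails here even though the browser resolved it to the device's address. */
int host_header_ok(const char *host, const char *device_name)
{
    char h[256];
    struct in_addr a4; struct in6_addr a6;
    if (host == NULL || host_split(host, h, sizeof h) != 0) return 0;
    if (inet_pton(AF_INET, h, &a4) == 1) return 1;
    if (inet_pton(AF_INET6, h, &a6) == 1) return 1;
    if (device_name != NULL && strcasecmp(h, device_name) == 0) return 1;
    return 0;
}

int main(void)
{
    /* constructed sample Host values; "miniupnpd.local" is an assumed device name */
    const char *samples[] = { "192.168.1.1:1900", "[fe80::1]:1900",
                              "MiniUPnPd.local", "evil.example:1900", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               host_header_ok(samples[i], "miniupnpd.local") ? "accept" : "reject");
    return 0;
}
```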