Date: Tue, 15 Mar 2016 12:09:42 +0100
From: Salva Peiró <speirofr@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: The minissdpd (v 1.2.20130907-3) is affected by an
 improper validation of array index weakness

Is there a CVE for this? If not, could one be assigned, please?

The affected version is
minissdpd version: 1.2.20130907-3

The bug is reported at
https://bugs.debian.org/816759

The fixes are applied upstream at
https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47#diff-00d21a1eaced371eee67e083a3ff866c

  DECODELENGTH_CHECKLIMIT(l, p, buf + n);
- if(p+l > buf+n) {
+ if(l > (unsigned)(buf+n-p)) {
  syslog(LOG_WARNING, "bad request (length encoding l=%u n=%u)",
         l, (unsigned)n);
  goto error;
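
Review bot: the new test `l > (unsigned)(buf+n-p)` is only correct while p <= buf+n. If p could ever sit past the limit after DECODELENGTH_CHECKLIMIT, the difference is negative, the cast turns it into a very large unsigned value, and the length check passes. Either reject `p > buf+n` explicitly before this comparison or add a comment stating that the macro guarantees p stays within the limit it is given. Comparing against the remaining byte count is the right form, since it avoids computing `p+l` beyond the end of buf as the removed line did.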

https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a#diff-00d21a1eaced371eee67e083a3ff866c


+ memset(newserv, 0, sizeof(struct service)); /* set pointers to NULL */
  if(containsForbiddenChars(p, l)) {
  syslog(LOG_ERR, "bad request (st contains forbidden chars)");
  goto error;
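
Review bot: the memset on the added line writes through newserv, and the visible lines do not show a NULL check on it first. Confirm the allocation result is tested before this point, or allocate with calloc so the zeroing and the failure check sit together. Using `sizeof(*newserv)` would keep the size tied to the pointer's type. The comment could also say why the pointers must be NULL here (presumably so the `goto error` paths that follow can release the members safely), since that is the invariant later readers need to preserve.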

Regards,
Salva Peiró
--
Salva Peiró @ https://speirofr.appspot.com
CS Researcher & Software Engineer
Universitat Politècnica de València, Spain.

On Mon, Mar 7, 2016 at 1:04 PM, Salva Peiró <speirofr@...il.com> wrote:

> Hi everyone,
>
> A vulnerability in the minissdpd daemon has been found that affects
> minissdpd version 1.2.20130907-3 available in Debian and Ubuntu.
> The vulnerability can be exploited by a local unprivileged user
> with write access to /var/run/minissdpd.sock to crash the minissdpd
> daemon that runs with superuser privileges.
>
> More details at:
> https://speirofr.appspot.com/files/advisory/SPADV-2016-02.md
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=minissdpd;dist=unstable.
>
> Is there a CVE for this? If not, could one be assigned, please?
>
> Regards,
> Salva Peiró
>
> --
> Salva Peiró @ https://speirofr.appspot.com
> CS Researcher & Software Engineer
> Universitat Politècnica de València, Spain.
>
>
