Security vulnerabilities and postinst generating garbage

Bug #1468938 reported by TJ
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
miniupnpd (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Triaged | High | Unassigned |

Bug Description

Security Update and/or SRU request for 14.04.

There are security fixes to this package in Debian (1.8.20140523-4, in 15.04+) that fix several CVEs and postinst failures (1.8.20130730-3, in 14.10+). Unfortunately it is not clear precisely which CVEs the Debian security updates resolve.

I found these issues when a user reported they couldn't start the daemon. I initially fixed the postinst issue locally then discovered Debian had updated the package already, and then discovered the additional fixes for security vulnerabilities.

Due to the Debian packages also including some unrelated fixes I'm unclear as to what the best approach is.
I've asked for guidance in #ubuntu-devel and rbasak gave useful input but it comes down to whether a security update would take the Debian package as-is or want to split out the various specific fixes.

That looks like quite a lot of involved work to me. I only worked on the postinst issue to solve it for a user who reported it in #ubuntu.

-----

[Impact]

  * MiniUPnPd is vulnerable to DNS rebinding attacks

  * DoS: typos in the postinst script that cause garbage to be written to "/etc/default/miniupnpd" resulting in the service failing to start.

[Test Case]

Install the package and try to start it. It will fail. "/etc/default/miniupnpd" will contain garbled content due to the bug.

A valid example file exists in the package at

/usr/share/doc/miniupnpd/examples/miniupnpd.default

Installing the package from 15.04 or 15.10 resolves the issues.

[Regression Potential]

Small to none. postinst changes ensure a valid 'default' file is written and permit the daemon to start. Fixes from upstream prevent DNS rebinding attacks.

These were fixed in Debian and are available in 15.04+.

[References]

  security: CVEs http://www.cvedetails.com/vulnerability-list/vendor_id-12591/product_id-24263/Miniupnp-Project-Miniupnpd.html

  security: see Debian bug #772644

  postinst: see Debian bug #726915

  see also Debian changelog: http://metadata.ftp-master.debian.org/changelogs//main/m/miniupnpd/miniupnpd_1.8.20140523-4_changelog

Tags: patch trusty
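
The [Test Case] check from the description above, as an added example that is not part of the original report or the package: it rejects a garbled /etc/default-style file and lists variables that a reference file sets but the installed file lacks. The function names, the sample files and the EXAMPLE_* variable names are constructed placeholders, and it assumes the file is sourced as shell by the init script, as /etc/default files usually are.

```shell
#!/bin/sh
# Added example: sanity checks for an /etc/default-style file.

# check_defaults FILE: 0 = looks valid, 1 = garbled, 2 = unreadable
check_defaults() {
    file=$1
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    # Assumption: the init script sources this file, so sh must parse it.
    sh -n "$file" 2>/dev/null || { echo "syntax error in $file" >&2; return 1; }
    # Every line must be blank, a comment, or NAME=value.
    # (Multi-line quoted values would be flagged; assumed not to be used.)
    bad=$(grep -n -v -E '^[[:space:]]*(#.*)?$|^[A-Za-z_][A-Za-z0-9_]*=' "$file" || true)
    if [ -n "$bad" ]; then
        printf 'unexpected lines in %s:\n%s\n' "$file" "$bad" >&2
        return 1
    fi
    return 0
}

# var_names FILE: variable names assigned on uncommented lines
var_names() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u
}

# missing_vars REFERENCE FILE: names set in REFERENCE but not in FILE
missing_vars() {
    have=$(var_names "$2")
    for name in $(var_names "$1"); do
        printf '%s\n' "$have" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Constructed samples; variable names are placeholders, not miniupnpd's own.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# reference' 'EXAMPLE_START=1' 'EXAMPLE_IFACE=eth0' > "$demo_dir/reference"
printf '%s\n' 'EXAMPLE_START=1' 'EXAMPLE_IFACE="eth0' 'if [ -z ; then' > "$demo_dir/garbled"
printf '%s\n' 'EXAMPLE_START=1' 'eth0 10.0.0.1' > "$demo_dir/stray"

check_defaults "$demo_dir/reference" && echo "reference: ok"
check_defaults "$demo_dir/garbled" || echo "garbled: rejected"
check_defaults "$demo_dir/stray" || echo "stray: rejected"
missing_vars "$demo_dir/reference" "$demo_dir/stray"
```

On an affected system the same functions can be pointed at /etc/default/miniupnpd, with /usr/share/doc/miniupnpd/examples/miniupnpd.default as the reference.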
TJ (tj) wrote :
xamber (xamber) wrote :

I've encountered this issue as well.

TJ (tj)
description: updated
TJ (tj)
description: updated
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Fix to postinst script" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
TJ (tj) wrote :

This bug was fixed in Debian some time ago and the working package is carried in 14.10, 15.04 and 15.10.

Can it be backported to 14.04?

description: updated
TJ (tj)
description: updated
Changed in miniupnpd (Ubuntu):
status: Confirmed → Triaged
TJ (tj)
description: updated
summary: - postinst script writes garbage to /etc/default/miniupnpd
+ Security vulnerabilities and postinst generating garbage
Changed in miniupnpd (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

Backporting the whole package from Vivid to Trusty wouldn't be acceptable as a security update or as an SRU.

The security team will sponsor this package as a security update if a debdiff is attached that does the following to the trusty package:

1- adds the security patches from the vivid package
2- adds the postinst fix from 1.8.20130730-3
3- adds a changelog entry documenting those changes

Thanks!

Mathew Hodson (mhodson)
Changed in miniupnpd (Ubuntu Trusty):
milestone: none → ubuntu-14.04.3
Changed in miniupnpd (Ubuntu):
milestone: ubuntu-14.04.3 → none
tags: added: trusty
information type: Public → Public Security
Mathew Hodson (mhodson)
Changed in miniupnpd (Ubuntu Trusty):
milestone: ubuntu-14.04.3 → none
Gianfranco Costamagna (costamagnagianfranco) wrote :

This seems to be fixed in cosmic and later

Changed in miniupnpd (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
