Security vulnerabilities and postinst generating garbage
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
miniupnpd (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Trusty |
Triaged
|
High
|
Unassigned |
Bug Description
Security Update and/or SRU request for 14.04.
There are security fixes to this package in Debian (1.8.20140523-4, in 15.04+) that fix several CVEs and postinst failures (1.8.20130730-3, in 14.10+) . Unfortunately it is not clear precisely which CVEs the Debian security updates resolve.
I found these issues when a user reported they couldn't start the daemon. I initially fixed the postinst issue locally then discovered Debian had updated the package already, and then discovered the additional fixes for security vulnerabilities.
Due to the Debian packages also including some unrelated fixes I'm unclear as to what the best approach is.
I've asked for guidance in #ubuntu-devel and rbasak gave useful input but it comes down to whether a security update would take the Debian package as-is or want to split out the various specific fixes.
That looks like quite a lot of involved work to me. I only worked on the postinst issue to solve it for a user who reported it in #ubuntu.
-----
[Impact]
* MiniUPnPd is vulnerable to DNS rebinding attacks
* DoS: typos in the postinst script that cause garbage to be written to "/etc/default/
[Test Case]
Install the package and try to start it. It will fail. "/etc/default/
A valid example file exists in the package at
/usr/share/
Installing the package from 15.04 or 15.10 resolve the issues.
[Regression Potential]
Small to Non. postinst changes ensure a valid 'default' file is written and permit the daemon to start. Fixes from upstream prevent DNS rebinding attacks.
These were fixed in Debian and are available in 15.04+.
[References]
security: CVEs http://
security: see Debian bug #772644
postinst: see Debian bug #726915
see also Debian changelog: http://
description: | updated |
description: | updated |
description: | updated |
Changed in miniupnpd (Ubuntu): | |
status: | Confirmed → Triaged |
description: | updated |
summary: |
- postinst script writes garbage to /etc/default/miniupnpd + Security vulnerabilities and postinst generating garbage |
Changed in miniupnpd (Ubuntu Trusty): | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in miniupnpd (Ubuntu Trusty): | |
milestone: | none → ubuntu-14.04.3 |
Changed in miniupnpd (Ubuntu): | |
milestone: | ubuntu-14.04.3 → none |
tags: | added: trusty |
information type: | Public → Public Security |
Changed in miniupnpd (Ubuntu Trusty): | |
milestone: | ubuntu-14.04.3 → none |
I've encountered this issue as well.