[mir] minissdpd

Bug #813313 reported by Jeremy Bícha
Affects              Status        Importance   Assigned to   Milestone
minissdpd (Debian)   Fix Released  Unknown
minissdpd (Ubuntu)   Fix Released  Undecided    Unassigned

Bug Description

1. Availability - already packaged & builds in Ubuntu universe & Debian testing

2. Rationale - The MiniSSDP daemon improves miniupnpc's functionality. Without minissdpd, only one instance of miniupnpc can run at one time since the UPNP protocol specifies that clients must listen in on port 1900. Minissdpd also can speed up device discovery. We need this program in main because it is recommended by miniupnpc which Transmission now depends on. (See bug 813308.)

3. Security - There are no known security bugs: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=minissdpd

4. QA -
https://bugs.launchpad.net/ubuntu/+source/minissdpd
http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=minissdpd
http://miniupnp.tuxfamily.org/forum/viewforum.php?f=5

5. UI - N/A

6. Dependencies: None, https://bazaar.launchpad.net/+branch/ubuntu/minissdpd/view/head:/debian/control

7. Standards compliant 3.9.1

8. Maintenance - We are currently in sync with Debian

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: minissdpd 1.0-2
ProcVersionSignature: Ubuntu 3.0.0-5.6-generic 3.0.0-rc7
Uname: Linux 3.0.0-5-generic x86_64
Architecture: amd64
Date: Wed Jul 20 01:35:04 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
SourcePackage: minissdpd
UpgradeStatus: Upgraded to oneiric on 2011-06-17 (32 days ago)

Michael Terry (mterry)
Changed in minissdpd (Ubuntu):
assignee: nobody → Michael Terry (mterry)
Revision history for this message
Michael Terry (mterry) wrote :

Approved from a packaging/maintenance perspective, but I'd like the security team to look at this, since it runs a daemon.

Changed in minissdpd (Ubuntu):
assignee: Michael Terry (mterry) → Ubuntu Security Team (ubuntu-security)
status: New → Confirmed
Revision history for this message
Michael Terry (mterry) wrote :

I almost forgot to mention that it would also be nice to see a bug subscriber.

Revision history for this message
Kees Cook (kees) wrote :

This software should not be in main. It seems to be very buggy and dangerous.

- auto-starts a network-listening port on all interfaces
- needlessly runs as root
- off-by-one in packet parsing can trigger crashes on unlucky alignment
    minissdpd.c line ~290
- walk off end of memory without length check in "cache-control" packet
    minissdpd.c line ~314
- spews DEBUG and INFO level syslog lines on device updates/discovery
- unchecked malloc uses
- linefeed injection in service requests
- multiple buffer overflows in processRequest
    - unchecked decoded lengths
    - unchecked buffer creation length
    - integer overflows in decoded lengths
    - write null byte arbitrarily in heap
    - could read stack memory out on requests (including canary if our canary wasn't null-started)
        add bogus service with giant "location" entry
        read back with type==1 and matching "st"
- unchecked write lengths (could get interrupted)
- does not clean up /var/run files correctly

Changed in minissdpd (Ubuntu):
status: Confirmed → Incomplete
assignee: Ubuntu Security Team (ubuntu-security) → nobody
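The parsing problems in the audit above (no length check on the cache-control header, unchecked and overflowing decoded lengths, linefeed injection into stored service fields) handled safely in an added C example. This is not minissdpd's code and does not describe its wire format: the 7-bit continuation length encoding, the MAX_FIELD and MAX_AGE_LIMIT caps, and the function names are assumptions of the example.

```c
/* Added example, not minissdpd's own code. It handles the parsing hazards
 * listed in the audit above: SSDP headers are scanned in a raw network
 * buffer that is not NUL-terminated, with every access bounded by the
 * received length; a client-supplied length is decoded with overflow and
 * remaining-buffer checks before any copy; stored fields reject CR/LF.
 * The 7-bit length encoding and the MAX_* caps are assumptions here. */
#include <ctype.h>
#include <string.h>

#define MAX_FIELD     256     /* assumed cap on a stored field */
#define MAX_AGE_LIMIT 86400u  /* assumed sanity cap on max-age (one day) */

static int ci_eq(const char *a, const char *b, size_t n)  /* n bytes, no NUL needed */
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Find header `name` in pkt[0..len). Lines end in CRLF or LF; a final line
 * with no terminator is still examined. Returns 1 and sets *val/*vlen. */
int ssdp_find_header(const char *pkt, size_t len, const char *name,
                     const char **val, size_t *vlen)
{
    size_t nlen = strlen(name), pos = 0;
    while (pos < len) {
        size_t eol = pos, end;
        while (eol < len && pkt[eol] != '\n') eol++;
        end = (eol > pos && pkt[eol - 1] == '\r') ? eol - 1 : eol;
        /* end - pos > nlen guarantees pkt[pos + nlen] is inside this line */
        if (end - pos > nlen && pkt[pos + nlen] == ':' && ci_eq(pkt + pos, name, nlen)) {
            size_t v = pos + nlen + 1;
            while (v < end && (pkt[v] == ' ' || pkt[v] == '\t')) v++;
            while (end > v && (pkt[end - 1] == ' ' || pkt[end - 1] == '\t')) end--;
            *val = pkt + v; *vlen = end - v;
            return 1;
        }
        pos = eol + 1;  /* past the '\n'; when eol == len this ends the loop */
    }
    return 0;
}

/* Extract "max-age=N" from CACHE-CONTROL; digits accumulate under an explicit
 * bound so an oversized value is rejected instead of wrapping. */
int ssdp_parse_max_age(const char *pkt, size_t len, unsigned *max_age)
{
    static const char key[] = "max-age=";
    const size_t klen = sizeof key - 1;
    const char *v; size_t vlen, i = 0; unsigned acc = 0;
    if (!ssdp_find_header(pkt, len, "CACHE-CONTROL", &v, &vlen)) return 0;
    while (i + klen <= vlen && !ci_eq(v + i, key, klen)) i++;
    if (i + klen > vlen) return 0;
    i += klen;
    if (i >= vlen || !isdigit((unsigned char)v[i])) return 0;
    for (; i < vlen && isdigit((unsigned char)v[i]); i++) {
        unsigned d = (unsigned)(v[i] - '0');
        if (acc > (MAX_AGE_LIMIT - d) / 10) return 0;  /* would exceed the cap */
        acc = acc * 10 + d;
    }
    *max_age = acc;
    return 1;
}

/* Decode a client-sent length: 7 data bits per byte, high bit set on every
 * byte but the last (assumed encoding). Rejects a number cut off by the end
 * of input, one needing more than 28 bits, or one claiming more bytes than
 * actually follow it. Advances *p past the length field on success. */
size_t decode_length(const unsigned char **p, const unsigned char *end)
{
    size_t n = 0; int shift = 0;
    while (*p < end) {
        unsigned char c = *(*p)++;
        if (shift > 21) return (size_t)-1;            /* fifth byte: overflow */
        n |= (size_t)(c & 0x7f) << shift;
        if (!(c & 0x80)) return n > (size_t)(end - *p) ? (size_t)-1 : n;
        shift += 7;
    }
    return (size_t)-1;                                /* truncated */
}

/* Store one decoded field: bounded, NUL-terminated, and free of CR/LF/NUL so
 * it cannot inject extra lines when later echoed back in a response. */
int copy_field(char *dst, size_t dstsz, const unsigned char *src, size_t n)
{
    if (n >= dstsz || n > MAX_FIELD) return 0;
    for (size_t i = 0; i < n; i++)
        if (src[i] == '\r' || src[i] == '\n' || src[i] == '\0') return 0;
    memcpy(dst, src, n); dst[n] = '\0';
    return 1;
}

/* Consume one length-prefixed field from a request buffer. */
int read_field(const unsigned char **p, const unsigned char *end, char *dst, size_t dstsz)
{
    size_t n = decode_length(p, end);
    if (n == (size_t)-1 || !copy_field(dst, dstsz, *p, n)) return 0;
    *p += n;
    return 1;
}
```

The design choice worth noting is that every function takes the received length as the only source of truth: a NOTIFY whose last line lacks CRLF, or a datagram truncated mid-header, is still parsed without reading past the buffer, and a decoded length is compared against the bytes that actually remain before it is ever used as a copy size.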
Revision history for this message
Jeremy Bícha (jbicha) wrote :

Kees, ok, I'll just tell miniupnpc not to recommend this package then.

Revision history for this message
Jeremy Bícha (jbicha) wrote :

Are you going to report this to Debian & the upstream developer?

Revision history for this message
Michael Terry (mterry) wrote :

miniupnpc no longer Recommends but merely Suggests minissdpd, so a MIR isn't needed. Thanks for the review, Kees!

Changed in minissdpd (Ubuntu):
status: Incomplete → Invalid
Revision history for this message
Kees Cook (kees) wrote :

Yes, I've emailed upstream with the non-packaging bits of my audit.

Revision history for this message
Thomas Goirand (thomas-goirand) wrote :

Hi,

I have uploaded version 1.0.20110729, which upstream is claiming to fix the above issues. Please sync from SID if you want the latest version.

Cheers,

Thomas Goirand (zigo)

P.S: Thanks for sending a bug to my package, I wouldn't have spotted it otherwise. I'll register to this package's bugs right away.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package minissdpd - 1.0.20110729-1

---------------
minissdpd (1.0.20110729-1) unstable; urgency=high

  * New upstream release 1.0.20110729, fixing root exploit issue reported on
  launchpad (Closes: #635836) (LP: #813313), thanks to Moritz Muehlenhoff
  <email address hidden> for the bug report, and to folks at Ubuntu for the
  investigation of the issue.
  * Added build-arch: and build-indep: targets in debian/rules.
  * Bumped standard-version to 3.9.2.
 -- Micah Gersten <email address hidden> Mon, 08 Aug 2011 23:42:37 +0000

Changed in minissdpd (Ubuntu):
status: Invalid → Fix Released
Changed in minissdpd (Debian):
status: Unknown → Fix Released