diff -Nru libupnp-1.6.19+git20160116/debian/changelog libupnp-1.6.19+git20160116/debian/changelog --- libupnp-1.6.19+git20160116/debian/changelog 2016-10-19 20:03:51.000000000 +0000 +++ libupnp-1.6.19+git20160116/debian/changelog 2016-12-09 09:40:28.000000000 +0000 @@ -1,3 +1,11 @@ +libupnp (1:1.6.19+git20160116-1.2) unstable; urgency=high + + * Non-maintainer upload. + * Fix out-of-bounds-access (CVE-2016-8863, Closes: #842093) + * Fix usage on ipv6 enabled hosts (Closes: #813249) + + -- Uwe Kleine-König Fri, 09 Dec 2016 10:40:28 +0100 + libupnp (1:1.6.19+git20160116-1.1) unstable; urgency=high * Non-maintainer upload. diff -Nru libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch --- libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch 1970-01-01 00:00:00.000000000 +0000 +++ libupnp-1.6.19+git20160116/debian/patches/CVE-2016-8863.patch 2016-12-09 09:38:40.000000000 +0000 @@ -0,0 +1,63 @@ +From 8d48f5cf63973c452cb4578a1fbe623ba95a8e65 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Thu, 8 Dec 2016 17:11:53 +0100 +Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863) + +If there is an invalid URL in URLS->buf after a valid one, uri_parse is +called with out pointing after the allocated memory. As uri_parse writes +to *out before returning an error the loop in create_url_list must be +stopped early to prevent an out-of-bound access + +Bug: https://sourceforge.net/p/pupnp/bugs/133/ +Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863 +Bug-Debian: https://bugs.debian.org/842093 +Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771 +Applied-Upstream: 1.6.x, commit:a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b +--- + upnp/src/gena/gena_device.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c +index 58a3e55e8973..a49394ab1488 100644 +--- a/upnp/src/gena/gena_device.c ++++ b/upnp/src/gena/gena_device.c +@@ -1113,7 +1113,7 @@ static int create_url_list( + /*! [out] . */ + URL_list *out) + { +- size_t URLcount = 0; ++ size_t URLcount = 0, URLcount2 = 0; + size_t i; + int return_code = 0; + uri_type temp; +@@ -1155,16 +1155,23 @@ static int create_url_list( + } + memcpy( out->URLs, URLS->buff, URLS->size ); + out->URLs[URLS->size] = 0; +- URLcount = 0; + for( i = 0; i < URLS->size; i++ ) { + if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) { + if( ( ( return_code = + parse_uri( &out->URLs[i + 1], URLS->size - i + 1, +- &out->parsedURLs[URLcount] ) ) == ++ &out->parsedURLs[URLcount2] ) ) == + HTTP_SUCCESS ) +- && ( out->parsedURLs[URLcount].hostport.text.size != ++ && ( out->parsedURLs[URLcount2].hostport.text.size != + 0 ) ) { +- URLcount++; ++ URLcount2++; ++ if (URLcount2 >= URLcount) ++ /* ++ * break early here in case there is a bogus URL that ++ * was skipped above. This prevents to access ++ * out->parsedURLs[URLcount] which is beyond the ++ * allocation. ++ */ ++ break; + } else { + if( return_code == UPNP_E_OUTOF_MEMORY ) { + free( out->URLs ); +-- +2.10.2 + diff -Nru libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch --- libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch 1970-01-01 00:00:00.000000000 +0000 +++ libupnp-1.6.19+git20160116/debian/patches/miniserver-fix-binding-to-ipv6-link-local-addresses.patch 2016-12-09 09:39:40.000000000 +0000 @@ -0,0 +1,32 @@ +From 480967ef2dd8a8e66035d878a716a3877439c7ed Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Wed, 30 Nov 2016 22:04:04 +0100 +Subject: [PATCH] miniserver: fix binding to ipv6 link-local addresses + +Linux requires to have sin6_scope_id hold the interface id when binding to +link-local addresses. This is already in use in other parts of upnp, so +portability shouldn't be in the way here. Without this bind(2) fails with +errno=EINVAL (although ipv6(7) from manpages 4.08 specifies ENODEV in this +case). + +Bug-Debian: https://bugs.debian.org/813249 +Applied-Upstream: 1.6.x, commit:96bdeaca867d9eb61e6d6c3e2f751824b09c0358 +--- + upnp/src/genlib/miniserver/miniserver.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/upnp/src/genlib/miniserver/miniserver.c b/upnp/src/genlib/miniserver/miniserver.c +index 683c4b3d36cc..7cd1209d40e4 100644 +--- a/upnp/src/genlib/miniserver/miniserver.c ++++ b/upnp/src/genlib/miniserver/miniserver.c +@@ -583,6 +583,7 @@ static int get_miniserver_sockets( + memset(&__ss_v6, 0, sizeof (__ss_v6)); + serverAddr6->sin6_family = (sa_family_t)AF_INET6; + inet_pton(AF_INET6, gIF_IPV6, &serverAddr6->sin6_addr); ++ serverAddr6->sin6_scope_id = gIF_INDEX; + #endif + /* Getting away with implementation of re-using address:port and + * instead choosing to increment port numbers. +-- +2.10.2 + diff -Nru libupnp-1.6.19+git20160116/debian/patches/series libupnp-1.6.19+git20160116/debian/patches/series --- libupnp-1.6.19+git20160116/debian/patches/series 2016-10-18 20:07:32.000000000 +0000 +++ libupnp-1.6.19+git20160116/debian/patches/series 2016-12-09 09:40:06.000000000 +0000 @@ -9,3 +9,5 @@ 27-LFS-fix-32bit-large_files.patch 28-fix-git-version.patch CVE-2016-6255.patch +CVE-2016-8863.patch +miniserver-fix-binding-to-ipv6-link-local-addresses.patch