454570 – <net-libs/libupnp-1.6.18: various buffer overflows (CVE-2012-{5958,5959,5960})

Bug 454570 - <net-libs/libupnp-1.6.18: various buffer overflows (CVE-2012-{5958,5959,5960})

Summary: <net-libs/libupnp-1.6.18: various buffer overflows (CVE-2012-{5958,5959,5960})

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	http://www.kb.cert.org/vuls/id/922681
Whiteboard:	B1 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2013-01-29 19:02 UTC by Hanno Böck
Modified:	2014-03-26 10:46 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2013-01-29 19:02:34 UTC

Three buffer overflows have been fixed with the release of libupnp 1.6.18:
http://pupnp.sourceforge.net/ChangeLog

This fix is a reaction to research of the security company rapid7 about vulnerable upnp devices. Further infos: http://www.kb.cert.org/vuls/id/922681

Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev

2013-01-30 09:58:56 UTC

I have bumped libupnp to 1.6.18 - it just needs stabilization.

Comment 2 Sean Amoss (RETIRED) gentoo-dev

2013-02-05 13:52:26 UTC

Thanks, Hanno and Bjarke. 

Arches, please test and mark stable:
=net-libs/libupnp-1.6.18
Target KEYWORDS: "alpha amd64 arm hppa ppc ppc64 sparc x86"

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2013-02-05 13:53:28 UTC

CVE-2012-5960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5960):
  Stack-based buffer overflow in the unique_service_name function in
  ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices
  (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows
  remote attackers to execute arbitrary code via a long UDN (aka
  upnp:rootdevice) field in a UDP packet.

CVE-2012-5959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5959):
  Stack-based buffer overflow in the unique_service_name function in
  ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices
  (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows
  remote attackers to execute arbitrary code via a long UDN (aka uuid) field
  within a string that contains a :: (colon colon) in a UDP packet.

CVE-2012-5958 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5958):
  Stack-based buffer overflow in the unique_service_name function in
  ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices
  (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows
  remote attackers to execute arbitrary code via a UDP packet with a crafted
  string that is not properly handled after a certain pointer subtraction.

Comment 4 Jeroen Roovers (RETIRED) gentoo-dev

2013-02-09 15:23:08 UTC

Stable for HPPA.

Comment 5 Agostino Sarubbo gentoo-dev

2013-02-20 14:23:20 UTC

455784 is not anymore a blocker

Comment 6 Agostino Sarubbo gentoo-dev

2013-02-20 15:55:10 UTC

amd64 stable

Comment 7 Agostino Sarubbo gentoo-dev

2013-02-20 15:56:58 UTC

x86 stable

Comment 8 Agostino Sarubbo gentoo-dev

2013-02-21 16:10:49 UTC

sparc stable

Comment 9 Agostino Sarubbo gentoo-dev

2013-02-22 17:28:30 UTC

ppc stable

Comment 10 Agostino Sarubbo gentoo-dev

2013-02-22 18:07:00 UTC

arm stable

Comment 11 Agostino Sarubbo gentoo-dev

2013-02-23 15:03:00 UTC

alpha stable

Comment 12 Agostino Sarubbo gentoo-dev

2013-02-23 21:59:44 UTC

ppc64 stable

Comment 13 Sean Amoss (RETIRED) gentoo-dev

2013-03-17 15:44:34 UTC

New GLSA request filed.

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2014-03-26 10:46:59 UTC

This issue was resolved and addressed in
 GLSA 201403-06 at http://security.gentoo.org/glsa/glsa-201403-06.xml
by GLSA coordinator Mikle Kolyada (Zlogene).