Description of problem:
libupnp (aka Portable UPnP SDK) has received some security fixes involving string handling and additionally some fixes for bugs created by a previous botched attempt to fix insecure string handling. The previous fixes actually broke UPnP clients using libupnp (most notably VideoLan's VLC).

http://sourceforge.net/p/pupnp/bugs/122/
https://sourceforge.net/p/pupnp/mailman/message/32290824/
http://sourceforge.net/p/pupnp/code/commit_browser

The commits [0398b1] [814d15] are specifically security related and should be considered for immediate inclusion in packages. There are three other new commits, [11f05d] [ef6a6d] [bf0a3d] which fix bugs and you may also wish to include.
Component: RPM Packages => Security
Version: 4 => Cauldron
QA Contact: (none) => security
Whiteboard: (none) => MGA4TOO, MGA3TOO
fixed with nginx-1.2.9-1.3.mga3 & nginx-1.4.7-1.1.mga4
CC: (none) => oe
Argh. Wrong bug.
CVE request: http://openwall.com/lists/oss-security/2014/09/24/7
CC: (none) => luigiwalser
Thanks for the report! It sounds like upstream needs to release 1.6.20...

I've added all five patches in Mageia 3, Mageia 4, and Cauldron. There's no response to the CVE request yet. It looks like really only [814d15] is security-relevant, and it sounds like it's protecting against buffer overflows.

Advisory:
----------------------------------------
Upstream patches have been added to libupnp to fix bugs that cause issues with UPnP clients using libupnp, such as VLC. The patches fix issues with DNS look-ups, URI handling, internal string handling (including protection against possible buffer overflows), and RFC 3986 compliance.

References:
http://sourceforge.net/p/pupnp/mailman/message/32290824/
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
libupnp6-1.6.18-1.1.mga3
libthreadutil6-1.6.18-1.1.mga3
libixml2-1.6.18-1.1.mga3
libupnp-devel-1.6.18-1.1.mga3
libupnp6-1.6.18-2.1.mga4
libthreadutil6-1.6.18-2.1.mga4
libixml2-1.6.18-2.1.mga4
libupnp-devel-1.6.18-2.1.mga4

from SRPMS:
libupnp-1.6.18-1.1.mga3.src.rpm
libupnp-1.6.18-2.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: major => normal
CC: (none) => remi
Source RPM: (none) => libupnp
Testing a lib is always a bit tricky. Here is a list of packages that make use of libupnp6 (at least that's what I can gather on cauldron, removing openclonk and retroshare-nogui that are new in cauldron).

$ urpmq --whatrequires lib64upnp6
amule
amule-commandline
amule-webserver
lib64mediastreamer3
lib64upnp-devel
retroshare
ushare
vlc-plugin-upnp
Since the report specifically mentioned VLC and noted that UPNP functionality was noticeably broken there, if you can figure out how to test that, it sounds like a good way to go.
The breakage affected all UPnP servers with service description urls shorter than the device description url as libupnp failed to account for the two character null termination of strings when performing a strcpy. Hence you ended up with urls containing two characters of junk from the previous string held in that variable.

e.g.
[0x7f62d06092f8] upnp services discovery error: UPNP_E_BAD_RESPONSE when trying the send() action with URL: http://192.168.159.2:6544/CDS_Controlsc

which should be
http://192.168.159.2:6544/CDS_Control

Therefore in testing VLC you need to use a UPnP server which triggers this bug. I know MythTV was affected, but if you don't already have it set up then it's a bit much to do so for the purpose of testing these patches.
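Added illustration, not part of the comment above and not libupnp's code: a simplified model of the symptom it describes, where a shorter URL is copied into a reused buffer without a terminator and the tail of the previous string survives. The helper names and the device description URL are constructed for the example; only the control URL comes from the report.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF 64

/* Flawed copy: moves only strlen(src) bytes, so no terminator is written
 * and whatever dst held past that point stays part of the string. */
static void copy_unterminated(char *dst, const char *src)
{
    memcpy(dst, src, strlen(src));
}

/* Corrected copy: bounded, and always writes the terminating NUL. */
static int copy_terminated(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;               /* refuse to truncate or overflow */
    memcpy(dst, src, n + 1);     /* n bytes plus the NUL */
    return 0;
}

/* Reuse one buffer for two URLs; the final buffer content goes to out. */
static int reuse_buffer(int fixed, char *out, size_t outsz)
{
    /* Constructed device description URL (longer than the control URL). */
    const char *device_url  = "http://192.168.159.2:6544/getDeviceDesc";
    const char *control_url = "http://192.168.159.2:6544/CDS_Control";
    char buf[URL_BUF] = {0};

    if (copy_terminated(buf, sizeof buf, device_url) != 0)
        return -1;
    if (!fixed)
        copy_unterminated(buf, control_url);   /* leaves "sc" behind */
    else if (copy_terminated(buf, sizeof buf, control_url) != 0)
        return -1;
    return copy_terminated(out, outsz, buf);
}

int main(void)
{
    char out[URL_BUF];
    if (reuse_buffer(0, out, sizeof out) == 0)
        printf("flawed: %s\n", out);
    if (reuse_buffer(1, out, sizeof out) == 0)
        printf("fixed:  %s\n", out);
    return 0;
}
```

A server whose service URLs are no shorter than its device description URL overwrites the whole previous string, so the flawed copy goes unnoticed there.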
Mythtv is tricky to configure. Confirmed the patches were applied with madb rpmdiffs of the srpms. Testing mga4 64 - Using ushare to serve files to vlc (with vlc-plugin-upnp)
Ushare is a simple upnp/dlna server. Configure /etc/ushare.conf to add your interface and port (USHARE_IFACE & USHARE_PORT) and directory with some content to share (USHARE_DIR) then start the ushare service.

# service ushare start

Install vlc-plugin-upnp if it isn't already and in vlc menu show the playlist (View => Playlist). You should see the Universal Plug'n'Play options on the left hand side.

Testing complete mga4 32 & 64
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
lib64upnp6 ushare vlc-plugin-upnp

default install of lib64upnp6 & ushare & vlc-plugin-upnp

[root@localhost wilcal]# urpmi lib64upnp6
Package lib64upnp6-1.6.18-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi ushare
Package ushare-1.1a-10.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-upnp
Package vlc-plugin-upnp-2.0.10-1.mga3.tainted.x86_64 is already installed

VLC plays media files as outlined in procedure in Comment 9

install lib64upnp6 from updates_testing

[root@localhost wilcal]# urpmi lib64upnp6
Package lib64upnp6-1.6.18-1.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi ushare
Package ushare-1.1a-10.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-upnp
Package vlc-plugin-upnp-2.0.10-1.mga3.tainted.x86_64 is already installed

VLC plays media files as outlined in procedure in Comment 9

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
This update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

I'm happy if Claire's happy plus I learned how to use a new toy.

Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Bugfix advisory uploaded.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGAA-2014-0178.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED