Bug 14143 - Security and critical bug fixes for libupnp (pupnp)
Summary: Security and critical bug fixes for libupnp (pupnp)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-23 14:21 CEST by Stuart Morgan
Modified: 2014-10-07 11:23 CEST

See Also:
Source RPM: libupnp
CVE:
Status comment:



Description Stuart Morgan 2014-09-23 14:21:21 CEST
Description of problem:

libupnp (aka Portable UPnP SDK) has received some security fixes involving string handling and additionally some fixes for bugs created by a previous botched attempt to fix insecure string handling. The previous fixes actually broke UPnP clients using libupnp (most notably VideoLan's VLC).

http://sourceforge.net/p/pupnp/bugs/122/
https://sourceforge.net/p/pupnp/mailman/message/32290824/

http://sourceforge.net/p/pupnp/code/commit_browser

The commits [0398b1] [814d15] are specifically security related and should be considered for immediate inclusion in packages.

There are three other new commits, [11f05d] [ef6a6d] [bf0a3d] which fix bugs and you may also wish to include.




Reproducible: 

Steps to Reproduce:
David Walser 2014-09-23 17:52:56 CEST

Component: RPM Packages => Security
Version: 4 => Cauldron
QA Contact: (none) => security
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Oden Eriksson 2014-09-24 07:52:30 CEST
fixed with nginx-1.2.9-1.3.mga3 & nginx-1.4.7-1.1.mga4

CC: (none) => oe

Comment 2 Oden Eriksson 2014-09-24 07:52:48 CEST
Argh. Wrong bug.
Comment 3 David Walser 2014-09-24 17:26:32 CEST
CVE request:
http://openwall.com/lists/oss-security/2014/09/24/7

CC: (none) => luigiwalser

Comment 4 David Walser 2014-10-03 22:58:50 CEST
Thanks for the report!  It sounds like upstream needs to release 1.6.20...

I've added all five patches in Mageia 3, Mageia 4, and Cauldron.

There's no response to the CVE request yet.  It looks like really only [814d15] is security-relevant, and it sounds like it's protecting against buffer overflows.

Advisory:
----------------------------------------

Upstream patches have been added to libupnp to fix bugs that cause issues
with UPnP clients using libupnp, such as VLC.  The patches fix issues with
DNS look-ups, URI handling, internal string handling (including protection
against possible buffer overflows), and RFC 3986 compliance.

References:
http://sourceforge.net/p/pupnp/mailman/message/32290824/
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
libupnp6-1.6.18-1.1.mga3
libthreadutil6-1.6.18-1.1.mga3
libixml2-1.6.18-1.1.mga3
libupnp-devel-1.6.18-1.1.mga3
libupnp6-1.6.18-2.1.mga4
libthreadutil6-1.6.18-2.1.mga4
libixml2-1.6.18-2.1.mga4
libupnp-devel-1.6.18-2.1.mga4

from SRPMS:
libupnp-1.6.18-1.1.mga3.src.rpm
libupnp-1.6.18-2.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: major => normal

Rémi Verschelde 2014-10-04 19:51:50 CEST

CC: (none) => remi
Source RPM: (none) => libupnp

Comment 5 Rémi Verschelde 2014-10-05 00:31:40 CEST
Testing a lib is always a bit tricky.
Here is a list of packages that make use of libupnp6 (at least that's what I can gather on cauldron, removing openclonk and retroshare-nogui that are new in cauldron).

$ urpmq --whatrequires lib64upnp6
amule
amule-commandline
amule-webserver
lib64mediastreamer3
lib64upnp-devel
retroshare
ushare
vlc-plugin-upnp
Comment 6 David Walser 2014-10-05 00:35:33 CEST
Since the report specifically mentioned VLC and noted that UPNP functionality was noticeably broken there, if you can figure out how to test that, it sounds like a good way to go.
Comment 7 Stuart Morgan 2014-10-05 13:58:03 CEST
The breakage affected all UPnP servers with service description urls shorter than the device description url as libupnp failed to account for the two character null termination of strings when performing a strcpy. Hence you ended up with urls containing two characters of junk from the previous string held in that variable.

e.g. [0x7f62d06092f8] upnp services discovery error: UPNP_E_BAD_RESPONSE when trying the send() action with URL: http://192.168.159.2:6544/CDS_Controlsc

which should be http://192.168.159.2:6544/CDS_Control

Therefore in testing VLC you need to use a UPnP server which triggers this bug. I know MythTV was affected, but if you don't already have it set up then it's a bit much to do so for the purpose of testing these patches.
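
The failure mode described in Comment 7, as an added C illustration that is not part of the thread and is not libupnp's code: a copy that omits the terminator into a reused buffer keeps the tail of the previous, longer URL, shown beside a copy that checks the length and always terminates. The function names, buffer size and the device URL path are assumptions made for the demo; the service URL is the one quoted in Comment 7.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF 64
/* Constructed sample URLs: the service URL is the one quoted in Comment 7,
 * the longer device URL path is an assumption made for this demo. */
#define DEVICE_URL  "http://192.168.159.2:6544/getDeviceDesc"
#define SERVICE_URL "http://192.168.159.2:6544/CDS_Control"

/* Flawed pattern: copies only strlen(src) bytes, never writes the '\0'. */
static void copy_unterminated(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        n = dstsz - 1;
    memcpy(dst, src, n);
}

/* Hardened pattern: refuse input that does not fit, always terminate. */
static int copy_terminated(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Store the device URL, then the shorter service URL, in one reused buffer. */
static const char *reuse_buffer(int hardened)
{
    static char buf[URL_BUF];
    memset(buf, 0, sizeof buf);
    if (hardened) {
        if (copy_terminated(buf, sizeof buf, DEVICE_URL) != 0 ||
            copy_terminated(buf, sizeof buf, SERVICE_URL) != 0)
            return NULL;
    } else {
        copy_unterminated(buf, sizeof buf, DEVICE_URL);
        copy_unterminated(buf, sizeof buf, SERVICE_URL);
    }
    return buf;
}

int main(void)
{
    printf("flawed:   %s\n", reuse_buffer(0));
    printf("hardened: %s\n", reuse_buffer(1));
    return 0;
}
```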
Comment 8 claire robinson 2014-10-06 10:11:46 CEST
Mythtv is tricky to configure. Confirmed the patches were applied with madb rpmdiffs of the srpms.

Testing mga4 64 - Using ushare to serve files to vlc (with vlc-plugin-upnp)
Comment 9 claire robinson 2014-10-06 12:49:46 CEST
Ushare is a simple upnp/dlna server. Configure /etc/ushare.conf to add your interface and port (USHARE_IFACE & USHARE_PORT) and directory with some content to share (USHARE_DIR) then start the ushare service.

# service ushare start

Install vlc-plugin-upnp if it isn't already and in vlc menu show the playlist (View => Playlist). You should see the Universal Plug'n'Play options on the left hand side.


Testing complete mga4 32 & 64

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 10 claire robinson 2014-10-06 14:02:35 CEST
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok

Comment 11 William Kenney 2014-10-06 17:06:00 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
lib64upnp6 ushare vlc-plugin-upnp

default install of lib64upnp6 & ushare & vlc-plugin-upnp

[root@localhost wilcal]# urpmi lib64upnp6
Package lib64upnp6-1.6.18-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi ushare
Package ushare-1.1a-10.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-upnp
Package vlc-plugin-upnp-2.0.10-1.mga3.tainted.x86_64 is already installed

VLC plays media files as outlined in procedure in Comment 9

install lib64upnp6 from updates_testing

[root@localhost wilcal]# urpmi lib64upnp6
Package lib64upnp6-1.6.18-1.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi ushare
Package ushare-1.1a-10.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-upnp
Package vlc-plugin-upnp-2.0.10-1.mga3.tainted.x86_64 is already installed

VLC plays media files as outlined in procedure in Comment 9

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

William Kenney 2014-10-06 17:07:10 CEST

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 12 William Kenney 2014-10-06 17:09:24 CEST
This update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
I'm happy if Claire's happy plus I learned how to use a new toy.
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 claire robinson 2014-10-06 19:13:37 CEST
Bugfix advisory uploaded.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 14 Mageia Robot 2014-10-07 11:23:25 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2014-0178.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

