Bug 16985 - miniupnpc new security issue CVE-2015-6031
Summary: miniupnpc new security issue CVE-2015-6031
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/661346/
Whiteboard: advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-10-19 18:31 CEST by David Walser
Modified: 2015-10-30 21:12 CET

See Also:
Source RPM: miniupnpc-1.9.20141128-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-10-19 18:31:23 CEST
An advisory has been issued on September 15:
http://talosintel.com/reports/TALOS-2015-0035/

The issue was fixed upstream in 1.9.20151008 and in this commit:
https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78

Cauldron was already updated to the new version.

Patched package uploaded for Mageia 5.

This library is used by megaglest and 0ad, which you can use for testing.

Advisory:
========================

Updated miniupnpc packages fix security vulnerability:

An exploitable buffer overflow vulnerability exists in the XML parser
functionality of the MiniUPnP library. A specially crafted XML response can
lead to a buffer overflow on the stack resulting in remote code execution. An
attacker can set up a server on the local network to trigger this
vulnerability (CVE-2015-6031).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6031
http://talosintel.com/reports/TALOS-2015-0035/
========================

Updated packages in core/updates_testing:
========================
miniupnpc-1.9.20141128-1.1.mga5
libminiupnpc12-1.9.20141128-1.1.mga5
libminiupnpc-devel-1.9.20141128-1.1.mga5

from miniupnpc-1.9.20141128-1.1.mga5.src.rpm

Dave Hodgins 2015-10-25 23:29:27 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 William Kenney 2015-10-27 18:40:54 CET
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
miniupnpc libminiupnpc12 megaglest

default install of miniupnpc libminiupnpc12 & megaglest

[root@localhost wilcal]# urpmi miniupnpc
Package miniupnpc-1.9.20141128-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libminiupnpc12
Package libminiupnpc12-1.9.20141128-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi megaglest
Package megaglest-3.11.1-1.1.mga5.i586 is already installed

megaglest crashes on launch. Just like it did in 13374. libGL error.
Installed cleanly.

install miniupnpc & libminiupnpc12 from updates_testing

[root@localhost wilcal]# urpmi miniupnpc
Package miniupnpc-1.9.20141128-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libminiupnpc12
Package libminiupnpc12-1.9.20141128-1.1.mga5.i586 is already installed

Installs cleanly

CC: (none) => wilcal.int

Comment 2 William Kenney 2015-10-27 18:41:13 CET
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
miniupnpc lib64miniupnpc12 megaglest

default install of miniupnpc libminiupnpc12 & megaglest

[root@localhost wilcal]# urpmi miniupnpc
Package miniupnpc-1.9.20141128-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64miniupnpc12
Package lib64miniupnpc12-1.9.20141128-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi megaglest
Package megaglest-3.11.1-1.1.mga5.x86_64 is already installed

megaglest crashes on launch. Just like it did in 13374. libGL error.
Installed cleanly.

install miniupnpc & lib64miniupnpc12 from updates_testing

[root@localhost wilcal]# urpmi miniupnpc
Package miniupnpc-1.9.20141128-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64miniupnpc12
Package lib64miniupnpc12-1.9.20141128-1.1.mga5.x86_64 is already installed

Installs cleanly
Comment 3 William Kenney 2015-10-27 18:41:58 CET
Move it along just like we did last time?
Comment 4 claire robinson 2015-10-27 18:47:54 CET
$ urpmq --whatrequires lib64miniupnpc12
0ad
bitcoin-qt
bitcoind
dogecoin-qt
dogecoind
dolphin-emu
dolphin-emu
lib64eiskaltdcpp2.2
lib64miniupnpc-devel
lib64miniupnpc12
megaglest
megaglest
miniupnpc

Could try with 0ad, bitcoin or dogecoin. dolphin-emu is probably too involved to configure to use it but you could test with strace to see if the lib is loaded ok.
Comment 5 William Kenney 2015-10-28 17:09:28 CET
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
miniupnpc libminiupnpc12 0ad dolphin-emu bitcoin-qt

install miniupnpc & libminiupnpc12 from updates_testing

[root@localhost wilcal]# urpmi miniupnpc
Package miniupnpc-1.9.20141128-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libminiupnpc12
Package libminiupnpc12-1.9.20141128-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi 0ad
Package 0ad-0.0.18-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi dolphin-emu
Package dolphin-emu-4.0.2-8.5406.2.1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi bitcoin-qt
Package bitcoin-qt-0.9.3-1.mga5.i586 is already installed

0ad opened to a frozen full black screen.
Only way out was: ctrl-alt-backspace
dolphin-emu opened an error window:
The desktop entry file file:///home/wilcal/Desktop/dolphin-emu.desktop
has no Type=...entry.
bitcoin-qt seemed to operate properly. I donno if this is enough to
push this on? Or not?
Comment 6 William Kenney 2015-10-28 17:09:42 CET
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
miniupnpc lib64miniupnpc12 0ad dolphin-emu bitcoin-qt

install miniupnpc & lib64miniupnpc12 from updates_testing

[root@localhost wilcal]# urpmi miniupnpc
Package miniupnpc-1.9.20141128-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64miniupnpc12
Package lib64miniupnpc12-1.9.20141128-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi 0ad
Package 0ad-0.0.18-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi dolphin-emu
Package dolphin-emu-4.0.2-8.5406.2.1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi bitcoin-qt
Package bitcoin-qt-0.9.3-1.mga5.x86_64 is already installed

0ad opened to a frozen full pixeled screen mess.
Only way out was: ctrl-alt-backspace
dolphin-emu opened but "Dolphin could not find any GameCube/Wii ISOs or WADs"
bitcoin-qt seemed to operate properly. I donno if this is enough to
push this on? Or not?

Is there a maintainer for these games?
Comment 7 David Walser 2015-10-28 18:03:35 CET
Maybe Rémi knows more about those games.

CC: (none) => rverschelde

Comment 8 Rémi Verschelde 2015-10-28 18:32:47 CET
Note that bitcoin-qt is not a game :)

For 0ad I wouldn't expect it to be able to start in a VM unless you changed it since last time you had issues starting an OpenGL application in Vbox.

For dolphin-emu, as it's an emulator, you indeed need GameCube or Wii ISOs to be able to run a game.

Megaglest could also be used to test the update candidate, but it also requires OpenGL.
Comment 9 Rémi Verschelde 2015-10-28 18:36:51 CET
I'll do some tests on real hw 64bit.
Comment 10 Rémi Verschelde 2015-10-28 19:16:31 CET
Testing on Mageia 5 x86_64.

Tested megaglest and 0ad, they work fine, including the multiplayer lobby (which is the part most likely to be impacted by an update to miniupnpc). dolphin-emu works fine too, but I did not try its networking features.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 11 Rémi Verschelde 2015-10-28 19:17:09 CET
Validating, please push to 5 core/updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2015-10-30 21:12:04 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0416.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
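
Added example (not part of the bug report or of Mageia's tooling): a check that reads urpmi "already installed" lines like those in the QA comments above and reports whether each miniupnpc binary package on a Mageia 5 host is at or above the fixed build 1.9.20141128-1.1.mga5 named in the advisory. The version comparison is a simplified stand-in for RPM's own ordering (no epoch or tilde handling), and the function names are assumptions of this example.

```python
import re
from itertools import zip_longest

# Fixed Mageia 5 build (version, release) as stated in this bug's advisory.
FIXED = ("1.9.20141128", "1.1.mga5")
# Binary package names that appear in this bug for the miniupnpc source RPM.
AFFECTED = {"miniupnpc", "libminiupnpc12", "lib64miniupnpc12",
            "libminiupnpc-devel", "lib64miniupnpc-devel"}
LINE_RE = re.compile(r"^Package (?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)"
                     r"\.(?P<arch>[^.\s]+) is already installed$")

def _segments(s):
    # Runs of digits or letters; separators such as '.' are dropped.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def vercmp(a, b):
    """Simplified RPM-style ordering: returns -1, 0 or 1."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1                      # a ran out of segments first: older
        if y is None:
            return 1
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1   # numeric beats alphabetic
        if x != y:
            return -1 if x < y else 1
    return 0

def audit(transcript):
    """Return [(name, 'version-release', status)] for affected packages only."""
    results = []
    for line in transcript.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["name"] not in AFFECTED:
            continue                       # prompts and unrelated packages
        c = vercmp(m["ver"], FIXED[0]) or vercmp(m["rel"], FIXED[1])
        status = "fixed" if c >= 0 else "VULNERABLE"
        results.append((m["name"], f'{m["ver"]}-{m["rel"]}', status))
    return results

# Sample input: lines copied from the QA transcripts in this bug.
SAMPLE = """\
[root@localhost wilcal]# urpmi miniupnpc
Package miniupnpc-1.9.20141128-1.mga5.i586 is already installed
Package megaglest-3.11.1-1.1.mga5.i586 is already installed
Package lib64miniupnpc12-1.9.20141128-1.1.mga5.x86_64 is already installed
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

The threshold applies to Mageia 5 packages only; Cauldron carries the newer upstream version mentioned in the description.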

