Bug 20851 - miniupnpc new security issue CVE-2017-8798
Summary: miniupnpc new security issue CVE-2017-8798
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-13 21:22 CEST by David Walser
Modified: 2017-07-09 19:58 CEST (History)
3 users

See Also:
Source RPM: miniupnpc-1.9.20151008-3.mga6.src.rpm
CVE: CVE-2017-8798
Status comment:


Attachments
A possible PoC for this issue (12.47 KB, text/plain)
2017-07-09 19:58 CEST, Len Lawrence

Description David Walser 2017-05-13 21:22:31 CEST
A security issue fixed upstream in miniupnpc has been announced:
http://openwall.com/lists/oss-security/2017/05/11/2

The upstream commit to fix the issue is linked at the end of the message above (see [6]).

Mageia 5 is also affected.
Comment 1 Marja van Waes 2017-05-13 21:40:20 CEST
(In reply to David Walser from comment #0)
> A security issue fixed upstream in miniupnpc has been announced:
> http://openwall.com/lists/oss-security/2017/05/11/2
> 
> The upstream commit to fix the issue is linked at the end of the message
> above (see [6]).
> 
> Mageia 5 is also affected.

Also, this should be filed against cauldron & MGA5TOO instead of 5 & MGA5TOO  ;-)

Assigning to all packagers collectively, since there is no registered maintainer for this package.
Comment 2 Nicolas Lécureuil 2017-05-15 01:18:24 CEST
Fixed in cauldron
Comment 3 David Walser 2017-05-25 01:59:18 CEST
Ubuntu has issued advisories for this today (May 24):
https://www.ubuntu.com/usn/usn-3298-1/
https://www.ubuntu.com/usn/usn-3298-2/
Comment 4 David Walser 2017-06-01 12:19:36 CEST
openSUSE has issued an advisory for this on May 31:
https://lists.opensuse.org/opensuse-updates/2017-05/msg00110.html
Comment 5 David Walser 2017-07-09 01:17:50 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated miniupnpc packages fix security vulnerabilities:

It was discovered that MiniUPnP incorrectly handled memory. A remote attacker
could use this issue to cause a denial of service or possibly execute arbitrary
code with privileges of the user running an application that uses the MiniUPnP
library (CVE-2017-8798).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8798
https://www.ubuntu.com/usn/usn-3298-1/
========================

Updated packages in core/updates_testing:
========================
miniupnpc-1.9.20141128-1.2.mga5
libminiupnpc12-1.9.20141128-1.2.mga5
libminiupnpc-devel-1.9.20141128-1.2.mga5

from miniupnpc-1.9.20141128-1.2.mga5.src.rpm
Comment 6 Len Lawrence 2017-07-09 19:56:16 CEST
Had a look but it is not for me.

x86_64  Mate

$ urpmq --whatrequires lib64miniupnpc12 | sort |uniq
0ad
bitcoind
bitcoin-qt
dogecoind
dogecoin-qt
dolphin-emu
lib64eiskaltdcpp2.2
lib64miniupnpc12
lib64miniupnpc-devel
megaglest
miniupnpc

Could not make anything of that except possibly 0ad, which is a multi-player network game. Installed that and started it under another user with the intention of playing it across the LAN, but without knowing anything about games culture there was little chance of understanding how to set it up properly, let alone play it. Presumably it would need a server daemon of some kind attached to some port and then a couple of months' attention to the manual. The local router has upnp enabled.

$ urpmq --requires 0ad | sort | uniq | grep mini

0ad: libminiupnpc.so.12()(64bit)

There is a PoC (attached) which is just as opaque; there is no indication how to run it to show the vulnerability (CVE-2017-8798).
The following command generated a continuous stream of network monitoring data:
$ ./poc.py --listen <ip of user machine>:65000 --havoc

This is all very negative but might be of some assistance to whomsoever attempts this one.  megaglest is another game - maybe somebody knows it?
Comment 7 Len Lawrence 2017-07-09 19:58:27 CEST
Created attachment 9478 [details]
A possible PoC for this issue

Cannot comment on this.
