Bug 22560 - miniupnpc new security issue CVE-2017-1000494
Summary: miniupnpc new security issue CVE-2017-1000494
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-10 21:21 CET by David Walser
Modified: 2018-05-19 22:57 CEST

See Also:
Source RPM: miniupnpc-2.0.20170509-1.mga6.src.rpm
CVE:
Status comment: Upstream patches are available



Description David Walser 2018-02-10 21:21:56 CET
Ubuntu has issued an advisory on February 7:
https://usn.ubuntu.com/usn/usn-3562-1/

Despite the description saying only < 2.0 is affected, our 2.0 snapshot from last year was too old to include the fix (which was committed in December):
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000494.html

Note that the page above also references two other non-CVE security fixes in addition to the CVE fix.

Mageia 6 is also affected.

Comment 1 David Walser 2018-02-10 21:23:32 CET
Mageia 5 is also affected (but we don't need to push a fix there).

Whiteboard: (none) => MGA6TOO

David Walser 2018-02-10 22:11:13 CET

Status comment: (none) => Upstream patches are available

David Walser 2018-02-10 23:11:34 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=22455

Comment 2 Mike Rambo 2018-05-11 21:57:08 CEST
Cauldron has been recently updated to a version which is not vulnerable. Two of the patches are already applied and 9fcc0a72f09e6e1aa46ddcc997d3dcae87d4b416 does not apply. That patch also did not apply to mga6. I did not do anything with mga#22455 as I do not know if the suggested changes are valid. Leaving that for the maintainer. This update fixes the security issue.

Updated package uploaded for Mageia 6.

Advisory:
========================

Updated miniupnpc package fixes security vulnerability:

It was discovered that miniupnpc contained a heap buffer overflow in
parseelt (minixml.c - no CVE assigned).

It was discovered that miniupnpc also contained a memory corruption
(invalid read, SIGSEGV) in NameValueParserEndElt (upnpreplyparse.c)
while handling two consecutive malformed SOAP requests (CVE-2017-1000494).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000494
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000494.html
https://github.com/miniupnp/miniupnp/issues/268
========================

Updated packages in core/updates_testing:
========================
lib64miniupnpc16-2.0.20170509-1.1.mga6
lib64miniupnpc-devel-2.0.20170509-1.1.mga6
miniupnpc-2.0.20170509-1.1.mga6

from miniupnpc-2.0.20170509-1.1.mga6.src.rpm


Testing procedure https://bugs.mageia.org/show_bug.cgi?id=20851#c8

Version: Cauldron => 6
Assignee: mageia => qa-bugs
Keywords: (none) => has_procedure
CC: (none) => mrambo
Whiteboard: MGA6TOO => (none)

Comment 3 Len Lawrence 2018-05-12 21:44:03 CEST
Mageia 6, x86_64
Had a look at this, encouraged by the report from PC LX of previous testing.
Searched for PoCs and found tests at https://github.com/miniupnp/miniupnp/issues/268 which involved a daemon by the looks of it, called miniupnpd. The tests included a couple of message blocks to be sent via a specified port to another IP address, piping through xxd and netcat. I could not find xxd or miniupnpd so gave up on that.

$ upnpc -l
upnpc : miniupnpc library test client, version 2.0.
 (c) 2005-2016 Thomas Bernard.
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
No IGD UPnP Device found on the network !

That looks like a full stop to me so I shall have to hand this over to PC LX.

CC: (none) => tarazed25

Comment 4 Herman Viaene 2018-05-14 16:26:36 CEST
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues
Got no further than Len. I guessed that the IP address in the testcase of bug 20851 would be the address of the router ??? But of course port 2555 or 2222 is blocked and I'm not very eager to open up ports for testing.

CC: (none) => herman.viaene

Comment 5 Lewis Smith 2018-05-17 20:57:44 CEST
Quick preparatory word.
 https://bugs.mageia.org/show_bug.cgi?id=13374#c11
describes possible use of megaglest game to use miniupnpc.
 https://bugs.mageia.org/show_bug.cgi?id=20851#c8
describes PC_LX's expert real test - if you can!

Comment 6 claire robinson 2018-05-18 15:59:11 CEST
Testing complete mga6 64

Temporarily enabled uPnP on the router (forwarding settings) for testing..

$ upnpc -l
upnpc : miniupnpc library test client, version 2.0.
 (c) 2005-2016 Thomas Bernard.
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.10.1:1900/igd.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.10.1:1900/ipc
Local LAN ip address : 192.168.10.66
Connection Type : IP_Routed
Status : Connected, uptime=35s, LastConnectionError : ERROR_NONE
  Time started : Fri May 18 14:54:32 2018
...etc


Validating.

Whiteboard: (none) => mga6-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Lewis Smith 2018-05-19 08:28:05 CEST
Thank you Claire for your expert intervention.

Keywords: (none) => advisory

Comment 8 Mageia Robot 2018-05-19 22:57:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0250.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

