oss-sec mailing list archives
CVE Request: MiniUPnPd: several issues
From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 9 Dec 2014 21:32:59 +0100
Hi

Quoting from the Bug in the Debian bugtracker at https://bugs.debian.org/772644
several issues were found in MiniUPnP:

On Tue, Dec 09, 2014 at 10:20:32PM +0800, Thomas Goirand wrote:
> Stephen Röttger from Google did a security audit of MiniUPnPd, and found a few issues, all now fixed upstream. Extract from private messages which were forwarded to me (but which is fine to disclose since there's already some public commits).
>
> MiniUPnP is vulnerable to DNS rebinding attacks which allow an attacker to trigger upnp actions through a malicious website. Wikipedia describes the attack quite well: http://en.wikipedia.org/wiki/DNS_rebinding. To mitigate this attack, MiniUPnP should check if the request's host header either contains an IP address or the hostname of the device. Besides that, I found a few memory corruption vulnerabilities in the code.
>
> Fixes:
> https://github.com/miniupnp/miniupnp/commit/d00b75782e7d73e78d0b935cee6f4873bc48c9e8
> https://github.com/miniupnp/miniupnp/commit/7c91c4e933e96b913b72685d093126d282b87db6
>
> Some memory corruption fix:
> https://github.com/miniupnp/miniupnp/commit/e6bc04aa06341fa4df3ccae87a167e9adf816911
>
> A buffer overrun in ParseHttpHeaders() fix:
> https://github.com/miniupnp/miniupnp/commit/dd39ecaa935a9c23176416b38a3b80d577f21048
>
> Added check if BuildHeader_upnphttp() failed to allocate memory:
> https://github.com/miniupnp/miniupnp/commit/ec94c5663fe80dd6ceea895c73e2be66b1ef6bf4

Can CVEs be assigned for these issues?

Regards,
Salvatore