Re: CVE Request: MiniUPnPd: several issues

[Salvatore Bonaccorso <carnil () debian org>]

On Tue, Dec 09, 2014 at 09:32:59PM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> Quoting from the Bug in the Debian bugtracker at
> https://bugs.debian.org/772644 several issues were found in in
> MiniUPnP:
>
> On Tue, Dec 09, 2014 at 10:20:32PM +0800, Thomas Goirand wrote:
> > Stephen Röttger from Google did a security audit of MiniUPnPd, and found a few
> > issues, all now fixed upstream.
> >
> > Extract from private messages who were forwarded to me (but which is fine to
> > disclose since there's already some public commits.
> >
> > > MiniUPnP is vulnerable to DNS rebinding attacks which allows an attacker to
> > > trigger upnp actions through a malicious website. Wikipedia describes the
> > > attack quite well: http://en.wikipedia.org/wiki/DNS_rebinding.
> > > To mitigate this attack, MiniUPnP should check if the request's host header
> > > either contains an IP address or the hostname of the device.
> > >
> > > Besides that, I found a few memory corruption vulnerabilities in the code.
> >
> > Fixes:
> >
> > https://github.com/miniupnp/miniupnp/commit/d00b75782e7d73e78d0b935cee6f4873bc48c9e8
> > https://github.com/miniupnp/miniupnp/commit/7c91c4e933e96b913b72685d093126d282b87db6
> >
> > Some memory corruption fix:
> >
> > https://github.com/miniupnp/miniupnp/commit/e6bc04aa06341fa4df3ccae87a167e9adf816911
> >
> > A buffer overrun in ParseHttpHeaders() fix:
> >
> > https://github.com/miniupnp/miniupnp/commit/dd39ecaa935a9c23176416b38a3b80d577f21048
> >
> > Added check if BuildHeader_upnphttp() failed to allocate memory:
> >
> > https://github.com/miniupnp/miniupnp/commit/ec94c5663fe80dd6ceea895c73e2be66b1ef6bf4
>
> Can CVEs be assigned for these issues?

Adding MITRE explicitly as CC, as I forgot in my first mail for the
CVE request.

Regards,
Salvatore