oss-sec mailing list archives
Re: CVE Request: The minissdpd (v 1.2.20130907-3) is affected by an improper validation of array index weakness
From: Salva Peiró <speirofr () gmail com>
Date: Tue, 15 Mar 2016 12:09:42 +0100
Is there a CVE for this? If not, could one be assigned, please?

The affected version is minissdpd version: 1.2.20130907-3

The bug is reported at https://bugs.debian.org/816759

The fixes are applied upstream at

https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47#diff-00d21a1eaced371eee67e083a3ff866c

DECODELENGTH_CHECKLIMIT(l, p, buf + n); - if(p+l > buf+n) { + if(l > (unsigned)(buf+n-p)) { syslog(LOG_WARNING, "bad request (length encoding l=%u n=%u)", l, (unsigned)n); goto error;

https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a#diff-00d21a1eaced371eee67e083a3ff866c

+ memset(newserv, 0, sizeof(struct service)); /* set pointers to NULL */ if(containsForbiddenChars(p, l)) { syslog(LOG_ERR, "bad request (st contains forbidden chars)"); goto error;

Regards,
Salva Peiró

--
Salva Peiró @ https://speirofr.appspot.com
CS Researcher & Software Engineer
Universitat Politècnica de València, Spain.

On Mon, Mar 7, 2016 at 1:04 PM, Salva Peiró <speirofr () gmail com> wrote:
> Hi everyone,
>
> A vulnerability in the minissdpd daemon has been found that affects
> minissdpd version 1.2.20130907-3 available in Debian and Ubuntu.
> The vulnerability can be exploited by a local unprivileged user with write
> access to /var/run/minissdpd.sock to crash the minissdpd daemon that runs
> with superuser privileges.
>
> More details at:
> https://speirofr.appspot.com/files/advisory/SPADV-2016-02.md
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=minissdpd;dist=unstable.
>
> Is there a CVE for this? If not, could one be assigned, please?
>
> Regards,
> Salva Peiró
>
> --
> Salva Peiró @ https://speirofr.appspot.com
> CS Researcher & Software Engineer
> Universitat Politècnica de València, Spain.
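Review bot: In the first fix (commit b238cade), the new test `if(l > (unsigned)(buf+n-p))` is only sound when `p <= buf+n` at that point: if `p` is already past `buf+n`, the difference is negative and the cast to `unsigned` turns it into a very large value, so an oversized `l` is accepted. The visible lines do not state that `DECODELENGTH_CHECKLIMIT(l, p, buf + n)` leaves `p` inside the buffer on the path that reaches this comparison; either say so in a comment next to the check or test `p > buf+n` explicitly before subtracting. Comparing `l` against the remaining byte count is the right form, since the old `p+l > buf+n` computes a pointer beyond the buffer and can wrap for large `l`.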
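Review bot: In the second fix (commit 140ee8d2), `memset(newserv, 0, sizeof(struct service))` hard-codes the type; `sizeof(*newserv)` keeps the size tied to the pointer if its declaration ever changes. The comment says the purpose is to have NULL pointers before the `goto error` paths that follow, so the allocation of `newserv` (not shown in these lines) needs its result checked before this call, or the allocate-then-memset pair can be replaced by a single `calloc`.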