Re: CVE Request: The minissdpd (v 1.2.20130907-3) is affected by an improper validation of array index weakness

[Salva Peiró <speirofr () gmail com>]

Is there a CVE for this? If not, could one be assigned, please?

The affected version is
minissdpd version: 1.2.20130907-3

The bug is reported at
https://bugs.debian.org/816759

The fixes are applied upstream at
https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47#diff-00d21a1eaced371eee67e083a3ff866c

  DECODELENGTH_CHECKLIMIT(l, p, buf + n);
- if(p+l > buf+n) {
+ if(l > (unsigned)(buf+n-p)) {
  syslog(LOG_WARNING, "bad request (length encoding l=%u n=%u)",
         l, (unsigned)n);
  goto error;

https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a#diff-00d21a1eaced371eee67e083a3ff866c


+ memset(newserv, 0, sizeof(struct service)); /* set pointers to NULL */
  if(containsForbiddenChars(p, l)) {
  syslog(LOG_ERR, "bad request (st contains forbidden chars)");
  goto error;

Regards,
Salva Peiró
--
Salva Peiró @ https://speirofr.appspot.com
CS Researcher & Software Engineer
Universitat Politècnica de València, Spain.

On Mon, Mar 7, 2016 at 1:04 PM, Salva Peiró <speirofr () gmail com> wrote:

> Hi everyone,
>
> A vulnerability in the minissdpd daemon has been found that affects
> minissdpd version 1.2.20130907-3 available in Debian and Ubuntu.
> The vulnerability can be exploited by a local unprivileged user
> with write access to /var/run/minissdpd.sock to crash the minissdpd
> daemon that runs with superuser privileges.
>
> More details at:
> https://speirofr.appspot.com/files/advisory/SPADV-2016-02.md
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=minissdpd;dist=unstable.
>
> Is there a CVE for this? If not, could one be assigned, please?
>
> Regards,
> Salva Peiró
>
> --
> Salva Peiró @ https://speirofr.appspot.com
> CS Researcher & Software Engineer
> Universitat Politècnica de València, Spain.