--- miniupnpc-1.6.orig/debian/changelog +++ miniupnpc-1.6/debian/changelog @@ -0,0 +1,112 @@ +miniupnpc (1.6-3ubuntu2.14.04.4) trusty-security; urgency=medium + + * SECURITY UPDATE: multiple overflows + - upnpreplyparse.c: properly initialize data structure for SOAP + parsing. + - minixml.c: fix heap buffer overflow. + - CVE-2017-1000494 + + -- Marc Deslauriers Wed, 31 Jan 2018 13:49:17 -0500 + +miniupnpc (1.6-3ubuntu2.14.04.3) trusty-security; urgency=medium + + * SECURITY UPDATE: integer signedness error + - miniwget.c: fix comparisons. + - https://github.com/miniupnp/miniupnp/commit/f0f1f4b22d6a98536377a1bb07e7c20e4703d229 + - CVE-2017-8798 + * SECURITY UPDATE: buffer overflow in simpleUPnPcommand2 + - miniupnpc.c: perform better checking while writing buffer. + - https://github.com/miniupnp/miniupnp/commit/fb02299fffd62fe8584f26aa69547266488e002e + - No CVE number + + -- Marc Deslauriers Fri, 19 May 2017 11:38:20 -0400 + +miniupnpc (1.6-3ubuntu2.14.04.2) trusty-security; urgency=medium + + * SECURITY UPDATE: buffer overflow in XML parser (LP: #1506017) + - igd_desc_parse.c: fix buffer overflow in + - https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78 + - CVE-2015-6031 + + -- Steve Beattie Thu, 15 Oct 2015 17:41:05 -0700 + +miniupnpc (1.6-3ubuntu2.14.04.1) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service via buffer overflow + - miniwget.c: properly check length + - https://github.com/miniupnp/miniupnp/commit/3a87aa2f10bd7f1408e1849bdb59c41dd63a9fe9 + - CVE-2014-3985 + + -- Marc Deslauriers Thu, 26 Jun 2014 16:24:09 -0400 + +miniupnpc (1.6-3ubuntu2) quantal; urgency=low + + * Rebuild for new armel compiler default of ARMv5t. + + -- Colin Watson Fri, 05 Oct 2012 13:56:24 +0100 + +miniupnpc (1.6-3ubuntu1) precise; urgency=low + + * Resynchronized on Debian using their git version, remaining difference: + * control: suggests minissdpd rather than recommends, it's in universe + + -- Sebastien Bacher Tue, 06 Dec 2011 15:39:46 +0100 + +miniupnpc (1.6-3) experimental; urgency=low + + [Laurent Bigonville ] + * debian/libminiupnpc8.symbols: Add symbols file (Closes: #635531) + * Drop debian/libminiupnpc8.shlibs, let dh_makeshlibs generate it. + * debian/rules: + - Call dh_makeshlibs with "-V -- -c4" parameters + - Call dh_fixperms during build (Closes: #650202) + + -- Thomas Goirand Mon, 28 Nov 2011 13:26:38 +0800 + +miniupnpc (1.6-2) experimental; urgency=low + + * Moved libminiupnpc.a in the -dev package as it should. + * Added Replaces: libminiupnpc5, libminiupnpc8 (<= 1.6-1) because of above. + + -- Thomas Goirand Fri, 11 Nov 2011 16:48:35 +0800 + +miniupnpc (1.6-1) experimental; urgency=low + + [Thomas Goirand ] + * New upstream version (Closes: #647679). + * Rewrapped debian/copyrigh. + * Uploading to experimental since there's an soname transition. + [Leo 'costela' Antunes ] + * Fixes watch file. + * Update soname and binary lib package name. + * Adds debian/rules build-arch and build-indep targets. + * remove unneeded libminiupnpc.substvars. + * policy bump to 3.9.2 (no changes). + * fix debian/copyright syntax (empty lines). + + -- Thomas Goirand Fri, 11 Nov 2011 16:21:41 +0800 + +miniupnpc (1.5-3) unstable; urgency=low + + * debian/copyright is now in correct DEP5 format. + + -- Thomas Goirand Thu, 04 Aug 2011 18:52:03 +0800 + +miniupnpc (1.5-2) unstable; urgency=low + + * libminiupnpc-dev now depends on libminiupnpc5 (Closes: #617774). + + -- Thomas Goirand Fri, 11 Mar 2011 18:59:58 +0800 + +miniupnpc (1.5-1) unstable; urgency=low + + * New upstream version. + * Moving from experimental to unstable (Closes: #616632). + + -- Thomas Goirand Thu, 10 Mar 2011 00:22:40 +0800 + +miniupnpc (1.4.20101221-1) experimental; urgency=low + + * Initial release. (Closes: #444392) + + -- Thomas Goirand Wed, 29 Dec 2010 16:49:20 +0800 --- miniupnpc-1.6.orig/debian/compat +++ miniupnpc-1.6/debian/compat @@ -0,0 +1 @@ +7 --- miniupnpc-1.6.orig/debian/control +++ miniupnpc-1.6/debian/control @@ -0,0 +1,69 @@ +Source: miniupnpc +Section: net +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Thomas Goirand +Build-Depends: debhelper (>= 7), python +Standards-Version: 3.9.2 +Vcs-Browser: http://git.debian.org/?p=users/zigo/miniupnpc.git +Vcs-Git: http://git.debian.org/git/users/zigo/miniupnpc.git +Homepage: http://miniupnp.free.fr/ + +Package: miniupnpc +Architecture: any +Depends: ${misc:Depends}, ${shlibs:Depends} +Suggests: minissdpd +Description: UPnP IGD client lightweight library client + The UPnP protocol is supported by most home adsl/cable routers and Microsoft + Windows 2K/XP. The aim of the MiniUPnP project is to bring a free software + solution to support the "Internet Gateway Device" part of the protocol. The + MediaServer/MediaRenderer UPnP protocol is also becoming very popular. + . + Miniupnpc aims at the simplest library possible, with the smallest footprint + and no dependencies to other libraries such as XML parsers or HTTP + implementations. All the code is pure ANSI C. Compiled on a x86 PC, the + miniupnp client library have less than 15KB code size. For instance, the upnpc + sample program is around 20KB. The miniupnp daemon is much smaller than any + other IGD daemon and is ideal for using on low memory device for this reason. + . + This package is an example client for the library. + +Package: libminiupnpc8 +Architecture: any +Depends: ${misc:Depends}, ${shlibs:Depends} +Suggests: minissdpd +Description: UPnP IGD client lightweight library + The UPnP protocol is supported by most home adsl/cable routers and Microsoft + Windows 2K/XP. The aim of the MiniUPnP project is to bring a free software + solution to support the "Internet Gateway Device" part of the protocol. The + MediaServer/MediaRenderer UPnP protocol is also becoming very popular. + . + Miniupnpc aims at the simplest library possible, with the smallest footprint + and no dependencies to other libraries such as XML parsers or HTTP + implementations. All the code is pure ANSI C. Compiled on a x86 PC, the + miniupnp client library have less than 15KB code size. For instance, the upnpc + sample program is around 20KB. The miniupnp daemon is much smaller than any + other IGD daemon and is ideal for using on low memory device for this reason. + . + This package contains the shared library. + +Package: libminiupnpc-dev +Architecture: any +Section: libdevel +Depends: ${misc:Depends}, ${shlibs:Depends}, libminiupnpc8 (= ${binary:Version}) +Suggests: minissdpd +Replaces: libminiupnpc5, libminiupnpc8 (<= 1.6-1) +Description: UPnP IGD client lightweight library development files + The UPnP protocol is supported by most home adsl/cable routers and Microsoft + Windows 2K/XP. The aim of the MiniUPnP project is to bring a free software + solution to support the "Internet Gateway Device" part of the protocol. The + MediaServer/MediaRenderer UPnP protocol is also becoming very popular. + . + Miniupnpc aims at the simplest library possible, with the smallest footprint + and no dependencies to other libraries such as XML parsers or HTTP + implementations. All the code is pure ANSI C. Compiled on a x86 PC, the + miniupnp client library have less than 15KB code size. For instance, the upnpc + sample program is around 20KB. The miniupnp daemon is much smaller than any + other IGD daemon and is ideal for using on low memory device for this reason. + . + This package contains development files needed to build using libminiupnpc --- miniupnpc-1.6.orig/debian/copyright +++ miniupnpc-1.6/debian/copyright @@ -0,0 +1,40 @@ +Format: http://svn.debian.org/wsvn/dep/web/deps/dep5.mdwn?op=file&rev=173 +Upstream-Name: miniupnpc +Upstream-Contact: Thomas Bernard +Source: http://miniupnp.free.fr/files/ + +Files: debian/* +Copyright: (c) 2007-2010, Thomas Goirand +License: 3 clauses BSD + +Files: bsdqueue.h +Copyright: (c) 1991, 1993 The Regents of the University of California. +License: 3 clauses BSD + +Files: * +Copyright: (c) 2005-2010, Thomas Bernard +License: 3 clauses BSD + +License: 3 clauses BSD + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + . + * Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + * The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. --- miniupnpc-1.6.orig/debian/docs +++ miniupnpc-1.6/debian/docs @@ -0,0 +1 @@ +README --- miniupnpc-1.6.orig/debian/libminiupnpc8.symbols +++ miniupnpc-1.6/debian/libminiupnpc8.symbols @@ -0,0 +1,51 @@ +libminiupnpc.so.8 libminiupnpc8 #MINVER# + ClearNameValueList@Base 1.6 + FreePortListing@Base 1.6 + FreeUPNPUrls@Base 1.6 + GetUPNPUrls@Base 1.6 + GetValueFromNameValueList@Base 1.6 + IGDdata@Base 1.6 + IGDendelt@Base 1.6 + IGDstartelt@Base 1.6 + ParseNameValue@Base 1.6 + ParsePortListing@Base 1.6 + UPNPIGD_IsConnected@Base 1.6 + UPNP_AddPinhole@Base 1.6 + UPNP_AddPortMapping@Base 1.6 + UPNP_CheckPinholeWorking@Base 1.6 + UPNP_DeletePinhole@Base 1.6 + UPNP_DeletePortMapping@Base 1.6 + UPNP_GetConnectionTypeInfo@Base 1.6 + UPNP_GetExternalIPAddress@Base 1.6 + UPNP_GetFirewallStatus@Base 1.6 + UPNP_GetGenericPortMappingEntry@Base 1.6 + UPNP_GetIGDFromUrl@Base 1.6 + UPNP_GetLinkLayerMaxBitRates@Base 1.6 + UPNP_GetListOfPortMappings@Base 1.6 + UPNP_GetOutboundPinholeTimeout@Base 1.6 + UPNP_GetPinholePackets@Base 1.6 + UPNP_GetPortMappingNumberOfEntries@Base 1.6 + UPNP_GetSpecificPortMappingEntry@Base 1.6 + UPNP_GetStatusInfo@Base 1.6 + UPNP_GetTotalBytesReceived@Base 1.6 + UPNP_GetTotalBytesSent@Base 1.6 + UPNP_GetTotalPacketsReceived@Base 1.6 + UPNP_GetTotalPacketsSent@Base 1.6 + UPNP_GetValidIGD@Base 1.6 + UPNP_UpdatePinhole@Base 1.6 + connecthostport@Base 1.6 + freeUPNPDevlist@Base 1.6 + getDevicesFromMiniSSDPD@Base 1.6 + getHTTPResponse@Base 1.6 + miniwget@Base 1.6 + miniwget_getaddr@Base 1.6 + parseURL@Base 1.6 + parserootdesc@Base 1.6 + parsexml@Base 1.6 + printIGD@Base 1.6 + receivedata@Base 1.6 + simpleUPnPcommand2@Base 1.6 + simpleUPnPcommand@Base 1.6 + soapPostSubmit@Base 1.6 + strupnperror@Base 1.6 + upnpDiscover@Base 1.6 --- miniupnpc-1.6.orig/debian/man/external-ip.1 +++ miniupnpc-1.6/debian/man/external-ip.1 @@ -0,0 +1,10 @@ +.TH external-ip 1 + +.SH NAME +external-ip \- finds the external IP of your gateway + +.SH DESCRIPTION +Display the IP address of your router and exits. + +.SH "SEE ALSO" +upnpc(1) --- miniupnpc-1.6.orig/debian/man/upnpc.1 +++ miniupnpc-1.6/debian/man/upnpc.1 @@ -0,0 +1,39 @@ +.TH upnpc 1 + +.SH NAME +upnpc \- miniupnpc library test client. + +.SH "SYNOPSIS" +Add port redirection: +.br +\fBupnpc\fP [options] \-a ip port external_port protocol + +Delete port redirection: +.br +\fBupnpc\fP [options] \-d external_port protocol [port2 protocol2] [...] + +Get Connection status: +.br +\fBupnpc\fP [options] \-s + +List redirections: +.br +\fBupnpc\fP [options] \-l + +Add all redirections to the current host: +.br +\fBupnpc\fP [options] \-r port1 protocol1 [port2 protocol2] [...] + +.SH DESCRIPTION +protocol is UDP or TCP + +.SH OPTIONS + +\fB-u url\fP : bypass discovery process by providing the XML root description url + +\fB-m address\fP : provide ip address of the interface to use for sending SSDP-multicast packets. + +\fB-p path\fP : use this path for MiniSSDPd socket. + +.SH "SEE ALSO" +external-ip(1) --- miniupnpc-1.6.orig/debian/miniupnpc.manpages +++ miniupnpc-1.6/debian/miniupnpc.manpages @@ -0,0 +1,2 @@ +debian/man/external-ip.1 +debian/man/upnpc.1 --- miniupnpc-1.6.orig/debian/rules +++ miniupnpc-1.6/debian/rules @@ -0,0 +1,58 @@ +#!/usr/bin/make -f + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +configure: configure-stamp +configure-stamp: + dh_testdir + touch $@ + +build: build-stamp build-arch build-indep +build-stamp: + dh_testdir + $(MAKE) + touch $@ + +clean: + dh_testdir + dh_testroot + rm -f build-stamp configure-stamp portlistingparse.o + + $(MAKE) clean + dh_clean + +install: build + dh_testdir + dh_testroot + dh_prep + $(MAKE) install PREFIX=$(CURDIR)/debian/miniupnpc + # Move the library in its corresponding separate package folder. + mkdir -p $(CURDIR)/debian/libminiupnpc8/usr + mv $(CURDIR)/debian/miniupnpc/usr/lib $(CURDIR)/debian/libminiupnpc8/usr + # Move the include files + mkdir -p $(CURDIR)/debian/libminiupnpc-dev/usr/lib + mv $(CURDIR)/debian/miniupnpc/usr/include $(CURDIR)/debian/libminiupnpc-dev/usr + mv $(CURDIR)/debian/libminiupnpc8/usr/lib/libminiupnpc.so $(CURDIR)/debian/libminiupnpc-dev/usr/lib + mv $(CURDIR)/debian/libminiupnpc8/usr/lib/libminiupnpc.a $(CURDIR)/debian/libminiupnpc-dev/usr/lib + +binary-indep: build install + +binary-arch: build install + dh_testdir + dh_testroot + dh_installchangelogs Changelog.txt + dh_installdocs + dh_installman + dh_strip + dh_compress + dh_fixperms + dh_makeshlibs -V -- -c4 + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install configure build-arch build-indep --- miniupnpc-1.6.orig/debian/source/format +++ miniupnpc-1.6/debian/source/format @@ -0,0 +1 @@ +1.0 --- miniupnpc-1.6.orig/debian/watch +++ miniupnpc-1.6/debian/watch @@ -0,0 +1,4 @@ +version=3 + +opts=filenamemangle=s/.*file=([^&]*)/$1/ \ + http://miniupnp.free.fr/files/download.php\?file=miniupnpc-(\d\.\d.*).tar.gz --- miniupnpc-1.6.orig/igd_desc_parse.c +++ miniupnpc-1.6/igd_desc_parse.c @@ -15,7 +15,9 @@ void IGDstartelt(void * d, const char * name, int l) { struct IGDdatas * datas = (struct IGDdatas *)d; - memcpy( datas->cureltname, name, l); + if(l >= MINIUPNPC_URL_MAXSIZE) + l = MINIUPNPC_URL_MAXSIZE-1; + memcpy(datas->cureltname, name, l); datas->cureltname[l] = '\0'; datas->level++; if( (l==7) && !memcmp(name, "service", l) ) { --- miniupnpc-1.6.orig/miniupnpc.c +++ miniupnpc-1.6/miniupnpc.c @@ -139,6 +139,7 @@ char * p; const char * pe, * pv; int soapbodylen; + const char * const pend = soapbody + sizeof(soapbody); soapbodylen = snprintf(soapbody, sizeof(soapbody), "\r\n" "<" SOAPPREFIX ":Envelope " @@ -150,39 +151,54 @@ p = soapbody + soapbodylen; while(args->elt) { - /* check that we are never overflowing the string... */ - if(soapbody + sizeof(soapbody) <= p + 100) - { - /* we keep a margin of at least 100 bytes */ + if((p+1) > pend) /* check for space to write next byte */ return NULL; - } *(p++) = '<'; + pe = args->elt; - while(*pe) + while(p < pend && *pe) *(p++) = *(pe++); + + if((p+1) > pend) /* check for space to write next byte */ + return NULL; *(p++) = '>'; + if((pv = args->val)) { - while(*pv) + while(p < pend && *pv) *(p++) = *(pv++); } + + if((p+2) > pend) /* check for space to write next 2 bytes */ + return NULL; *(p++) = '<'; *(p++) = '/'; + pe = args->elt; - while(*pe) + while(p < pend && *pe) *(p++) = *(pe++); + + if((p+1) > pend) /* check for space to write next byte */ + return NULL; *(p++) = '>'; + args++; } + if((p+4) > pend) /* check for space to write next 4 bytes */ + return NULL; *(p++) = '<'; *(p++) = '/'; *(p++) = SERVICEPREFIX2; *(p++) = ':'; + pe = action; - while(*pe) + while(p < pend && *pe) *(p++) = *(pe++); + strncpy(p, ">\r\n", - soapbody + sizeof(soapbody) - p); + pend - p); + if(soapbody[sizeof(soapbody)-1]) /* strncpy pads buffer with 0s, so if it doesn't end in 0, could not fit full string */ + return NULL; } if(!parseURL(url, hostname, &port, &path)) return NULL; if(s<0) --- miniupnpc-1.6.orig/miniwget.c +++ miniupnpc-1.6/miniwget.c @@ -67,13 +67,13 @@ unsigned int bytestocopy = 0; /* buffers : */ char * header_buf; - int header_buf_len = 2048; - int header_buf_used = 0; + unsigned int header_buf_len = 2048; + unsigned int header_buf_used = 0; char * content_buf; - int content_buf_len = 2048; - int content_buf_used = 0; + unsigned int content_buf_len = 2048; + unsigned int content_buf_used = 0; char chunksize_buf[32]; - int chunksize_buf_index; + unsigned int chunksize_buf_index; header_buf = malloc(header_buf_len); content_buf = malloc(content_buf_len); @@ -97,14 +97,14 @@ /* search for CR LF CR LF (end of headers) * recognize also LF LF */ i = 0; - while(i < (header_buf_used-1) && (endofheaders == 0)) { + while(i < ((int)header_buf_used-1) && (endofheaders == 0)) { if(header_buf[i] == '\r') { i++; if(header_buf[i] == '\n') { i++; - if(i < header_buf_used && header_buf[i] == '\r') { + if(i < (int)header_buf_used && header_buf[i] == '\r') { i++; - if(i < header_buf_used && header_buf[i] == '\n') { + if(i < (int)header_buf_used && header_buf[i] == '\n') { endofheaders = i+1; } } @@ -155,7 +155,7 @@ chunked = 1; } } - while(header_buf[i]=='\r' || header_buf[i] == '\n') + while((i < (int)header_buf_used) && (header_buf[i]=='\r' || header_buf[i] == '\n')) i++; linestart = i; colon = linestart; @@ -194,7 +194,7 @@ i++; /* discarding chunk-extension */ if(i= '0' && chunksize_buf[j] <= '9') @@ -221,13 +221,13 @@ goto end_of_stream; } } - bytestocopy = ((int)chunksize < n - i)?chunksize:(n - i); - if((int)(content_buf_used + bytestocopy) > content_buf_len) + bytestocopy = (chunksize < (unsigned int)(n - i))?chunksize:(unsigned int)(n - i); + if((content_buf_used + bytestocopy) > content_buf_len) { - if(content_length >= content_buf_used + (int)bytestocopy) { + if(content_length >= 0 && (unsigned int)content_length >= (content_buf_used + bytestocopy)) { content_buf_len = content_length; } else { - content_buf_len = content_buf_used + (int)bytestocopy; + content_buf_len = content_buf_used + bytestocopy; } content_buf = (char *)realloc((void *)content_buf, content_buf_len); @@ -242,13 +242,14 @@ { /* not chunked */ if(content_length > 0 - && (content_buf_used + n) > content_length) { + && (content_buf_used + n) > (unsigned int)content_length) { /* skipping additional bytes */ n = content_length - content_buf_used; } if(content_buf_used + n > content_buf_len) { - if(content_length >= content_buf_used + n) { + if(content_length >= 0 + && (unsigned int)content_length >= (content_buf_used + n)) { content_buf_len = content_length; } else { content_buf_len = content_buf_used + n; @@ -261,7 +262,7 @@ } } /* use the Content-Length header value if available */ - if(content_length > 0 && content_buf_used >= content_length) + if(content_length > 0 && content_buf_used >= (unsigned int)content_length) { #ifdef DEBUG printf("End of HTTP content\n"); --- miniupnpc-1.6.orig/minixml.c +++ miniupnpc-1.6/minixml.c @@ -148,7 +148,8 @@ if (p->xml >= p->xmlend) return; } - if(memcmp(p->xml, " */ + if((p->xmlend >= (p->xml + (9 + 3))) && (memcmp(p->xml, "xml += 9; --- miniupnpc-1.6.orig/upnpreplyparse.c +++ miniupnpc-1.6/upnpreplyparse.c @@ -59,9 +59,7 @@ struct NameValueParserData * data) { struct xmlparser parser; - LIST_INIT(&(data->head)); - data->portListing = NULL; - data->portListingLength = 0; + memset(data, 0, sizeof(struct NameValueParserData)); /* init xmlparser object */ parser.xmlstart = buffer; parser.xmlsize = bufsize;