debian/0000775000000000000000000000000012735534063007200 5ustar debian/init0000664000000000000000000000474011717470446010076 0ustar #!/bin/bash ### BEGIN INIT INFO # Provides: minissdpd # Required-Start: $remote_fs $all # Required-Stop: $remote_fs # Should-Start: $local_fs # Should-Stop: $local_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: keep memory of all UPnP devices that announced themselves # Description: MiniSSDPd is a small daemon used by MiniUPnPc (a UPnP control point for IGD # devices) to speed up device discoveries. MiniSSDPd keep memory of all UPnP # devices that announced themselves on the network through SSDP NOTIFY packets. # MiniSSDPd also has the ability to handle all SSDP traffic recieved on a # computer via the multicast group 239.255.255.250:1900. ### END INIT INFO DESC="UPnP devices daemon" NAME="MiniSSDPd" . /lib/lsb/init-functions if [ -r /lib/init/vars.sh ] ; then . /lib/init/vars.sh fi # Exit if package is removed but not purged if ! [ -x /usr/sbin/minissdpd ] ; then exit 0 fi if [ -f "/etc/default/minissdpd" ] ; then . /etc/default/minissdpd else [ "${VERBOSE}" != no ] && log_daemon_msg "MiniSSDPd: Default file not found: exiting" [ "${VERBOSE}" != no ] && log_end_msg 1 exit 0 fi if ! [ "${START_DAEMON}" = "1" ] ; then [ "${VERBOSE}" != no ] && log_daemon_msg "MiniSSDPd: /etc/default/minissdpd isn't set to START_DAEMON=1: exiting" [ "${VERBOSE}" != no ] && log_end_msg 1 exit 0 fi if [ -z ${MiniSSDPd_INTERFACE_ADDRESS} ] ; then [ "${VERBOSE}" != no ] && log_daemon_msg "MiniSSDPd: no interface defined: exiting" [ "${VERBOSE}" != no ] && log_end_msg 1 exit 0 fi case "$1" in start) [ "${VERBOSE}" != no ] && log_daemon_msg "Starting ${DESC}" ${NAME} start-stop-daemon --start --pidfile /var/run/minissdpd.pid --exec "/usr/sbin/minissdpd" -- -i ${MiniSSDPd_INTERFACE_ADDRESS} RET=$? if [ ${RET} = 0 -o ${RET} = 1 ] ; then [ "${VERBOSE}" != no ] && log_end_msg 0 else [ "${VERBOSE}" != no ] && log_end_msg 1 exit 1 fi ;; stop) [ "${VERBOSE}" != no ] && log_daemon_msg "Stopping ${DESC}" ${NAME} start-stop-daemon --stop --oknodo --pidfile /var/run/minissdpd.pid RET=$? if [ ${RET} = 0 -o ${RET} = 1 ] ; then [ "${VERBOSE}" != no ] && log_end_msg $? else [ "${VERBOSE}" != no ] && log_end_msg 1 exit 1 fi ;; status) status_of_proc "/usr/sbin/minissdpd" ${NAME} && exit 0 || exit $? ;; restart|reload|force-reload) $0 stop sleep 1 $0 start ;; *) echo "Usage: ${0} {start|stop|status|restart|reload}" exit 1 esac exit 0 debian/compat0000664000000000000000000000000211717470446010401 0ustar 8 debian/watch0000664000000000000000000000012711717470446010234 0ustar version=3 http://miniupnp.free.fr/files/download.php\?file=minissdpd-(\d\.\d.*).tar.gz debian/patches/0000775000000000000000000000000012676241025010624 5ustar debian/patches/series0000664000000000000000000000011312676236776012055 0ustar 0001-always-disable-link_ntoa.diff CVE-2016-3179.patch CVE-2016-3178.patch debian/patches/CVE-2016-3179.patch0000664000000000000000000000104312676236622013256 0ustar Index: minissdpd-1.1.20120121/minissdpd.c =================================================================== --- minissdpd-1.1.20120121.orig/minissdpd.c 2016-03-28 16:19:57.000000000 +0200 +++ minissdpd-1.1.20120121/minissdpd.c 2016-03-28 16:19:57.000000000 +0200 @@ -618,6 +618,7 @@ syslog(LOG_ERR, "cannot allocate memory"); goto error; } + memset(newserv, 0, sizeof(struct service)); /* set pointers to NULL */ if(containsForbiddenChars(p, l)) { syslog(LOG_ERR, "bad request (st contains forbidden chars)"); goto error; debian/patches/CVE-2016-3178.patch0000664000000000000000000000547712676241025013265 0ustar Index: minissdpd-1.1.20120121/minissdpd.c =================================================================== --- minissdpd-1.1.20120121.orig/minissdpd.c 2016-03-28 16:26:09.000000000 +0200 +++ minissdpd-1.1.20120121/minissdpd.c 2016-03-28 16:29:13.000000000 +0200 @@ -530,7 +530,7 @@ type = buf[0]; p = buf + 1; DECODELENGTH_CHECKLIMIT(l, p, buf + n); - if(p+l > buf+n) { + if(l > (unsigned)(buf+n-p)) { syslog(LOG_WARNING, "bad request (length encoding)"); goto error; } @@ -636,7 +636,7 @@ goto error; } DECODELENGTH_CHECKLIMIT(l, p, buf + n); - if(p+l > buf+n) { + if(l > (unsigned)(buf+n-p)) { syslog(LOG_WARNING, "bad request (length encoding)"); goto error; } @@ -654,7 +654,7 @@ newserv->usn[l] = '\0'; p += l; DECODELENGTH_CHECKLIMIT(l, p, buf + n); - if(p+l > buf+n) { + if(l > (unsigned)(buf+n-p)) { syslog(LOG_WARNING, "bad request (length encoding)"); goto error; } @@ -672,7 +672,7 @@ newserv->server[l] = '\0'; p += l; DECODELENGTH_CHECKLIMIT(l, p, buf + n); - if(p+l > buf+n) { + if(l > (unsigned)(buf+n-p)) { syslog(LOG_WARNING, "bad request (length encoding)"); goto error; } Index: minissdpd-1.1.20120121/testminissdpd.c =================================================================== --- minissdpd-1.1.20120121.orig/testminissdpd.c 2016-03-28 16:26:09.000000000 +0200 +++ minissdpd-1.1.20120121/testminissdpd.c 2016-03-28 16:39:14.000000000 +0200 @@ -45,6 +45,23 @@ #define SENDCOMMAND(command, size) write(s, command, size); \ printf("Command written type=%u\n", (unsigned)command[0]); +int connect_unix_socket(const char * sockpath) +{ + int s; + struct sockaddr_un addr; + + s = socket(AF_UNIX, SOCK_STREAM, 0); + addr.sun_family = AF_UNIX; + strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path)); + if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 0) { + fprintf(stderr, "connecting to %s : ", addr.sun_path); + perror("connect"); + exit(1); + } + printf("Connected to %s\n", addr.sun_path); + return s; +} + /* test program for minissdpd */ int main(int argc, char * * argv) @@ -52,6 +69,7 @@ char command1[] = "\x01\x00urn:schemas-upnp-org:device:InternetGatewayDevice"; char command2[] = "\x02\x00uuid:fc4ec57e-b051-11db-88f8-0060085db3f6::upnp:rootdevice"; char command3[] = { 0x03, 0x00 }; + const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f}; struct sockaddr_un addr; int s; int i; @@ -89,6 +107,15 @@ n = read(s, buf, sizeof(buf)); printf("Response received %d bytes\n", (int)n); printresponse(buf, n); + if(n == 0) { + close(s); + s = connect_unix_socket(sockpath); + } + + n = SENDCOMMAND(bad_command4, sizeof(bad_command4)); + n = read(s, buf, sizeof(buf)); + printf("Response received %d bytes\n", (int)n); + printresponse(buf, n); close(s); return 0; debian/patches/0001-always-disable-link_ntoa.diff0000775000000000000000000000136211717470446016724 0ustar Description: Always disables AF_LINK checks This patch disable the bit that uses link_ntoa under FreeBSD, because this bit is not working in Debian/kFreeBSD (the function is not available). Note that to me, this is an isue in kFreeBSD itself and that it is kFreeBSD that should be patched to support this FreeBSD kernel functionality. Author: Thomas Goirand Forwarded: not-needed --- a/upnputils.c 2011-10-09 17:52:38.000000000 +0000 +++ b/upnputils.c 2011-10-09 17:53:25.000000000 +0000 @@ -41,7 +41,7 @@ port = ntohs(((struct sockaddr_in *)addr)->sin_port); n = snprintf(str, size, "%s:%hu", buffer, port); break; -#ifdef AF_LINK +#if 0 case AF_LINK: { struct sockaddr_dl * sdl = (struct sockaddr_dl *)addr; debian/manpages0000664000000000000000000000001411717470446010714 0ustar minissdpd.1 debian/gbp.conf0000664000000000000000000000023311717470446010620 0ustar [DEFAULT] builder = debuild upstream-branch = upstream-sid debian-branch = debian-sid pristine-tar = False [git-buildpackage] export-dir = ../build-area/ debian/changelog0000664000000000000000000000623312735534063011056 0ustar minissdpd (1.1.20120121-1+deb7u1build0.14.04.1) trusty-security; urgency=medium * fake sync from Debian -- Tyler Hicks Fri, 01 Jul 2016 13:36:35 -0500 minissdpd (1.1.20120121-1+deb7u1) wheezy-security; urgency=high * Non-maintainer upload by the Wheezy LTS Team. * patch for CVE-2016-3178 + CVE-2016-3179 The minissdpd daemon contains a improper validation of array index vulnerability (CWE-129) when processing requests sent to the Unix socket at /var/run/minissdpd.sock the Unix socket can be accessed by an unprivileged user to send invalid request causes an out-of-bounds memory access that crashes the minissdpd daemon. -- Thorsten Alteholz Mon, 28 Mar 2016 12:03:02 +0100 minissdpd (1.1.20120121-1) unstable; urgency=low * New upstream version. * Fixed the init script to handle when start-stop-daemon returns 1, and handling of the VERBOSE variable. * Switching from dpatch to quilt, and from source format 1.0 to 3.0. -- Thomas Goirand Fri, 17 Feb 2012 19:23:48 +0800 minissdpd (1.1.20111007-4) unstable; urgency=low * Fixed English grammar mistakes, thanks to Martin Eberhard Schauer (Closes: #653027). * Added a debian/gbp.conf * Added support for "status" action to init.d script, thanks to patch from Peter Eisentraut (Closes: #652916). -- Thomas Goirand Fri, 23 Dec 2011 19:53:11 +0800 minissdpd (1.1.20111007-3) unstable; urgency=low * Exits if binary isn't found (Closes: #646746). -- Thomas Goirand Thu, 27 Oct 2011 19:28:20 +0800 minissdpd (1.1.20111007-2) unstable; urgency=low * Calling dpatch directly in debian/rules because the patch wasn't applied at all, so this bug was still remaining, thanks to Christoph Egger for reporting it (Closes: #635911). -- Thomas Goirand Mon, 10 Oct 2011 15:16:20 +0800 minissdpd (1.1.20111007-1) unstable; urgency=low * New upstream version including the bugfixes to bugs sent to the Debian BTS (Closes: #644508, #644509, #644510, #644511, #630665). * Added a patch to disable calls to link_ntoa in Debian/kFreeBSD (Closes: #635911). * debian/copyright is now in DEP5 format. -- Thomas Goirand Sun, 09 Oct 2011 17:49:12 +0000 minissdpd (1.0.20110729-1) unstable; urgency=high * New upstream release 1.0.20110729, fixing root exploit issue reported on launchpad (Closes: #635836) (LP: #813313), thanks to Moritz Muehlenhoff for the bug report, and to falks at Ubuntu for the investigation of the issue. * Added build-arch: and build-indep: targets in debian/rules. * Bumped standard-version to 3.9.2. -- Thomas Goirand Fri, 29 Jul 2011 14:41:55 +0200 minissdpd (1.0-2) unstable; urgency=low * Watch file was wrong (it was the one of miniupnpc). * Uploading to unstable from now on. -- Thomas Goirand Fri, 11 Mar 2011 19:59:51 +0800 minissdpd (1.0-1) experimental; urgency=low * Initial release (Closes: #608270). -- Thomas Goirand Wed, 29 Dec 2010 16:49:20 +0800 debian/defaults0000664000000000000000000000031211717470446010731 0ustar # MiniSSDPd default configuration # Set this to 1 if you want to start the daemon START_DAEMON=1 # Set this to the IP of the interface you want the demon to run on MiniSSDPd_INTERFACE_ADDRESS=0.0.0.0 debian/rules0000775000000000000000000000160011717470446010260 0ustar #!/usr/bin/make -f #export DH_VERBOSE=1 configure: configure-stamp configure-stamp: dh_testdir touch $@ build: build-arch build-indep build-arch: build-stamp build-indep: build-stamp build-stamp: dh_testdir $(MAKE) touch $@ clean: dh_testdir dh_testroot rm -f build-stamp configure-stamp testcodelength.o $(MAKE) clean dh_clean install: build dh_testdir dh_testroot dh_prep $(MAKE) install PREFIX=$(CURDIR)/debian/minissdpd install -D -m 0644 debian/defaults $(CURDIR)/debian/minissdpd/etc/default/minissdpd binary-indep: build install binary-arch: build install dh_testdir dh_testroot dh_installchangelogs Changelog.txt dh_installdocs README dh_installman dh_installinit dh_strip dh_compress dh_installdeb dh_shlibdeps dh_gencontrol dh_md5sums dh_builddeb binary: binary-indep binary-arch .PHONY: build clean binary-indep binary-arch binary install configure debian/README.source0000664000000000000000000000023411717470446011361 0ustar This package uses dpatch. To patch upstream sources, do: dpatch apply-all and to unpatch do: dpatch deapply-all All patches are located in debian/patches debian/copyright0000664000000000000000000000360411717470446011141 0ustar Format: http://svn.debian.org/wsvn/dep/web/deps/dep5.mdwn?op=file&rev=173 Upstream-Name: minissdpd Upstream-Contact: Thomas Bernard Source: http://miniupnp.free.fr/files/ Files: debian/* Copyright: (c) 2007\-2010, Thomas Goirand License: 3 clauses BSD Files: bsdqueue.h Copyright: (c) 1991, 1993 The Regents of the University of California. License: 3 clauses BSD Files: * Copyright: (c) 2005\-2010, Thomas Bernard License: 3 clauses BSD License: 3 clauses BSD Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. debian/source/0000775000000000000000000000000011717470446010503 5ustar debian/source/format0000664000000000000000000000001411717470446011711 0ustar 3.0 (quilt) debian/control0000664000000000000000000000235011717470446010606 0ustar Source: minissdpd Section: net Priority: optional Maintainer: Thomas Goirand Build-Depends: debhelper (>= 8) Standards-Version: 3.9.2 Vcs-Browser: http://git.debian.org/?p=users/zigo/minissdpd.git Vcs-Git: http://git.debian.org/git/users/zigo/minissdpd.git Homepage: http://miniupnp.free.fr/ Package: minissdpd Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Description: keep memory of all UPnP devices that announced themselves MiniSSDPd is a small daemon used by MiniUPnPc (a UPnP control point for IGD devices) to speed up device discoveries. MiniSSDPd keeps memory of all UPnP devices that announced themselves on the network through SSDP NOTIFY packets. MiniSSDPd also has the ability to handle all SSDP traffic received on a computer via the multicast group 239.255.255.250:1900. . MiniSSDPd receives NOTIFY packets and stores information contained for later use by UPnP Control Points on the machine. MiniSSDPd receives M-SEARCH packets and answers on behalf of the UPnP devices running on the machine. MiniUPnPd and MiniUPnPc are designed to take automatically advantage of MiniSSDPd running on the same computer. Just make sure that MiniSSDPd is started before any other UPnP program on the computer.