Heap-buffer-overflow in parseelt (minixml.c) and SIGSEGV in NameValueParserEndElt (upnpreplyparse.c) #268
Comments
@stze thank you for the bug report.
@miniupnp I did a quick check. The two issues seem to be resolved.
laanwj added a commit to bitcoin/bitcoin that referenced this issue Feb 16, 2018

…0203

25409b1 fixme: depends: Add D_DARWIN_C_SOURCE to miniupnpc CFLAGS (fanquake)
3335d45 [depends] latest config.guess and config.sub (fanquake)
41550d6 [depends] miniupnpc 2.0.20180203 (fanquake)
61647a4 [depends] ccache 3.4.1 (fanquake)
5a10859 [depends] expat 2.2.5 (fanquake)

Pull request description:

miniupnpc changelog: http://miniupnp.free.fr/files/changelog.php?file=miniupnpc-2.0.20180203.tar.gz
2.0.20180203 includes fixes for the recent buffer overflow and segfault issues, see miniupnp/miniupnp#268.

expat changelog: https://github.com/libexpat/libexpat/blob/R_2_2_5/expat/Changes
2.2.2 & 2.2.3 included security fixes.

ccache changelog: https://ccache.samba.org/releasenotes.html#_ccache_3_4_1

Also includes latest config.guess and config.sub.

Tree-SHA512: 5115b6ccf2bc50c62fd16ab2350bdc752eef7db8b1e4fbe35998fe1aac3702baa6c7f5e471ec48f7c614278df20a68ee6a254dde7c3e2d5c6ce2d10257a5aa21
deadalnix pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this issue Mar 19, 2020

Summary:
```
miniupnpc changelog: http://miniupnp.free.fr/files/changelog.php?file=miniupnpc-2.0.20180203.tar.gz
2.0.20180203 includes fixes for the recent buffer overflow and segfault issues, see miniupnp/miniupnp#268.

expat changelog: https://github.com/libexpat/libexpat/blob/R_2_2_5/expat/Changes
2.2.2 & 2.2.3 included security fixes.

Also includes latest config.guess and config.sub.
```

This updates our depends version for expat, miniupnpc, config.guess and config.sub. The ccache version is **NOT** updated (see D5503). It also includes a fix for miniupnpc.

Backport of core [[bitcoin/bitcoin#12402 | PR12402]] and [[bitcoin/bitcoin#12466 | PR12466]].

Depends on D5502 and D5503.

*Note to reviewers:* the diff ends up fairly large due to the pull of config.guess and config.sub. However this is mostly formatting changes (`${FOO}` vs `$FOO` in particular), and there was no merge conflict during the cherry-pick.

Test Plan: Run the Gitian builds twice, ensure the build is still deterministic.

Reviewers: #bitcoin_abc, deadalnix
Reviewed By: #bitcoin_abc, deadalnix
Subscribers: deadalnix
Differential Revision: https://reviews.bitcoinabc.org/D5504
10xcryptodev pushed a commit to 10xcryptodev/dash that referenced this issue May 16, 2020
10xcryptodev pushed a commit to 10xcryptodev/dash that referenced this issue May 17, 2020
ftrader pushed a commit to bitcoin-cash-node/bitcoin-cash-node that referenced this issue May 19, 2020
gades pushed a commit to cosanta/cosanta-core that referenced this issue Jun 24, 2021
CryptoCentric pushed a commit to absolute-community/absolute that referenced this issue Jul 2, 2021
gades pushed a commit to cosanta/cosanta-core that referenced this issue Mar 16, 2022
Dear miniupnpd team —
I have detected a heap-buffer-overflow in parseelt (minixml.c) and a memory corruption (invalid read, SIGSEGV) in NameValueParserEndElt (upnpreplyparse.c) while handling two consecutive malformed SOAP requests.
Version
How to reproduce the 2 issues
ASAN output (heap-buffer-overflow)
ASAN output (SIGSEGV)
Valgrind output (heap-buffer-overflow + SIGSEGV if compiled without the flags from 1.)
I found the two issues with AFL.
Best
-Stephan Zeisberg