Date: Tue, 27 Dec 2016 16:07:24 +0000 (UTC) From: Pawel Pekala <pawel@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r429627 - head/security/vuxml Message-ID: <201612271607.uBRG7OQr070650@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: pawel Date: Tue Dec 27 16:07:23 2016 New Revision: 429627 URL: https://svnweb.freebsd.org/changeset/ports/429627 Log: Document devel/upnp 2 security vulnerabilities: - unhandled write of files to filesystem via POST by default - heap buffer overflow in create_url_list function Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Dec 27 15:34:55 2016 (r429626) +++ head/security/vuxml/vuln.xml Tue Dec 27 16:07:23 2016 (r429627) @@ -58,6 +58,45 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="244c8288-cc4a-11e6-a475-bcaec524bf84"> + <topic>upnp -- multiple vulnerabilities</topic> + <affects> + <package> + <name>upnp</name> + <range><lt>1.6.21</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Matthew Garett reports:</p> + <blockquote cite="https://twitter.com/mjg59/status/755062278513319936">; + <p>Reported this to upstream 8 months ago without response, + so: libupnp's default behaviour allows anyone to write to your + filesystem. Seriously. Find a device running a libupnp based server + (Shodan says there's rather a lot), and POST a file to /testfile. + Then GET /testfile ... and yeah if the server is running as root + (it is) and is using / as the web root (probably not, but maybe) + this gives full host fs access.</p> + </blockquote> + <p>Scott Tenaglia reports:</p> + <blockquote cite="https://sourceforge.net/p/pupnp/bugs/133/">; + <p>There is a heap buffer overflow vulnerability in the + create_url_list function in upnp/src/gena/gena_device.c.</p> + </blockquote> + </body> + </description> + <references> + <url>https://twitter.com/mjg59/status/755062278513319936</url>; + <url>https://sourceforge.net/p/pupnp/bugs/133/</url>; + <cvename>CVE-2016-6255</cvename> + <cvename>CVE-2016-8863</cvename> + </references> + <dates> + <discovery>2016-02-23</discovery> + <entry>2016-12-27</entry> + </dates> + </vuln> + <vuln vid="c7656d4c-cb60-11e6-a9a5-b499baebfeaf"> <topic>phpmailer -- Remote Code Execution</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201612271607.uBRG7OQr070650>