svn commit: r429627 - head/security/vuxml
Pawel Pekala
pawel at FreeBSD.org
Tue Dec 27 16:07:25 UTC 2016
Author: pawel
Date: Tue Dec 27 16:07:23 2016
New Revision: 429627
URL: https://svnweb.freebsd.org/changeset/ports/429627
Log:
Document devel/upnp 2 security vulnerabilities:
- unhandled write of files to filesystem via POST by default
- heap buffer overflow in create_url_list function
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Dec 27 15:34:55 2016 (r429626)
+++ head/security/vuxml/vuln.xml Tue Dec 27 16:07:23 2016 (r429627)
@@ -58,6 +58,45 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="244c8288-cc4a-11e6-a475-bcaec524bf84">
+ <topic>upnp -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>upnp</name>
+ <range><lt>1.6.21</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Matthew Garett reports:</p>
+ <blockquote cite="https://twitter.com/mjg59/status/755062278513319936">
+ <p>Reported this to upstream 8 months ago without response,
+ so: libupnp's default behaviour allows anyone to write to your
+ filesystem. Seriously. Find a device running a libupnp based server
+ (Shodan says there's rather a lot), and POST a file to /testfile.
+ Then GET /testfile ... and yeah if the server is running as root
+ (it is) and is using / as the web root (probably not, but maybe)
+ this gives full host fs access.</p>
+ </blockquote>
+ <p>Scott Tenaglia reports:</p>
+ <blockquote cite="https://sourceforge.net/p/pupnp/bugs/133/">
+ <p>There is a heap buffer overflow vulnerability in the
+ create_url_list function in upnp/src/gena/gena_device.c.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://twitter.com/mjg59/status/755062278513319936</url>
+ <url>https://sourceforge.net/p/pupnp/bugs/133/</url>
+ <cvename>CVE-2016-6255</cvename>
+ <cvename>CVE-2016-8863</cvename>
+ </references>
+ <dates>
+ <discovery>2016-02-23</discovery>
+ <entry>2016-12-27</entry>
+ </dates>
+ </vuln>
+
<vuln vid="c7656d4c-cb60-11e6-a9a5-b499baebfeaf">
<topic>phpmailer -- Remote Code Execution</topic>
<affects>
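Review bot: The single `<range><lt>1.6.21</lt></range>` and the single `<discovery>2016-02-23</discovery>` in the new upnp entry cover two unrelated reports (the default POST file write and the create_url_list heap overflow), and nothing in the entry shows that both are fixed in 1.6.21 or which report the date belongs to. Please confirm the fixed version and discovery date for each issue and, if they differ, split this into two `<vuln>` entries. If they stay together, a short sentence in the body tying CVE-2016-6255 and CVE-2016-8863 to their respective quotes would help, since `<references>` lists both without saying which is which. Also, "Matthew Garett" in the first `<p>` looks misspelled (Garrett); worth checking against the cited tweet before this is published.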