net: Drop support of the insecure miniUPnPc versions #15993
Conversation
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsNo conflicts as of last run. |
|
Concept ACK, we definitely don't want to support miniUPnPc versions that are insecure |
hebasto
force-pushed
the
20190506-drop-ancient-miniupnpc-api
branch
from
67b1263 to
f8a381e
Compare
src/net.cpp
Outdated
There was a problem hiding this comment.
Why 10?
Everything below (and including 14) is broken: #6789
There was a problem hiding this comment.
Why 10?
This is API version for xenial and jessy libminiupnpc-dev.
Everything below (and including 14) is broken: #6789
You are right. This PR is a kind of trade-off. Otherwise, a user should be forced to build libminiupnpc-dev by himself.
Anyway, I'll appreciate any smart solution for this security issue.
There was a problem hiding this comment.
I don't think we should support building against known broken versions. If someone really needs to build against such an old version, they could update the code themselves (remove the assert) or build a newer version of miniupnpc (which conveniently is shipped in our ./depends)
There was a problem hiding this comment.
I cannot find a suitable assertion to let only build with CVE-2017-8798 fix commit (see: #10414):
MINIUPNPC_API_VERSION >= 17is too narrow (see: miniupnpc-2.1 changelog)MINIUPNPC_API_VERSION >= 16is too wide: versions beforeminiupnpc-2.0.20170509are included
There was a problem hiding this comment.
MINIUPNPC_API_VERSION >= 16 should be fine. The code might be removed soon anyway
There was a problem hiding this comment.
I agree we should ideally drop support for all vulnerable versions.
hebasto
force-pushed
the
20190506-drop-ancient-miniupnpc-api
branch
from
f8a381e to
fe94f27
Compare
hebasto
changed the title
|
@MarcoFalke |
|
Concept ACK We should now allow dependencies with known flaws. |
|
utACK fe94f276faa6f5905132d9062469432347bce747 Only checked that this is removing code and adding the static assert Show signature and timestampSignature: Timestamp of file with hash |
|
utACK fe94f276faa6f5905132d9062469432347bce747 |
|
If this requires >= 16 it eliminates miniupnp versions that debian is still using (but with fixes), no? |
yes which defines: |
|
This should be changed to 10 then, the (bulk of the?) API changes are compatible with 10-- and there are patched systems that return 10. I don't think we have any strong reason to gratuitously break compatibility beyond that. |
|
This PR is becoming a bit controversial: #15993 (comment), #15993 (comment) by @MarcoFalke:
#15993 (comment) by @gmaxwell:
Can we reach the consensus? Or should this PR be closed for now? |
|
Yeah, isn't this superseded by Changes to support NAT-PMP #15717 |
Just change it to 10 and it's OK imo. Dropping support for other versions can be done later but only when it's gone from debian stable. |
hebasto
force-pushed
the
20190506-drop-ancient-miniupnpc-api
branch
from
fe94f27 to
12a0de5
Compare
@gmaxwell, @laanwj |
|
LGTM now, utACK 12a0de5931fcbbad388e56447e297e38ff54bfcf |
|
Release notes have been added. |
doc/release-notes-15993.md
Outdated
There was a problem hiding this comment.
Aren't they patched? Otherwise we would set the API version higher, no?
There was a problem hiding this comment.
Aren't they patched?
The libminiupnpc10 package has been patched on Ubuntu only:
On Debian:
- in jessy
miniupnpcpackage is still vulnerable for CVE-2017-8798 and CVE-2017-1000494 - in stretch
miniupnpcpackage is still vulnerable for CVE-2017-1000494
luke-jr
left a comment
luke-jr
left a comment
There was a problem hiding this comment.
Concept ACK, but this needs to update configure to reject incompatible versions. (Ideally rejecting vulnerable versions even if they are API-compatible with the code.)
hebasto
force-pushed
the
20190506-drop-ancient-miniupnpc-api
branch
3 times, most recently
from
71919be to
ef43e37
Compare
hebasto
force-pushed
the
20190506-drop-ancient-miniupnpc-api
branch
from
ef43e37 to
3942fca
Compare
hebasto
force-pushed
the
20190506-drop-ancient-miniupnpc-api
branch
from
3942fca to
5993b87
Compare
configure.ac
Outdated
There was a problem hiding this comment.
I don't recommend referring to GitHub issues. I think we're supposed to have a self-contained [set of] git repo(s)?
configure.ac
Outdated
There was a problem hiding this comment.
--with-miniupnpc=auto (ie, the default) won't work with this check.
Just set have_miniupnpc=no here instead (and change this to AC_MSG_WARNING).
The minimum supported miniUPnPc API version is set to 10.
hebasto
force-pushed
the
20190506-drop-ancient-miniupnpc-api
branch
from
5993b87 to
ded2de5
Compare
|
@luke-jr |
configure.ac
Outdated
There was a problem hiding this comment.
Some API v10 is also vulnerable, right? I think we just want to say "unsupported" here.
src/net.cpp
Outdated
There was a problem hiding this comment.
Why remove the version comments?
There was a problem hiding this comment.
They are irrelevant now. See: miniupnpc/apiversions.txt
There was a problem hiding this comment.
I don't see how they are irrelevant...
There was a problem hiding this comment.
Prior to version 1.7, there was no MINIUPNPC API_VERSION macro. Therefore, different ways were used to distinguish between different versions. Comments were needed to make those "hacks" obvious.
Nowadays, the difference in the upnpDiscover() function signature is clear stated in different API versions.
Particularly,
API version 14
miniupnpc.h
add ttl argument to upnpDiscover() upnpDiscoverAll() upnpDiscoverDevice()
...
updated macro :
#define MINIUPNPC_API_VERSION 14
src/net.cpp
Outdated
There was a problem hiding this comment.
I agree we should ideally drop support for all vulnerable versions.
|
I think this is dragging on way too long, and maybe getting out of hand, getting round after round of nits for essentially removing a few Please, let's try to move forward and merge this to have this off our radar. |
Also fixes behavior when libminiupnpc is not installed.
hebasto
force-pushed
the
20190506-drop-ancient-miniupnpc-api
branch
from
ded2de5 to
59cb722
Compare
ryanofsky
left a comment
ryanofsky
left a comment
There was a problem hiding this comment.
utACK 59cb722. Changes since last review: adding a new commit which updates configure script to fall back to disabling upnp if version is too old, adding a requested comment explaining static_assert condition, and fixing a spelling (jessy/jessie)
59cb722 Update configure to reject unsafe miniUPnPc API ver (Hennadii Stepanov) ab21905 doc: Add release notes for 15993 (Hennadii Stepanov) 02709e9 Align formatting with clang-format (Hennadii Stepanov) 91a1b85 Use PACKAGE_NAME in UPnP description (Hennadii Stepanov) 9f76e45 Drop support of insecure miniUPnPc versions (Hennadii Stepanov) Pull request description: 1. Minimum supported miniUPnPc API version is set to 10: - https://packages.ubuntu.com/xenial/libminiupnpc-dev - https://packages.debian.org/jessie/libminiupnpc-dev Refs: - #6583 - #6789 - #10414 2. The hardcoded "Bitcoin" replaced with `PACKAGE_NAME`:  3. Also style-only commit applied. Pardon: could not reopen my previous PR #15966. ACKs for top commit: ryanofsky: utACK 59cb722. Changes since last review: adding a new commit which updates configure script to fall back to disabling upnp if version is too old, adding a requested comment explaining static_assert condition, and fixing a spelling (jessy/jessie) Tree-SHA512: 42ed11bc2fb2ec83d5dd58e2383da5444a24fd572707f6cf10b622cb8943e28adfcca4750d06801024c4472625b5ea9279516fbd9d2ccebc9bbaafe1d148e80d
…ions 59cb722 Update configure to reject unsafe miniUPnPc API ver (Hennadii Stepanov) ab21905 doc: Add release notes for 15993 (Hennadii Stepanov) 02709e9 Align formatting with clang-format (Hennadii Stepanov) 91a1b85 Use PACKAGE_NAME in UPnP description (Hennadii Stepanov) 9f76e45 Drop support of insecure miniUPnPc versions (Hennadii Stepanov) Pull request description: 1. Minimum supported miniUPnPc API version is set to 10: - https://packages.ubuntu.com/xenial/libminiupnpc-dev - https://packages.debian.org/jessie/libminiupnpc-dev Refs: - bitcoin#6583 - bitcoin#6789 - bitcoin#10414 2. The hardcoded "Bitcoin" replaced with `PACKAGE_NAME`:  3. Also style-only commit applied. Pardon: could not reopen my previous PR bitcoin#15966. ACKs for top commit: ryanofsky: utACK 59cb722. Changes since last review: adding a new commit which updates configure script to fall back to disabling upnp if version is too old, adding a requested comment explaining static_assert condition, and fixing a spelling (jessy/jessie) Tree-SHA512: 42ed11bc2fb2ec83d5dd58e2383da5444a24fd572707f6cf10b622cb8943e28adfcca4750d06801024c4472625b5ea9279516fbd9d2ccebc9bbaafe1d148e80d
Summary: The minimum supported miniUPnPc API version is set to 10 (debian 8 and ubuntu 16.04) This is a backport of Core [[bitcoin/bitcoin#15993 | PR15993]] Included commits: - [[bitcoin/bitcoin@9f76e45 | 9f76e45 Drop support of insecure miniUPnPc versions]] - [[bitcoin/bitcoin@91a1b85 | 91a1b85 Use PACKAGE_NAME in UPnP description]] - [[bitcoin/bitcoin@ab21905 | ab21905 Add release notes]] Test Plan: `ninja all check-all` Reviewers: O1 Bitcoin ABC, #bitcoin_abc, Fabien Reviewed By: O1 Bitcoin ABC, #bitcoin_abc, Fabien Subscribers: Fabien Differential Revision: https://reviews.bitcoinabc.org/D8211
60cd984 doc: Add release notes about minimum required miniupnpc API version (Fuzzbawls) d9a2024 CMake: Require miniupnpc API version 10 or greater (Fuzzbawls) d0ed7d2 Update configure to reject unsafe miniUPnPc API ver (Hennadii Stepanov) bd0ed0c Align formatting with clang-format (Fuzzbawls) f43781f Use PACKAGE_NAME in UPnP description (Fuzzbawls) f2e1e09 Drop support of insecure miniUPnPc versions (Fuzzbawls) Pull request description: Backport of bitcoin#15993 This results in a rejection of older versions of miniupnpc for both autotools and CMake build systems. API Version 10 was used to maintain compatibility with Ubuntu Xenial (which uses a patched version of miniupnpc but still reports API version 10) and Debian 8 (which is not fully patched). Miniupnp support as a whole remains disabled by default ACKs for top commit: furszy: utACK 60cd984 random-zebra: utACK 60cd984 random-zebra: utACK 60cd984 Tree-SHA512: b3294c3474797226b5d154cc961efc1209fde58c6af70a1a292fcd3bc18de712ab3bcc6e1de6f6ba67ccf5ca9c8db90a116a4c43fbfd12b42d622b17523585df
Minimum supported miniUPnPc API version is set to 10. This prevents numerous security issues by enforcing a 2015 UPnP version (keeps compatibility with Ubuntu 16.04 LTS and Debian 8) Ref: bitcoin/bitcoin#15993
…ions 59cb722 Update configure to reject unsafe miniUPnPc API ver (Hennadii Stepanov) ab21905 doc: Add release notes for 15993 (Hennadii Stepanov) 02709e9 Align formatting with clang-format (Hennadii Stepanov) 91a1b85 Use PACKAGE_NAME in UPnP description (Hennadii Stepanov) 9f76e45 Drop support of insecure miniUPnPc versions (Hennadii Stepanov) Pull request description: 1. Minimum supported miniUPnPc API version is set to 10: - https://packages.ubuntu.com/xenial/libminiupnpc-dev - https://packages.debian.org/jessie/libminiupnpc-dev Refs: - dashpay#6583 - dashpay#6789 - bitcoin#10414 2. The hardcoded "Bitcoin" replaced with `PACKAGE_NAME`:  3. Also style-only commit applied. Pardon: could not reopen my previous PR bitcoin#15966. ACKs for top commit: ryanofsky: utACK 59cb722. Changes since last review: adding a new commit which updates configure script to fall back to disabling upnp if version is too old, adding a requested comment explaining static_assert condition, and fixing a spelling (jessy/jessie) Tree-SHA512: 42ed11bc2fb2ec83d5dd58e2383da5444a24fd572707f6cf10b622cb8943e28adfcca4750d06801024c4472625b5ea9279516fbd9d2ccebc9bbaafe1d148e80d
…ions 59cb722 Update configure to reject unsafe miniUPnPc API ver (Hennadii Stepanov) ab21905 doc: Add release notes for 15993 (Hennadii Stepanov) 02709e9 Align formatting with clang-format (Hennadii Stepanov) 91a1b85 Use PACKAGE_NAME in UPnP description (Hennadii Stepanov) 9f76e45 Drop support of insecure miniUPnPc versions (Hennadii Stepanov) Pull request description: 1. Minimum supported miniUPnPc API version is set to 10: - https://packages.ubuntu.com/xenial/libminiupnpc-dev - https://packages.debian.org/jessie/libminiupnpc-dev Refs: - dashpay#6583 - dashpay#6789 - bitcoin#10414 2. The hardcoded "Bitcoin" replaced with `PACKAGE_NAME`:  3. Also style-only commit applied. Pardon: could not reopen my previous PR bitcoin#15966. ACKs for top commit: ryanofsky: utACK 59cb722. Changes since last review: adding a new commit which updates configure script to fall back to disabling upnp if version is too old, adding a requested comment explaining static_assert condition, and fixing a spelling (jessy/jessie) Tree-SHA512: 42ed11bc2fb2ec83d5dd58e2383da5444a24fd572707f6cf10b622cb8943e28adfcca4750d06801024c4472625b5ea9279516fbd9d2ccebc9bbaafe1d148e80d
9 participants
Refs:
The hardcoded "Bitcoin" replaced with
PACKAGE_NAME:Also style-only commit applied.
Pardon: could not reopen my previous PR #15966.