Debian Bug report logs -
#862273
miniupnpc: CVE-2017-8798: miniupnp integer signedness error
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 10 May 2017 14:27:01 UTC
Severity: grave
Tags: patch, security, upstream
Found in version miniupnpc/1.9.20140610-2
Fixed in version miniupnpc/1.9.20140610-3
Done: Thomas Goirand <zigo@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thomas Goirand <zigo@debian.org>: Bug#862273; Package src:miniupnpc. (Wed, 10 May 2017 14:27:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thomas Goirand <zigo@debian.org>. (Wed, 10 May 2017 14:27:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: miniupnpc
Version: 1.9.20140610-2
Severity: grave
Tags: patch upstream security
Justification: user security hole
Hi,
the following vulnerability was published for miniupnpc.
CVE-2017-8798[0]:
miniupnp integer signedness error
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-8798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8798
[1] https://github.com/miniupnp/miniupnp/commit/f0f1f4b22d6a98536377a1bb07e7c20e4703d229
Regards,
Salvatore
Reply sent to Thomas Goirand <zigo@debian.org>: You have taken responsibility. (Thu, 18 May 2017 15:21:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 18 May 2017 15:21:04 GMT)
Message #10 received at 862273-close@bugs.debian.org:
Source: miniupnpc
Source-Version: 1.9.20140610-3
We believe that the bug you reported is fixed in the latest version of
miniupnpc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 862273@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated miniupnpc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 18 May 2017 13:41:57 +0200
Source: miniupnpc
Binary: miniupnpc libminiupnpc10 libminiupnpc-dev python-miniupnpc
Architecture: source amd64
Version: 1.9.20140610-3
Distribution: unstable
Urgency: high
Maintainer: Thomas Goirand <zigo@debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
libminiupnpc-dev - UPnP IGD client lightweight library development files
libminiupnpc10 - UPnP IGD client lightweight library
miniupnpc - UPnP IGD client lightweight library client
python-miniupnpc - UPnP IGD client lightweight library Python bindings
Closes: 862273
Changes:
miniupnpc (1.9.20140610-3) unstable; urgency=high
.
* Add More_accurate_checking_while_writing_buffer_in_simpleUPnPcommand2.patch
which fixes a buffer overflow.
* CVE-2017-8798: integer signedness error. Applied upstream patch.
(Closes: #862273).
* Define _DEFAULT_SOURCE to avoid FTBFS.
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>: Bug#862273; Package src:miniupnpc. (Fri, 09 Jun 2017 08:45:11 GMT)
Acknowledgement sent to Suraj Bhandari <surajb7260@gmail.com>: Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Fri, 09 Jun 2017 08:45:11 GMT)
Message #15 received at 862273@bugs.debian.org:
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:50:03 GMT)
Last modified: Wed Jun 19 14:32:48 2019