miniupnpc: CVE-2017-8798: miniupnp integer signedness error

Related Vulnerabilities: CVE-2017-8798  

Debian Bug report logs - #862273
miniupnpc: CVE-2017-8798: miniupnp integer signedness error


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 10 May 2017 14:27:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version miniupnpc/1.9.20140610-2

Fixed in version miniupnpc/1.9.20140610-3

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#862273; Package src:miniupnpc. (Wed, 10 May 2017 14:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thomas Goirand <zigo@debian.org>. (Wed, 10 May 2017 14:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: miniupnpc: CVE-2017-8798: miniupnp integer signedness error
Date: Wed, 10 May 2017 16:23:43 +0200
Source: miniupnpc
Version: 1.9.20140610-2
Severity: grave
Tags: patch upstream security
Justification: user security hole

Hi,

the following vulnerability was published for miniupnpc.

CVE-2017-8798[0]:
miniupnp integer signedness error

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8798
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8798
[1] https://github.com/miniupnp/miniupnp/commit/f0f1f4b22d6a98536377a1bb07e7c20e4703d229

Regards,
Salvatore



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 18 May 2017 15:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 18 May 2017 15:21:04 GMT)


Message #10 received at 862273-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 862273-close@bugs.debian.org
Subject: Bug#862273: fixed in miniupnpc 1.9.20140610-3
Date: Thu, 18 May 2017 15:18:43 +0000
Source: miniupnpc
Source-Version: 1.9.20140610-3

We believe that the bug you reported is fixed in the latest version of
miniupnpc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862273@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated miniupnpc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 18 May 2017 13:41:57 +0200
Source: miniupnpc
Binary: miniupnpc libminiupnpc10 libminiupnpc-dev python-miniupnpc
Architecture: source amd64
Version: 1.9.20140610-3
Distribution: unstable
Urgency: high
Maintainer: Thomas Goirand <zigo@debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 libminiupnpc-dev - UPnP IGD client lightweight library development files
 libminiupnpc10 - UPnP IGD client lightweight library
 miniupnpc  - UPnP IGD client lightweight library client
 python-miniupnpc - UPnP IGD client lightweight library Python bindings
Closes: 862273
Changes:
 miniupnpc (1.9.20140610-3) unstable; urgency=high
 .
   * Add More_accurate_checking_while_writing_buffer_in_simpleUPnPcommand2.patch
     which fixes a buffer overflow.
   * CVE-2017-8798: integer signedness error. Applied upstream patch.
     (Closes: #862273).
   * Define _DEFAULT_SOURCE to avoid FTBFS.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#862273; Package src:miniupnpc. (Fri, 09 Jun 2017 08:45:11 GMT)


Acknowledgement sent to Suraj Bhandari <surajb7260@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Fri, 09 Jun 2017 08:45:11 GMT)


Message #15 received at 862273@bugs.debian.org:

From: Suraj Bhandari <surajb7260@gmail.com>
To: 862273@bugs.debian.org
Subject: Hindi
Date: Fri, 9 Jun 2017 01:39:43 -0700

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:50:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:32:48 2019; Machine Name: beach
