Hi Thomas, and Thomas,

On Fri, Oct 23, 2015 at 12:18:57AM +0200, miniupnp wrote:
> Doesn't the following patch apply?
>
> https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78
>
> I think it applies properly on all releases since at least 1.5, maybe even
> before.

I have now uploaded the attached debdiffs to security-master to be released in a DSA. I can prepare -- if needed -- an NMU for sid as well, but just applying the patch. I guess though it would be better to go just for a new upstream version there.

Regards,
Salvatore

diff -u miniupnpc-1.5/debian/changelog miniupnpc-1.5/debian/changelog --- miniupnpc-1.5/debian/changelog +++ miniupnpc-1.5/debian/changelog @@ -1,3 +1,11 @@ +miniupnpc (1.5-2+deb7u1) wheezy-security; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2015-6031: Buffer overflow vulnerability in XML parser functionality + (Closes: #802650) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 25 Oct 2015 07:35:29 +0100 + miniupnpc (1.5-2) unstable; urgency=low * libminiupnpc-dev now depends on libminiupnpc5 (Closes: #617774). only in patch2: unchanged: --- miniupnpc-1.5.orig/igd_desc_parse.c +++ miniupnpc-1.5/igd_desc_parse.c @@ -15,7 +15,9 @@ void IGDstartelt(void * d, const char * name, int l) { struct IGDdatas * datas = (struct IGDdatas *)d; - memcpy( datas->cureltname, name, l); + if(l >= MINIUPNPC_URL_MAXSIZE) + l = MINIUPNPC_URL_MAXSIZE-1; + memcpy(datas->cureltname, name, l); datas->cureltname[l] = '\0'; datas->level++; if( (l==7) && !memcmp(name, "service", l) ) {
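
Review bot: the new clamp in IGDstartelt (igd_desc_parse.c) only bounds l from above. l is a signed int, so a negative value passes `if(l >= MINIUPNPC_URL_MAXSIZE)` unchanged, is converted to a very large size in the memcpy, and is then used as the index in `datas->cureltname[l] = '\0'`. If the XML parser callback can never deliver a negative length, a comment saying so would help; otherwise add an `l < 0` guard next to the upper bound. The limit also relies on cureltname being declared with MINIUPNPC_URL_MAXSIZE bytes, which this hunk does not show; using sizeof(datas->cureltname) would tie the bound to the buffer itself.
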
diff -Nru miniupnpc-1.9.20140610/debian/changelog miniupnpc-1.9.20140610/debian/changelog --- miniupnpc-1.9.20140610/debian/changelog 2014-07-13 16:43:51.000000000 +0200 +++ miniupnpc-1.9.20140610/debian/changelog 2015-10-25 07:54:43.000000000 +0100 @@ -1,3 +1,12 @@ +miniupnpc (1.9.20140610-2+deb8u1) jessie-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Add CVE-2015-6031.patch patch. + CVE-2015-6031: Buffer overflow vulnerability in XML parser + functionality. (Closes: #802650) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 25 Oct 2015 07:49:17 +0100 + miniupnpc (1.9.20140610-2) unstable; urgency=medium * Uploading to unstable. diff -Nru miniupnpc-1.9.20140610/debian/patches/CVE-2015-6031.patch miniupnpc-1.9.20140610/debian/patches/CVE-2015-6031.patch --- miniupnpc-1.9.20140610/debian/patches/CVE-2015-6031.patch 1970-01-01 01:00:00.000000000 +0100 +++ miniupnpc-1.9.20140610/debian/patches/CVE-2015-6031.patch 2015-10-25 07:54:43.000000000 +0100 
@@ -0,0 +1,21 @@ +Description: igd_desc_parse.c: fix buffer overflow (CVE-2015-6031) +Origin: upstream, https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78 +Bug-Debian: https://bugs.debian.org/802650 +Forwarded: no +Author: Thomas Bernard <miniu...@free.fr> +Last-Update: 2015-10-25 +Applied-Upstream: 1.9.20150917 +--- +--- a/igd_desc_parse.c ++++ b/igd_desc_parse.c +@@ -15,7 +15,9 @@ + void IGDstartelt(void * d, const char * name, int l) + { + struct IGDdatas * datas = (struct IGDdatas *)d; +- memcpy( datas->cureltname, name, l); ++ if(l >= MINIUPNPC_URL_MAXSIZE) ++ l = MINIUPNPC_URL_MAXSIZE-1; ++ memcpy(datas->cureltname, name, l); + datas->cureltname[l] = '\0'; + datas->level++; + if( (l==7) && !memcmp(name, "service", l) ) { diff -Nru miniupnpc-1.9.20140610/debian/patches/series miniupnpc-1.9.20140610/debian/patches/series --- miniupnpc-1.9.20140610/debian/patches/series 2014-07-13 16:43:51.000000000 +0200 +++ miniupnpc-1.9.20140610/debian/patches/series 2015-10-25 07:54:43.000000000 +0100 @@ -1 +1,2 @@ correct-typo-in-manpage.patch +CVE-2015-6031.patch
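
Review bot: in the DEP-3 header of debian/patches/CVE-2015-6031.patch, `Forwarded: no` does not fit with `Origin: upstream` and `Applied-Upstream: 1.9.20150917` in the same header. Since the change is taken from the upstream commit, `Forwarded: not-needed` describes its status more accurately. The embedded igd_desc_parse.c change is the same clamp as in the 1.5 debdiff, so the long element name is truncated silently to MINIUPNPC_URL_MAXSIZE-1 bytes; a short sentence in the Description field noting that truncation behaviour would document it for later readers of the patch.
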