Bug#1140436: trixie-pu: package miniupnpd/2.3.9-2+deb13u1

[Adrian Bunk]

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: miniup...@packages.debian.org, secur...@debian.org
Control: affects -1 + src:miniupnpd
User: release.debian....@packages.debian.org
Usertags: pu

  * CVE-2026-5720: integer underflow in SOAPAction header parsing
    (Closes: #1134334)

diffstat for miniupnpd-2.3.9 miniupnpd-2.3.9

 changelog                                                               |    8 
++
 patches/0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch |   31 
++++++++++
 patches/series                                                          |    1 
 3 files changed, 40 insertions(+)

diff -Nru miniupnpd-2.3.9/debian/changelog miniupnpd-2.3.9/debian/changelog
--- miniupnpd-2.3.9/debian/changelog    2025-05-09 18:45:01.000000000 +0300
+++ miniupnpd-2.3.9/debian/changelog    2026-06-20 15:18:31.000000000 +0300
@@ -1,3 +1,11 @@
+miniupnpd (2.3.9-2+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-5720: integer underflow in SOAPAction header parsing
+    (Closes: #1134334)
+
+ -- Adrian Bunk <b...@debian.org>  Sat, 20 Jun 2026 15:18:31 +0300
+
 miniupnpd (2.3.9-2) unstable; urgency=medium
 
   * Fix autopkgtest.
diff -Nru 
miniupnpd-2.3.9/debian/patches/0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch
 
miniupnpd-2.3.9/debian/patches/0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch
--- 
miniupnpd-2.3.9/debian/patches/0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch
      1970-01-01 02:00:00.000000000 +0200
+++ 
miniupnpd-2.3.9/debian/patches/0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch
      2026-06-20 15:18:31.000000000 +0300
@@ -0,0 +1,31 @@
+From 8bf6c943b86b2ac476426da36f9557a377767c14 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniu...@free.fr>
+Date: Mon, 23 Mar 2026 02:37:02 +0100
+Subject: upnphttp.c: fix removal of quotes in ParseHttpHeaders()
+
+the length of the string including the quotes must be at
+least 2 for the string to contain the 2 enclosing quotes !
+---
+ upnphttp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/upnphttp.c b/upnphttp.c
+index f405f7d..838fdcc 100644
+--- a/upnphttp.c
++++ b/upnphttp.c
+@@ -262,9 +262,10 @@ ParseHttpHeaders(struct upnphttp * h)
+                                       p++;
+                               while(p[n]>=' ')
+                                       n++;
+-                              if((p[0] == '"' && p[n-1] == '"')
+-                                || (p[0] == '\'' && p[n-1] == '\''))
++                              if((n >= 2) && ((p[0] == '"' && p[n-1] == '"')
++                                           || (p[0] == '\'' && p[n-1] == 
'\'')))
+                               {
++                                      /* remove the quotes */
+                                       p++; n -= 2;
+                               }
+                               h->req_soapActionOff = p - h->req_buf;
+-- 
+2.47.3
+
diff -Nru miniupnpd-2.3.9/debian/patches/series 
miniupnpd-2.3.9/debian/patches/series
--- miniupnpd-2.3.9/debian/patches/series       2025-05-09 18:45:01.000000000 
+0300
+++ miniupnpd-2.3.9/debian/patches/series       2026-06-20 15:18:31.000000000 
+0300
@@ -1,2 +1,3 @@
 makefile-tweak.patch
 miniupnpd-allow-ipv4-listening-specify.patch
+0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch