Bug#889940: stretch-pu: package miniupnpd/1.8.20140523-4.1 fix for CVE-2017-1000494

2018-03-30 Thread Adam D. Barratt
Control: tags -1 + pending

On Fri, 2018-02-23 at 17:35 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2018-02-09 at 00:15 +0100, Thomas Goirand wrote:
> > I'd like to push for an update of miniupnpd in Stretch, in order to fix
> > CVE-2017-1000494. The security team decided to go without a DSA.
> > 
> > Attached is the debdiff for the fix.
> 
> Please go ahead.
> 

Uploaded and flagged for acceptance.

Regards,

Adam



Bug#889940: stretch-pu: package miniupnpd/1.8.20140523-4.1 fix for CVE-2017-1000494

2018-02-23 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2018-02-09 at 00:15 +0100, Thomas Goirand wrote:
> I'd like to push for an update of miniupnpd in Stretch, in order to fix
> CVE-2017-1000494. The security team decided to go without a DSA.
> 
> Attached is the debdiff for the fix.

Please go ahead.

> Also, please let me know if my .changes must include the .orig.tar.gz,
> if it must, I'll rebuild with --force-orig-source. I'm sorry for I
> never remember when it should or not... :(
> 

No. It's required for the first upload of that .orig to a particular
archive (i.e. ftp-master or security), but not for subsequent uploads
to that archive.

Regards,

Adam



Bug#889940: stretch-pu: package miniupnpd/1.8.20140523-4.1 fix for CVE-2017-1000494

2018-02-08 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I'd like to push for an update of miniupnpd in Stretch, in order to fix
CVE-2017-1000494. The security team decided to go without a DSA.

Attached is the debdiff for the fix.

Also, please let me know if my .changes must include the .orig.tar.gz,
if it must, I'll rebuild with --force-orig-source. I'm sorry for I
never remember when it should or not... :(

I've uploaded the built package there if you want to have a look:
http://sid.gplhost.com/stretch-proposed-updates/miniupnpd/

Cheers,

Thomas Goirand (zigo)
diff -Nru miniupnpd-1.8.20140523/debian/changelog 
miniupnpd-1.8.20140523/debian/changelog
--- miniupnpd-1.8.20140523/debian/changelog 2017-01-13 12:52:51.0 
+0100
+++ miniupnpd-1.8.20140523/debian/changelog 2018-02-07 12:18:50.0 
+0100
@@ -1,3 +1,9 @@
+miniupnpd (1.8.20140523-4.1+deb9u1) stretch; urgency=medium
+
+  * Apply patch from upstream for CVE-2017-1000494 (Closes: #887129).
+
+ -- Thomas Goirand   Wed, 07 Feb 2018 12:18:50 +0100
+
 miniupnpd (1.8.20140523-4.1) unstable; urgency=medium
 
   * Non-maintainer upload.
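Review bot: The new entry at the top of debian/changelog says only "Apply patch from upstream for CVE-2017-1000494" and does not say what is changed. For a stable update it helps the release team if the line names the patch file this debdiff adds (debian/patches/CVE-2017-1000494.patch) and the source file it touches (minixml.c), for example "Add CVE-2017-1000494.patch: length check before memcmp() in minixml.c". The +deb9u1 version suffix and the stretch distribution field are what a proposed update needs.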
diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch 
miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch
--- miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch
1970-01-01 01:00:00.0 +0100
+++ miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch
2018-02-07 12:18:43.0 +0100
@@ -0,0 +1,35 @@
+Description: fix for CVE-2017-1000494
+ This patch was backported by upstream.
+Author: Thomas Bernard 
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/887129
+Last-Update: 2018-02-07
+
+diff -ru miniupnpd-1.8.20140523.orig/minixml.c miniupnpd-1.8.20140523/minixml.c
+--- miniupnpd-1.8.20140523.orig/minixml.c  2014-02-05 17:29:33.0 
+0100
 miniupnpd-1.8.20140523/minixml.c   2018-02-02 16:46:19.115527000 +0100
+@@ -161,7 +161,8 @@
+   if (p->xml >= p->xmlend)
+   return;
+   }
+-  if(memcmp(p->xml, " */
++  if((p->xmlend >= (p->xml + (9 + 3))) && 
(memcmp(p->xml,
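Review bot: In the minixml.c change carried by this patch file, the added guard "(p->xmlend >= (p->xml + (9 + 3)))" computes the pointer p->xml + 12 before comparing it, and when fewer than 12 bytes remain in the buffer that pointer lies more than one element past its end, which C leaves undefined. Comparing the remaining length instead, "(p->xmlend - p->xml) >= (9 + 3)", expresses the same check without out-of-range pointer arithmetic. The constants 9 and 3 would also benefit from a short comment saying which lengths they stand for. In the DEP-3 header, "This patch was backported by upstream" with "Forwarded: not-needed" would be easier to audit with an Origin: field pointing at the upstream change.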