Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Dear release team,
Please allow me to upload miniupnpd/1.8.20140523-4.1+deb9u2, as the
security team told me the CVE in the Subject do not need a DSA.
The upload only adds the upstream patches, Stretch doesn't seem to
be affected by CVE-2019-12111. On top of that, the fixed version adds
a change to debian/gbp.conf (only branch names), please allow this to
get in as well, as this simplifies the packaging update tasks.
Debdiff attached, pre-built packages available from here:
http://sid.gplhost.com/stretch-proposed-updates/miniupnpd/
Cheers,
Thomas Goirand (zigo)
diff -Nru miniupnpd-1.8.20140523/debian/changelog
miniupnpd-1.8.20140523/debian/changelog
--- miniupnpd-1.8.20140523/debian/changelog 2018-02-07 12:18:50.0
+0100
+++ miniupnpd-1.8.20140523/debian/changelog 2019-06-07 09:16:03.0
+0200
@@ -1,3 +1,11 @@
+miniupnpd (1.8.20140523-4.1+deb9u2) stretch; urgency=medium
+
+ * Applied upstream patches for CVE-2019-12107, CVE-2019-12108,
+CVE-2019-12109, CVE-2019-12110. This version looks like not affected by
+CVE-2019-12111. (Closes: #930050).
+
+ -- Thomas Goirand Fri, 07 Jun 2019 09:16:03 +0200
+
miniupnpd (1.8.20140523-4.1+deb9u1) stretch; urgency=medium
* Apply patch from upstream for CVE-2017-1000494 (Closes: #887129).
diff -Nru miniupnpd-1.8.20140523/debian/gbp.conf
miniupnpd-1.8.20140523/debian/gbp.conf
--- miniupnpd-1.8.20140523/debian/gbp.conf 2014-12-09 15:37:29.0
+0100
+++ miniupnpd-1.8.20140523/debian/gbp.conf 2019-06-07 09:16:03.0
+0200
@@ -1,6 +1,6 @@
[DEFAULT]
-upstream-branch = upstream-sid
-debian-branch = debian-sid
+upstream-branch = upstream-stretch
+debian-branch = debian-stretch
pristine-tar = True
[git-buildpackage]
diff -Nru
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
---
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
1970-01-01 01:00:00.0 +0100
+++
miniupnpd-1.8.20140523/debian/patches/CVE-2019-12107_upnp_event_prepare_check_the_return_value_of_snprintf.patch
2019-06-07 09:16:03.0 +0200
@@ -0,0 +1,57 @@
+Description: CVE-2019-12107: upnp_event_prepare(): check the return value of
snprintf()
+Author: Thomas Bernard
+Date: Tue, 18 Dec 2018 22:37:14 +0100
+Origin: upstream,
https://github.com/miniupnp/miniupnp/commit/bec6ccec63cadc95655721bc0e1dd49dac759d94
+Last-Update: 2019-06-07
+Bug-Debian: https://bugs.debian.org/930050
+
+Index: miniupnpd/upnpevents.c
+===
+--- miniupnpd.orig/upnpevents.c
miniupnpd/upnpevents.c
+@@ -383,19 +383,34 @@ static void upnp_event_prepare(struct up
+ l = 0;
+ }
+ obj->buffersize = 1024;
+- obj->buffer = malloc(obj->buffersize);
+- if(!obj->buffer) {
+- syslog(LOG_ERR, "%s: malloc returned NULL",
"upnp_event_prepare");
+- if(xml) {
+- free(xml);
++ for (;;) {
++ obj->buffer = malloc(obj->buffersize);
++ if(!obj->buffer) {
++ syslog(LOG_ERR, "%s: malloc returned NULL",
"upnp_event_prepare");
++ if(xml) {
++ free(xml);
++ }
++ obj->state = EError;
++ return;
+ }
+- obj->state = EError;
+- return;
++ obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
++ obj->path, obj->addrstr, obj->portstr,
l+2,
++ obj->sub->uuid, obj->sub->seq,
++ l, xml);
++ if (obj->tosend < 0) {
++ syslog(LOG_ERR, "%s: snprintf() failed",
"upnp_event_prepare");
++ if(xml) {
++ free(xml);
++ }
++ obj->state = EError;
++ return;
++ } else if (obj->tosend < obj->buffersize) {
++ break; /* the buffer was large enough */
++ }
++ /* Try again with a buffer big enough */
++ free(obj->buffer);
++ obj->buffersize = obj->tosend + 1; /* reserve space for
the final 0 */
+ }
+- obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
+- obj->path, obj->addrstr, obj->portstr, l+2,
+- obj->sub->uuid, obj->sub->seq,
+- l, xml);
+ if(xml) {
+ free(xml);
+ xml = NULL;
diff -Nru
min