
Bug#889940: stretch-pu: package miniupnpd/1.8.20140523-4.1 fix for CVE-2017-1000494



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I'd like to push for an update of miniupnpd in Stretch, in order to fix
CVE-2017-1000494. The security team decided to go without a DSA.

Attached is the debdiff for the fix.

Also, please let me know if my .changes must include the .orig.tar.gz;
if it must, I'll rebuild with --force-orig-source. I'm sorry, I
never remember when it should or not... :(

I've uploaded the built package there if you want to have a look:
http://sid.gplhost.com/stretch-proposed-updates/miniupnpd/

Cheers,

Thomas Goirand (zigo)
diff -Nru miniupnpd-1.8.20140523/debian/changelog miniupnpd-1.8.20140523/debian/changelog
--- miniupnpd-1.8.20140523/debian/changelog	2017-01-13 12:52:51.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/changelog	2018-02-07 12:18:50.000000000 +0100
@@ -1,3 +1,9 @@
+miniupnpd (1.8.20140523-4.1+deb9u1) stretch; urgency=medium
+
+  * Apply patch from upstream for CVE-2017-1000494 (Closes: #887129).
+
+ -- Thomas Goirand <zigo@debian.org>  Wed, 07 Feb 2018 12:18:50 +0100
+
 miniupnpd (1.8.20140523-4.1) unstable; urgency=medium
 
   * Non-maintainer upload.
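
Review bot: The new changelog entry says only "Apply patch from upstream" and does not say what the patch touches. For a stable update it helps to name the patch file (debian/patches/CVE-2017-1000494.patch) and the two changes it carries, the CDATA length check in minixml.c and the zero-initialisation of struct NameValueParserData in upnpreplyparse.c, so the scope is clear without opening the debdiff.
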
diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch
--- miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch	1970-01-01 01:00:00.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch	2018-02-07 12:18:43.000000000 +0100
@@ -0,0 +1,35 @@
+Description: fix for CVE-2017-1000494
+ This patch was backported by upstream.
+Author: Thomas Bernard <miniupnp@free.fr>
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/887129
+Last-Update: 2018-02-07
+
+diff -ru miniupnpd-1.8.20140523.orig/minixml.c miniupnpd-1.8.20140523/minixml.c
+--- miniupnpd-1.8.20140523.orig/minixml.c	2014-02-05 17:29:33.000000000 +0100
++++ miniupnpd-1.8.20140523/minixml.c	2018-02-02 16:46:19.115527000 +0100
+@@ -161,7 +161,8 @@
+ 						if (p->xml >= p->xmlend)
+ 							return;
+ 					}
+-					if(memcmp(p->xml, "<![CDATA[", 9) == 0)
++					/* CDATA are at least 9 + 3 characters long : <![CDATA[ ]]> */
++					if((p->xmlend >= (p->xml + (9 + 3))) && (memcmp(p->xml, "<![CDATA[", 9) == 0))
+ 					{
+ 						/* CDATA handling */
+ 						p->xml += 9;
+Only in miniupnpd-1.8.20140523: minixml.c.orig
+diff -ru miniupnpd-1.8.20140523.orig/upnpreplyparse.c miniupnpd-1.8.20140523/upnpreplyparse.c
+--- miniupnpd-1.8.20140523.orig/upnpreplyparse.c	2013-06-07 10:44:40.000000000 +0200
++++ miniupnpd-1.8.20140523/upnpreplyparse.c	2018-02-02 16:45:30.735156000 +0100
+@@ -90,9 +90,8 @@
+                struct NameValueParserData * data)
+ {
+     struct xmlparser parser;
++	memset(data, 0, sizeof(struct NameValueParserData));
+     LIST_INIT(&(data->head));
+-	data->portListing = NULL;
+-	data->portListingLength = 0;
+     /* init xmlparser object */
+     parser.xmlstart = buffer;
+     parser.xmlsize = bufsize;
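
Review bot: In the minixml.c part, the new guard computes p->xml + (9 + 3) before comparing it with p->xmlend, which forms a pointer beyond the end of the buffer whenever fewer than 12 bytes remain; comparing lengths instead, (p->xmlend - p->xml) >= (9 + 3), gives the same result without depending on out-of-range pointer arithmetic. Two smaller points in the same file: the line "Only in miniupnpd-1.8.20140523: minixml.c.orig" is leftover diff -ru output and should be dropped from the quilt patch, and the added memset() line is tab-indented while the surrounding lines in upnpreplyparse.c use spaces. Since the header says upstream did the backport, an Origin field pointing at the upstream change would make the provenance checkable.
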
diff -Nru miniupnpd-1.8.20140523/debian/patches/series miniupnpd-1.8.20140523/debian/patches/series
--- miniupnpd-1.8.20140523/debian/patches/series	2017-01-13 12:51:16.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/series	2018-02-07 12:18:49.000000000 +0100
@@ -4,3 +4,4 @@
 0040_fix_buffer_overrun_in_ParseHttpHeaders.patch
 0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch
 0060_iptables_check.patch
+CVE-2017-1000494.patch
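
Review bot: The new series entry CVE-2017-1000494.patch drops the numeric prefix that the entries above it use (0040_, 0050_, 0060_). Giving it the next number in that scheme would keep the naming consistent and make the apply order obvious from the file names.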
