Your message dated Fri, 01 Feb 2013 21:47:34 +0000
with message-id <[email protected]>
and subject line Bug#699316: fixed in libupnp 1:1.6.17-1.2
has caused the Debian Bug report #699316,
regarding libupnp: Multiple stack buffer overflow vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
699316: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699316
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libupnp
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for libupnp.

CVE-2012-5958[0]: Stack buffer overflow of Tempbuf
CVE-2012-5959[1]: Stack buffer overflow of Event->UDN
CVE-2012-5960[2]: Stack buffer overflow of Event->UDN
CVE-2012-5961[3]: Stack buffer overflow of Evt->UDN
CVE-2012-5962[4]: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963[5]: Stack buffer overflow of Event->UDN
CVE-2012-5964[6]: Stack buffer overflow of Event->DeviceType
CVE-2012-5965[7]: Stack buffer overflow of Event->DeviceType

Upstream changelog for 1.6.18 states:

*******************************************************************************
Version 1.6.18
*******************************************************************************

2012-12-06 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>

Security fix for CERT issue VU#922681

This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the following CVE numbers:

CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

Notice that the following issues have already been dealt with by previous
work:

CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958
    http://security-tracker.debian.org/tracker/CVE-2012-5958
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959
    http://security-tracker.debian.org/tracker/CVE-2012-5959
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960
    http://security-tracker.debian.org/tracker/CVE-2012-5960
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961
    http://security-tracker.debian.org/tracker/CVE-2012-5961
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962
    http://security-tracker.debian.org/tracker/CVE-2012-5962
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963
    http://security-tracker.debian.org/tracker/CVE-2012-5963
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964
    http://security-tracker.debian.org/tracker/CVE-2012-5964
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965
    http://security-tracker.debian.org/tracker/CVE-2012-5965

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libupnp
Source-Version: 1:1.6.17-1.2

We believe that the bug you reported is fixed in the latest version of
libupnp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <[email protected]> (supplier of updated libupnp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Feb 2013 21:56:12 +0100
Source: libupnp
Binary: libupnp6 libupnp6-dev libupnp-dev libupnp6-dbg libupnp6-doc
Architecture: source amd64 all
Version: 1:1.6.17-1.2
Distribution: unstable
Urgency: high
Maintainer: Nick Leverton <[email protected]>
Changed-By: Yves-Alexis Perez <[email protected]>
Description:
 libupnp-dev - Portable SDK for UPnP Devices (development files)
 libupnp6 - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
 libupnp6-dbg - debugging symbols for libupnp6
 libupnp6-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
 libupnp6-doc - Documentation for the Portable SDK for UPnP Devices, version 1.6
Closes: 699316
Changes:
 libupnp (1:1.6.17-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
     various stack-based buffer overflows in service_unique_name() function.
     This fixes CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
     CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965.
     closes: #699316
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---

