-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear security team,

I have built an update of miniupnpd for Stretch. However, it's unclear to me if this should go through stretch-pu, or through stretch-security. Please let me know. In case you would like to get it through stretch-security, here's a debdiff attached.

Note that Sid/Buster was updated through a newer upstream release upload.

I'm also working on getting miniupnpc and libnatpmp updated; however, this will need transition management from the release team.

Cheers,

Thomas Goirand (zigo)
diff -Nru miniupnpd-1.8.20140523/debian/changelog miniupnpd-1.8.20140523/debian/changelog --- miniupnpd-1.8.20140523/debian/changelog 2017-01-13 12:52:51.000000000 +0100 +++ miniupnpd-1.8.20140523/debian/changelog 2018-02-07 12:18:50.000000000 +0100 @@ -1,3 +1,9 @@ +miniupnpd (1.8.20140523-4.1+deb9u1) stretch; urgency=medium + + * Apply patch from upstream for CVE-2017-1000494 (Closes: #887129). + + -- Thomas Goirand <[email protected]> Wed, 07 Feb 2018 12:18:50 +0100 + miniupnpd (1.8.20140523-4.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch --- miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch 1970-01-01 01:00:00.000000000 +0100 +++ miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch 2018-02-07 12:18:43.000000000 +0100 @@ -0,0 +1,35 @@ +Description: fix for CVE-2017-1000494 + This patch was backported by upstream. +Author: Thomas Bernard <[email protected]> +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/887129 +Last-Update: 2018-02-07 + +diff -ru miniupnpd-1.8.20140523.orig/minixml.c miniupnpd-1.8.20140523/minixml.c +--- miniupnpd-1.8.20140523.orig/minixml.c 2014-02-05 17:29:33.000000000 +0100 ++++ miniupnpd-1.8.20140523/minixml.c 2018-02-02 16:46:19.115527000 +0100 +@@ -161,7 +161,8 @@ + if (p->xml >= p->xmlend) + return; + } +- if(memcmp(p->xml, "<![CDATA[", 9) == 0) ++ /* CDATA are at least 9 + 3 characters long : <![CDATA[ ]]> */ ++ if((p->xmlend >= (p->xml + (9 + 3))) && (memcmp(p->xml, "<
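Review bot: the changelog entry `miniupnpd (1.8.20140523-4.1+deb9u1) stretch; urgency=medium` targets the `stretch` distribution, which is the stretch-pu route; if the security team takes this through stretch-security, as the cover mail asks about, the distribution field needs to be `stretch-security` before upload, and a CVE fix would usually carry `urgency=high` rather than `medium`. The `+deb9u1` version suffix and the `(Closes: #887129)` reference are consistent with a stable update.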
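Review bot: in the added guard `if((p->xmlend >= (p->xml + (9 + 3))) && (memcmp(p->xml, "<` the check is made by first forming the pointer `p->xml + 12`; when fewer than 12 bytes remain before `p->xmlend`, that pointer is computed past the end of the buffer, which C leaves undefined even if it is never dereferenced. Writing the same condition on lengths, `(p->xmlend - p->xml) >= 12`, keeps the intended bound (the `<![CDATA[` ... `]]>` minimum noted in the comment) without that issue. Separately, the DEP-3 header states `Forwarded: not-needed` and `This patch was backported by upstream`; an `Origin:` line naming the upstream commit would make that provenance verifiable from the patch itself.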
