Dear security team,

I have built an update of miniupnpd for Stretch. However, it's unclear
to me if this should go through stretch-pu, or through stretch-security.
Please let me know.

In case you would like to get it through stretch-security, here's a
debdiff attached.

Note that Sid/Buster was updated through a newer upstream release
upload. I'm also working on getting miniupnpc and libnatpmp updated;
however, this will need transition management from the release team.

Cheers,

Thomas Goirand (zigo)

diff -Nru miniupnpd-1.8.20140523/debian/changelog 
miniupnpd-1.8.20140523/debian/changelog
--- miniupnpd-1.8.20140523/debian/changelog     2017-01-13 12:52:51.000000000 
+0100
+++ miniupnpd-1.8.20140523/debian/changelog     2018-02-07 12:18:50.000000000 
+0100
@@ -1,3 +1,9 @@
+miniupnpd (1.8.20140523-4.1+deb9u1) stretch; urgency=medium
+
+  * Apply patch from upstream for CVE-2017-1000494 (Closes: #887129).
+
+ -- Thomas Goirand <[email protected]>  Wed, 07 Feb 2018 12:18:50 +0100
+
 miniupnpd (1.8.20140523-4.1) unstable; urgency=medium
 
   * Non-maintainer upload.
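
Review bot: the distribution field on the new entry is `stretch`, which fits a stable point-release upload; if this goes through the security archive instead, that field needs to read `stretch-security`, so the entry cannot be finalised until the routing question is answered. The entry also names only the CVE; mentioning that the fix touches minixml.c and upnpreplyparse.c would help anyone reading the changelog later.
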
diff -Nru miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch 
miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch
--- miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch        
1970-01-01 01:00:00.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/CVE-2017-1000494.patch        
2018-02-07 12:18:43.000000000 +0100
@@ -0,0 +1,35 @@
+Description: fix for CVE-2017-1000494
+ This patch was backported by upstream.
+Author: Thomas Bernard <[email protected]>
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/887129
+Last-Update: 2018-02-07
+
+diff -ru miniupnpd-1.8.20140523.orig/minixml.c miniupnpd-1.8.20140523/minixml.c
+--- miniupnpd-1.8.20140523.orig/minixml.c      2014-02-05 17:29:33.000000000 
+0100
++++ miniupnpd-1.8.20140523/minixml.c   2018-02-02 16:46:19.115527000 +0100
+@@ -161,7 +161,8 @@
+                                               if (p->xml >= p->xmlend)
+                                                       return;
+                                       }
+-                                      if(memcmp(p->xml, "<![CDATA[", 9) == 0)
++                                      /* CDATA are at least 9 + 3 characters 
long : <![CDATA[ ]]> */
++                                      if((p->xmlend >= (p->xml + (9 + 3))) && 
(memcmp(p->xml, "<![CDATA[", 9) == 0))
+                                       {
+                                               /* CDATA handling */
+                                               p->xml += 9;
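
Review bot: in the new condition, `p->xml + (9 + 3)` is computed before it is compared with `p->xmlend`, so when fewer than 12 bytes remain the expression can form a pointer past the end of the buffer, which C leaves undefined. Comparing the remaining length instead, as in `(p->xmlend - p->xml) >= (9 + 3)`, gives the same guard without that. The hunk ends at `p->xml += 9;`, so the scan for the closing `]]>` is not visible here and is worth checking against the same `xmlend` bound. The `Only in ... minixml.c.orig` line that follows is leftover `diff -ru` output and can be dropped from the patch file.
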
+Only in miniupnpd-1.8.20140523: minixml.c.orig
+diff -ru miniupnpd-1.8.20140523.orig/upnpreplyparse.c 
miniupnpd-1.8.20140523/upnpreplyparse.c
+--- miniupnpd-1.8.20140523.orig/upnpreplyparse.c       2013-06-07 
10:44:40.000000000 +0200
++++ miniupnpd-1.8.20140523/upnpreplyparse.c    2018-02-02 16:45:30.735156000 
+0100
+@@ -90,9 +90,8 @@
+                struct NameValueParserData * data)
+ {
+     struct xmlparser parser;
++      memset(data, 0, sizeof(struct NameValueParserData));
+     LIST_INIT(&(data->head));
+-      data->portListing = NULL;
+-      data->portListingLength = 0;
+     /* init xmlparser object */
+     parser.xmlstart = buffer;
+     parser.xmlsize = bufsize;
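
Review bot: the added `memset(data, 0, sizeof(struct NameValueParserData));` carries no comment, and the patch header does not say which members needed zeroing. The two removed assignments only covered `portListing` and `portListingLength`, so a short comment naming the member that was previously left uninitialised would make the security relevance clear. `sizeof(*data)` would keep the size tied to the pointer's type, and the added line's indentation differs from the surrounding context lines.
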
diff -Nru miniupnpd-1.8.20140523/debian/patches/series 
miniupnpd-1.8.20140523/debian/patches/series
--- miniupnpd-1.8.20140523/debian/patches/series        2017-01-13 
12:51:16.000000000 +0100
+++ miniupnpd-1.8.20140523/debian/patches/series        2018-02-07 
12:18:49.000000000 +0100
@@ -4,3 +4,4 @@
 0040_fix_buffer_overrun_in_ParseHttpHeaders.patch
 0050_check_if_BuildHeader_upnphttp_failed_to_allocate_memory.patch
 0060_iptables_check.patch
+CVE-2017-1000494.patch
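
Review bot: the new series entry `CVE-2017-1000494.patch` breaks the numbered naming used by the entries above it (`0040_`, `0050_`, `0060_`); a name such as `0070_CVE-2017-1000494.patch` would keep the apply order readable from the file names.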
