Hello community,

here is the log from the commit of package miniupnpc.4234 for openSUSE:13.2:Update checked in at 2015-11-21 13:23:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/miniupnpc.4234 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.miniupnpc.4234.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "miniupnpc.4234" Changes: -------- New Changes file: --- /dev/null 2015-11-02 12:10:47.524024255 +0100 +++ /work/SRC/openSUSE:13.2:Update/.miniupnpc.4234.new/miniupnpc.changes 2015-11-21 13:23:07.000000000 +0100 
@@ -0,0 +1,111 @@ +------------------------------------------------------------------- +Thu Nov 12 12:52:17 UTC 2015 - abergm...@suse.com + +- fixed a xml parser buffer overflow (bsc#950759)(CVE-2015-6031) + * added miniupnpc-buffer-overflow-fix.patch + +------------------------------------------------------------------- +Wed Jun 11 07:34:30 UTC 2014 - joop.boo...@opensuse.org + +- Update to 1.9: + * added argument remoteHost to UPNP_GetSpecificPortMappingEntry() + increment API_VERSION to 10 + * --help and -h arguments in upnpc.c + * fixed potential buffer overrun in miniwget.c + bnc#881990 + CVE-2014-3985 + Modified UPNP_GetValidIGD() to check for ExternalIpAddress + * define MAXHOSTNAMELEN if not already done + * update upnpreplyparse to allow larger values (128 chars instead of 64) + * Update upnpreplyparse to take into account "empty" elements + validate upnpreplyparse.c code with "make check" + * Fix Solaris build thanks to Maciej MaĆecki + * Fix testminiwget.sh for BSD + * Fixed Makefile for *BSD + * Update Makefile to use JNAerator version 0.11 + * Fix testminiwget.sh for use with dash + Use $(DESTDIR) in Makefile + +------------------------------------------------------------------- +Thu Jun 6 07:37:52 UTC 2013 - joop.boo...@opensuse.org + +- Update to 1.8: + * fix testminiwget with no IPv6 support + * Rename all include guards to not clash with C99 + (7.1.3 Reserved identifiers). 
+ * Added -e option to upnpc program (set description for port mappings) + * Python 3 support (thanks to Christopher Foo) + * Fix a memory link in UPNP_GetValidIGD() + * Try to handle scope id in link local IPv6 URL under MS Windows + * Disable HAS_IP_MREQN on DragonFly BSD + * GetUPNPUrls() now inserts scope into link-local IPv6 addresses + * More error return checks in upnpc.c + #define MINIUPNPC_GET_SRC_ADDR enables receivedata() to get scope_id + * parseURL() now parses IPv6 addresses scope + * new parameter for miniwget() : IPv6 address scope + * increment API_VERSION to 9 + * fixed CMakeLists.txt + * Improvements in testminiwget.sh + +------------------------------------------------------------------- +Mon Dec 24 22:29:47 UTC 2012 - p.drou...@gmail.com + +- Update to 1.7 version: + * Cleanup settings of CFLAGS in Makefile + * Fix signed/unsigned integer comparaisons + * Allow to specify protocol with TCP or UDP for -A option + * Only try to fetch XML description once in UPNP_GetValidIGD() + * Added -ansi flag to compilation, and fixed C++ comments to ANSI C comments. + * minor improvements to minihttptestserver.c + * upnperrors.c returns valid error string for unrecognized error codes + * make minihttptestserver listen on loopback interface instead of 0.0.0.0 + * Maven installation thanks to Alexey Kuznetsov + * Replace WIN32 macro by _WIN32 + * Fixes in java wrappers thanks to Alexey Kuznetsov : + https://github.com/axet/miniupnp/tree/fix-javatest/miniupnpc + * Make and install .deb packages (python) thanks to Alexey Kuznetsov : + https://github.com/axet/miniupnp/tree/feature-debbuild/miniupnpc + * The multicast interface can now be specified by name with IPv4. + * Install man page + * added header to Port Mappings list in upnpc.c + * Makefile : make clean now removes jnaerator generated files. + * MINIUPNPC_VERSION in miniupnpc.h (updated by make) + * added rootdescURL to UPNPUrls structure. 
+- Remove unneeded miniupnpc-makefile.patch + +------------------------------------------------------------------- +Fri Feb 17 09:03:59 UTC 2012 - vu...@opensuse.org + +- Install the headers in /usr/include/miniupnpc/ instead of + /usr/include/: this is cleaner, and this is what users of the + library expect. + +------------------------------------------------------------------- +Sat Jan 7 22:08:25 UTC 2012 - joop.boo...@opensuse.org + +- Corrected the License + +------------------------------------------------------------------- +Fri Dec 23 21:36:13 UTC 2011 - jeng...@medozas.de + +- Remove redundant/unwanted tags/section (cf. specfile guidelines) +- Use %_smp_mflags for parallel building + +------------------------------------------------------------------- +Fri Dec 23 16:44:12 UTC 2011 - joop.boo...@opensuse.org + +- Build version 1.6 +- soname 5 -> 8 + +------------------------------------------------------------------- +Wed Mar 9 00:00:00 UTC 2011 - pascal.ble...@opensuse.org + +- soname 4 -> 5 +- update to 1.5 + +------------------------------------------------------------------- +Sun Mar 7 00:00:00 UTC 2010 - pas...@links2linux.de + +- initial package + +------------------------------------------------------------------- New: ---- miniupnpc-1.9.tar.gz miniupnpc-buffer-overflow-fix.patch miniupnpc.changes miniupnpc.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ miniupnpc.spec ++++++ # # spec file for package miniupnpc # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). 
An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define soname 10 Name: miniupnpc Version: 1.9 Release: 0 Summary: Universal Plug'n'Play (UPnP) Client License: BSD-3-Clause Group: Productivity/Networking/Other Source: http://miniupnp.free.fr/files/miniupnpc-%{version}.tar.gz Url: http://miniupnp.free.fr/ Patch0: miniupnpc-buffer-overflow-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: python-devel Requires: libminiupnpc%{soname} = %{version}-%{release} %description The MiniUPnP project offers software which supports the UPnP Internet Gateway Device (IGD) specifications. %package -n libminiupnpc%{soname} Summary: Universal Plug'n'Play (UPnP) Client Library Group: System/Libraries %description -n libminiupnpc%{soname} The MiniUPnP project offers software which supports the UPnP Internet Gateway Device (IGD) specifications. %package -n libminiupnpc-devel Summary: Universal Plug'n'Play (UPnP) Client Library Group: Development/Libraries/C and C++ Requires: libminiupnpc%{soname} = %{version}-%{release} %description -n libminiupnpc-devel The MiniUPnP project offers software which supports the UPnP Internet Gateway Device (IGD) specifications. %package -n python-miniupnpc Summary: Universal Plug'n'Play (UPnP) Client Module for Python Group: Development/Libraries/Python Requires: libminiupnpc%{soname} = %{version}-%{release} %py_requires %description -n python-miniupnpc The MiniUPnP project offers software which supports the UPnP Internet Gateway Device (IGD) specifications. 
%prep %setup -q %patch0 -p2 %build make %{?_smp_mflags} \ CC="%__cc" \ OPTFLAGS="%{optflags}" \ PYTHON="%__python" %__python ./setup.py build %install %__make \ INSTALLPREFIX="%{buildroot}%{_prefix}" \ INSTALLDIRINC="%{buildroot}%{_includedir}/miniupnpc" \ INSTALLDIRLIB="%{buildroot}%{_libdir}" \ INSTALLDIRBIN="%{buildroot}%{_bindir}" \ INSTALL="%__install" \ install %__python ./setup.py install \ --prefix="%{_prefix}" \ --root="%{buildroot}" \ --record-rpm="rpmfiles.lst" # Remove static libs rm -f %{buildroot}%{_libdir}/*.a # The man page should be non executable chmod -x %{buildroot}%{_mandir}/man3/miniupnpc.3.gz %post -n libminiupnpc%{soname} -p /sbin/ldconfig %postun -n libminiupnpc%{soname} -p /sbin/ldconfig %files %defattr(-,root,root) %{_bindir}/upnpc %{_bindir}/external-ip %{_mandir}/man3/miniupnpc.3.gz %files -n libminiupnpc%{soname} %defattr(-,root,root) %doc LICENSE Changelog.txt README %{_libdir}/libminiupnpc.so.%{soname} %files -n libminiupnpc-devel %defattr(-,root,root) %{_includedir}/miniupnpc/ %{_libdir}/libminiupnpc.so %files -n python-miniupnpc -f rpmfiles.lst %defattr(-,root,root) %changelog ++++++ miniupnpc-buffer-overflow-fix.patch ++++++ This patch fixes CVE-2015-6031 and is based on: commit 79cca974a4c2ab1199786732a67ff6d898051b78 Author: Thomas Bernard <miniu...@free.fr> Date: Tue Sep 15 15:32:33 2015 +0200 igd_desc_parse.c: fix buffer overflow diff --git a/miniupnpc/igd_desc_parse.c b/miniupnpc/igd_desc_parse.c index 892a090..d2999ad 100644 --- a/miniupnpc/igd_desc_parse.c +++ b/miniupnpc/igd_desc_parse.c @@ -15,7 +15,9 @@ void IGDstartelt(void * d, const char * name, int l) { struct IGDdatas * datas = (struct IGDdatas *)d; - memcpy( datas->cureltname, name, l); + if(l >= MINIUPNPC_URL_MAXSIZE) + l = MINIUPNPC_URL_MAXSIZE-1; + memcpy(datas->cureltname, name, l); datas->cureltname[l] = '\0'; datas->level++; if( (l==7) && !memcmp(name, "service", l) ) {
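Review bot: In the igd_desc_parse.c hunk, the new clamp in IGDstartelt() bounds l by MINIUPNPC_URL_MAXSIZE, but the declaration of datas->cureltname is not visible here, so the fix is only correct if that array is declared with exactly that size. Comparing against sizeof(datas->cureltname) instead of the macro would keep the check tied to the destination buffer if the field is ever resized. Separately, l is a signed int and only the upper bound is tested: a negative value would still reach memcpy(), where it is converted to a very large size_t, and would then index before the buffer in `datas->cureltname[l] = '\0';`. A lower-bound guard before the copy (for example `if(l < 0) l = 0;`, or an early return) would make the function safe regardless of what the XML parser passes in. Over-long element names are now truncated silently; that is acceptable for the `(l==7)` "service" comparison that follows, but a short comment saying the truncation is intentional would help the next reader.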