Your message dated Fri, 01 Feb 2013 21:47:34 +0000
with message-id <e1u1osm-00010x...@franck.debian.org>
and subject line Bug#699316: fixed in libupnp 1:1.6.17-1.2
has caused the Debian Bug report #699316,
regarding libupnp: Multiple stack buffer overflow vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
699316: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libupnp
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for libupnp.

CVE-2012-5958[0]: Stack buffer overflow of Tempbuf
CVE-2012-5959[1]: Stack buffer overflow of Event->UDN
CVE-2012-5960[2]: Stack buffer overflow of Event->UDN
CVE-2012-5961[3]: Stack buffer overflow of Evt->UDN
CVE-2012-5962[4]: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963[5]: Stack buffer overflow of Event->UDN
CVE-2012-5964[6]: Stack buffer overflow of Event->DeviceType
CVE-2012-5965[7]: Stack buffer overflow of Event->DeviceType

Upstream changelog for 1.6.18 states:

*******************************************************************************
Version 1.6.18
*******************************************************************************

2012-12-06 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>

        Security fix for CERT issue VU#922681

        This patch addresses three possible buffer overflows in function
        unique_service_name(). The three issues have the following CVE numbers:

        CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
        CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
        CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

        Notice that the following issues have already been dealt with by previous
        work:

        CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
        CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
        CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
        CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
        CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958
    http://security-tracker.debian.org/tracker/CVE-2012-5958
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959
    http://security-tracker.debian.org/tracker/CVE-2012-5959
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960
    http://security-tracker.debian.org/tracker/CVE-2012-5960
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961
    http://security-tracker.debian.org/tracker/CVE-2012-5961
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962
    http://security-tracker.debian.org/tracker/CVE-2012-5962
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963
    http://security-tracker.debian.org/tracker/CVE-2012-5963
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964
    http://security-tracker.debian.org/tracker/CVE-2012-5964
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965
    http://security-tracker.debian.org/tracker/CVE-2012-5965

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libupnp
Source-Version: 1:1.6.17-1.2

We believe that the bug you reported is fixed in the latest version of
libupnp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <cor...@debian.org> (supplier of updated libupnp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Feb 2013 21:56:12 +0100
Source: libupnp
Binary: libupnp6 libupnp6-dev libupnp-dev libupnp6-dbg libupnp6-doc
Architecture: source amd64 all
Version: 1:1.6.17-1.2
Distribution: unstable
Urgency: high
Maintainer: Nick Leverton <n...@leverton.org>
Changed-By: Yves-Alexis Perez <cor...@debian.org>
Description: 
 libupnp-dev - Portable SDK for UPnP Devices (development files)
 libupnp6   - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
 libupnp6-dbg - debugging symbols for libupnp6
 libupnp6-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
 libupnp6-doc - Documentation for the Portable SDK for UPnP Devices, version 1.6
Closes: 699316
Changes: 
 libupnp (1:1.6.17-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
     various stack-based buffer overflows in service_unique_name() function.
     This fixes CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
     CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699316

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
