Your message dated Fri, 01 Feb 2013 22:17:45 +0000
with message-id <e1u1ovz-0007ms...@franck.debian.org>
and subject line Bug#699459: fixed in libupnp4 1.8.0~svn20100507-1.2
has caused the Debian Bug report #699459,
regarding libupnp4: Multiple stack buffer overflow vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
699459: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699459
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libupnp4
Severity: grave
Tags: security
More information is available at bug #699316 (including a patch).
According to bug #699351, these security problems are also found in
libupnp4.
Here's the original posting by Salvatore Bonaccorso <car...@debian.org>
Hi,
the following vulnerabilities were published for libupnp.
CVE-2012-5958[0]: Stack buffer overflow of Tempbuf
CVE-2012-5959[1]: Stack buffer overflow of Event->UDN
CVE-2012-5960[2]: Stack buffer overflow of Event->UDN
CVE-2012-5961[3]: Stack buffer overflow of Evt->UDN
CVE-2012-5962[4]: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963[5]: Stack buffer overflow of Event->UDN
CVE-2012-5964[6]: Stack buffer overflow of Event->DeviceType
CVE-2012-5965[7]: Stack buffer overflow of Event->DeviceType
Upstream changelog for 1.6.18 states:
*******************************************************************************
Version 1.6.18
*******************************************************************************
2012-12-06 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>
Security fix for CERT issue VU#922681
This patch addresses three possible buffer overflows in function
unique_service_name(). The three issues have the following CVE numbers:
CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN
Notice that the following issues have already been dealt with by previous
work:
CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958
http://security-tracker.debian.org/tracker/CVE-2012-5958
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959
http://security-tracker.debian.org/tracker/CVE-2012-5959
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960
http://security-tracker.debian.org/tracker/CVE-2012-5960
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961
http://security-tracker.debian.org/tracker/CVE-2012-5961
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962
http://security-tracker.debian.org/tracker/CVE-2012-5962
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963
http://security-tracker.debian.org/tracker/CVE-2012-5963
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964
http://security-tracker.debian.org/tracker/CVE-2012-5964
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965
http://security-tracker.debian.org/tracker/CVE-2012-5965
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
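As an added illustration of the bug class described in the changelog quoted above (a constructed example, not libupnp's code): a USN header parser that bounds every copy into its fixed-size Event fields, so an oversized UDN or DeviceType is rejected instead of overrunning a stack buffer. The field sizes, the USN layout and the function names are assumptions made for this example.

```c
#include <string.h>

/* Field size is constructed for this example, not libupnp's real limit. */
#define FIELD_SIZE 64

struct ssdp_event {
    char UDN[FIELD_SIZE];
    char DeviceType[FIELD_SIZE];
};

/* The bug class named in the advisory: a field of attacker-chosen length is
 * copied into a fixed stack buffer without comparing it to the buffer size.
 * Mitigation: refuse the field (NUL included) when it does not fit. */
static int copy_bounded(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse a USN value "uuid:<udn>::urn:<domain>:device:<type>:<ver>" into
 * UDN (text before "::") and DeviceType (the urn part).
 * Returns 0 on success, -1 for malformed or oversized input. */
int parse_usn(const char *usn, struct ssdp_event *evt)
{
    const char *sep = strstr(usn, "::");
    if (sep == NULL || strncmp(sep + 2, "urn:", 4) != 0)
        return -1;
    if (copy_bounded(evt->UDN, sizeof evt->UDN, usn, (size_t)(sep - usn)) != 0)
        return -1;
    return copy_bounded(evt->DeviceType, sizeof evt->DeviceType,
                        sep + 2, strlen(sep + 2));
}

/* Check helper: does a USN parse to exactly the expected fields? */
int usn_parses_to(const char *usn, const char *udn, const char *devtype)
{
    struct ssdp_event e;
    return parse_usn(usn, &e) == 0 && strcmp(e.UDN, udn) == 0 &&
           strcmp(e.DeviceType, devtype) == 0;
}

/* Constructed hostile input: a 200-byte UDN must be rejected, not copied. */
int oversized_udn_is_rejected(void)
{
    char usn[256];
    struct ssdp_event e;
    memset(usn, 'A', 200); usn[200] = '\0';
    strcat(usn, "::urn:schemas-upnp-org:device:Basic:1");
    return parse_usn(usn, &e) == -1;
}
```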
--- Begin Message ---
Source: libupnp4
Source-Version: 1.8.0~svn20100507-1.2
We believe that the bug you reported is fixed in the latest version of
libupnp4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 699...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yves-Alexis Perez <cor...@debian.org> (supplier of updated libupnp4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 01 Feb 2013 22:53:13 +0100
Source: libupnp4
Binary: libupnp4 libupnp4-dev libupnp4-dbg libupnp4-doc
Architecture: source amd64 all
Version: 1.8.0~svn20100507-1.2
Distribution: unstable
Urgency: high
Maintainer: Nick Leverton <n...@leverton.org>
Changed-By: Yves-Alexis Perez <cor...@debian.org>
Description:
libupnp4 - Portable SDK for UPnP Devices, version 1.8 (shared libraries)
libupnp4-dbg - debugging symbols for libupnp4
libupnp4-dev - Portable SDK for UPnP Devices, version 1.8 (development files)
libupnp4-doc - Documentation for the Portable SDK for UPnP Devices, version 1.8
Closes: 699459
Changes:
libupnp4 (1.8.0~svn20100507-1.2) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
various stack-based buffer overflows in service_unique_name() function.
This fixes CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699459
* debian/rules:
- enable hardening flags.
* debian/control:
- add build-dep on dpkg-dev (>= 1.16.1~)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---