Your message dated Sun, 03 Feb 2013 23:02:10 +0000
with message-id <e1u28ze-0006ll...@franck.debian.org>
and subject line Bug#699316: fixed in libupnp 1:1.6.6-5+squeeze1
has caused the Debian Bug report #699316,
regarding libupnp: Multiple stack buffer overflow vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
699316: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libupnp
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for libupnp.

CVE-2012-5958[0]: Stack buffer overflow of Tempbuf
CVE-2012-5959[1]: Stack buffer overflow of Event->UDN
CVE-2012-5960[2]: Stack buffer overflow of Event->UDN
CVE-2012-5961[3]: Stack buffer overflow of Evt->UDN
CVE-2012-5962[4]: Stack buffer overflow of Evt->DeviceType
CVE-2012-5963[5]: Stack buffer overflow of Event->UDN
CVE-2012-5964[6]: Stack buffer overflow of Event->DeviceType
CVE-2012-5965[7]: Stack buffer overflow of Event->DeviceType

Upstream changelog for 1.6.18 states:

*******************************************************************************
Version 1.6.18
*******************************************************************************

2012-12-06 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>

        Security fix for CERT issue VU#922681

        This patch addresses three possible buffer overflows in function
        unique_service_name(). The three issues have the following CVE numbers:

        CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf
        CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN
        CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN

        Notice that the following issues have already been dealt with by previous
        work:

        CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN
        CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType
        CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN
        CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType
        CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958
    http://security-tracker.debian.org/tracker/CVE-2012-5958
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959
    http://security-tracker.debian.org/tracker/CVE-2012-5959
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960
    http://security-tracker.debian.org/tracker/CVE-2012-5960
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961
    http://security-tracker.debian.org/tracker/CVE-2012-5961
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962
    http://security-tracker.debian.org/tracker/CVE-2012-5962
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963
    http://security-tracker.debian.org/tracker/CVE-2012-5963
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964
    http://security-tracker.debian.org/tracker/CVE-2012-5964
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965
    http://security-tracker.debian.org/tracker/CVE-2012-5965

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libupnp
Source-Version: 1:1.6.6-5+squeeze1

We believe that the bug you reported is fixed in the latest version of
libupnp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <cor...@debian.org> (supplier of updated libupnp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Feb 2013 21:55:32 +0100
Source: libupnp
Binary: libupnp3 libupnp3-dev libupnp-dev libupnp3-dbg
Architecture: source amd64
Version: 1:1.6.6-5+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Nick Leverton <n...@leverton.org>
Changed-By: Yves-Alexis Perez <cor...@debian.org>
Description: 
 libupnp-dev - Portable SDK for UPnP Devices (development files)
 libupnp3   - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
 libupnp3-dbg - debugging symbols for libupnp3
 libupnp3-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
Closes: 699316
Changes: 
 libupnp (1:1.6.6-5+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix
     various stack-based buffer overflows in service_unique_name() function.
     This fixes CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961,
     CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699316

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
