
Bug 512666 (CVE-2014-3985)

Summary: <net-libs/miniupnpc-1.9.20150427: buffer overflow (CVE-2014-3985)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: bugs+gentoo, mgorny, nikoli, proxy-maint
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa cve cleanup]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-06-07 16:59:07 UTC
From ${URL} :

It was pointed out in that miniupnpc
version 1.9 fixes a possible buffer overflow:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 19:58:00 UTC
CVE-2014-3985 (
  The getHTTPResponse function in miniwget.c in MiniUPnP 1.9 allows remote
  attackers to cause a denial of service (crash) via crafted headers that
  trigger an out-of-bounds read.
Comment 2 Maxim Koltsov gentoo-dev 2015-04-28 17:51:07 UTC
Should be fixed in miniupnpc-1.9.20150424 added to tree now. Please check and mark this bug as resolved.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-19 07:14:25 UTC
Cannot confirm this was backported to 1.8 which is stable in the tree.

@maintainer, can you confirm this is backported?  If not, you can call for the stabilization of patched version and we can proceed to cleanup of the old vulnerable.  Thanks.
Comment 4 Thomas Deutschmann gentoo-dev Security 2016-11-21 19:20:50 UTC
Vulnerability is fixed in every 1.9er release in tree.

@ Arches,

please test and mark stable: =net-libs/miniupnpc-1.9.20151008
Comment 5 Agostino Sarubbo gentoo-dev 2016-11-22 11:31:39 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-11-22 11:32:57 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2016-11-29 17:30:50 UTC
arm stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-07 11:22:25 UTC
Stable for HPPA PPC64.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-11 10:36:52 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-15 15:50:43 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Thomas Deutschmann gentoo-dev Security 2017-01-15 18:50:49 UTC
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-01-17 09:20:01 UTC
This issue was resolved and addressed in
 GLSA 201701-41 at
by GLSA coordinator Aaron Bauman (b-man).