| Summary: | net-misc/minissdpd: improper validation of array index weakness | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED OBSOLETE | | |
| Severity: | trivial | CC: | blueness |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2016/03/07/9 | | |
| Whiteboard: | ~3 [upstream] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2016-03-09 15:35:04 UTC
The affected versions have long been off the tree. Currently we only have 1.5.20160119 and 1.5.20160301 on the tree.

(In reply to Anthony Basile from comment #1)
> The affected versions have long been off the tree. Currently we only have
> 1.5.20160119 and 1.5.20160301 on the tree.

It is not clear to me whether whoever made the advisory tested only on debian-ubuntu and/or believes that only the 1.2 version is affected.

The patch has the following date:

Date: Fri, 4 Mar 2016 12:38:18 +0100
Subject: [PATCH] Fix minissdpd.c handling of request with negative length

Since the patch is recent, I really don't think that we have a version that includes such a patch. Maybe 1.5 is just not affected.

Patch exists upstream, but cannot be validated against the current sources. None of the affected code is found in the current upstream GitHub or available Portage versions. Testing of the vulnerability was only confirmed on version 1.2.20130907-3, which has long been gone from the tree. Additionally, the package has never been marked stable.