Three buffer overflows have been fixed with the release of libupnp 1.6.18: http://pupnp.sourceforge.net/ChangeLog This fix is a reaction to research by the security company Rapid7 about vulnerable UPnP devices. Further information: http://www.kb.cert.org/vuls/id/922681
I have bumped libupnp to 1.6.18 - it just needs stabilization.
Thanks, Hanno and Bjarke. Arches, please test and mark stable: =net-libs/libupnp-1.6.18 Target KEYWORDS: "alpha amd64 arm hppa ppc ppc64 sparc x86"
CVE-2012-5960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5960): Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka upnp:rootdevice) field in a UDP packet.
CVE-2012-5959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5959): Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that contains a :: (colon colon) in a UDP packet.
CVE-2012-5958 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5958): Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.
Stable for HPPA.
455784 is no longer a blocker
amd64 stable
x86 stable
sparc stable
ppc stable
arm stable
alpha stable
ppc64 stable
New GLSA request filed.
This issue was resolved and addressed in GLSA 201403-06 at http://security.gentoo.org/glsa/glsa-201403-06.xml by GLSA coordinator Mikle Kolyada (Zlogene).