Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 598202 (CVE-2016-8863) - <net-libs/libupnp-1.6.21: Heap buffer overflow in the create_url_list function
Summary: <net-libs/libupnp-1.6.21: Heap buffer overflow in the create_url_list function
Status: RESOLVED FIXED
Alias: CVE-2016-8863
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-6255
  Show dependency tree
 
Reported: 2016-10-27 08:14 UTC by Agostino Sarubbo
Modified: 2017-01-23 22:29 UTC (History)
4 users (show)

See Also:
Package list:
=net-libs/libupnp-1.6.21
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-10-27 08:14:07 UTC
From ${URL} :

A heap buffer overflow vulnerability was found in libupnp. This vulnerability might allow for a wide range of impacts, from denial of service to remote 
code execution.

Upstream bug:

https://sourceforge.net/p/pupnp/bugs/133/

CVE assignment:

http://seclists.org/oss-sec/2016/q4/200


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Whyman (thev00d00) gentoo-dev 2016-12-30 21:55:27 UTC
This is fixed in 1.6.21 and also #589136 if you haven't stabled that yet.

Ready for stable as the patch is small.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-01-08 21:40:59 UTC
(In reply to Ian Whyman (thev00d00) from comment #1)
> This is fixed in 1.6.21 and also #589136 if you haven't stabled that yet.

Sorry, I don't understand your reference to bug 589136. CVE-2016-8863 is not addressed in that bug and the version we call stable in bug 589136 (v1.6.20) does not include the fix.


@ Arches,

please test and mark stable: =net-libs/libupnp-1.6.21
Comment 3 Ian Whyman (thev00d00) gentoo-dev 2017-01-08 21:46:37 UTC
@Thomas

To clarify I meant that if an arch has yet to stabilise 1.6.20 they can just jump to 1.6.21 as it includes both fixes - meaning they can "kill 2 birds with one stone" so to speak.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-10 10:24:35 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-10 15:23:49 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-11 10:49:44 UTC
sparc stable
Comment 7 Markus Meier gentoo-dev 2017-01-13 16:54:51 UTC
arm stable
Comment 8 Jeroen Roovers gentoo-dev 2017-01-15 00:30:29 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-15 16:01:41 UTC
ppc stable
Comment 10 Tobias Klausmann gentoo-dev 2017-01-16 08:48:55 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-18 10:05:14 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-19 08:51:33 UTC
GLSA request filed.
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-23 03:29:37 UTC
This issue was resolved and addressed in
 GLSA 201701-52 at https://security.gentoo.org/glsa/201701-52
by GLSA coordinator Aaron Bauman (b-man).

@maintainer(s), please cleanup.
Comment 14 Ian Whyman (thev00d00) gentoo-dev 2017-01-23 18:38:46 UTC
Old versions dropped from tree.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6aa2e769e864701c8cc7d5953ae4819f2aca985
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-23 22:29:20 UTC
(In reply to Ian Whyman (thev00d00) from comment #14)
> Old versions dropped from tree.
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=b6aa2e769e864701c8cc7d5953ae4819f2aca985

Thank you!