From: Aaron Bauman
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Subject: [gentoo-announce] [ GLSA 201801-08 ] MiniUPnPc: Arbitrary code execution
Date: Sun, 07 Jan 2018 18:51:37 -0500
Message-ID: <3703746.ED79X6X1tF@localhost.localdomain>
Organization: Gentoo

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201801-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MiniUPnPc: Arbitrary code execution
      Date: January 07, 2018
      Bugs: #562684
        ID: 201801-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in MiniUPnPc might allow remote attackers to execute
arbitrary code.

Background
==========

MiniUPnPc is a client library that enables applications to access the
services provided by a UPnP "Internet Gateway Device" present on the
network.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-libs/miniupnpc        < 2.0.20170509          >= 2.0.20170509

Description
===========

An exploitable buffer overflow vulnerability exists in the XML parser
functionality of the MiniUPnPc client library.

Impact
======

A remote attacker, by enticing a user to connect to a malicious UPnP
server, could cause the execution of arbitrary code with the privileges
of the user running a MiniUPnPc-linked application.
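The overflow the Description refers to and the attacker-controlled input the Impact section describes can be made concrete with a small model. The following C program is an added example, not MiniUPnPc's code and not part of this advisory: a tokenizer stand-in pulls the first element name out of a device-description fragment, a vulnerable start-tag handler copies that name into a fixed-size buffer trusting the attacker-chosen length, and a hardened handler rejects names that do not fit. The buffer size, the guard bytes standing in for an adjacent struct field, and both sample documents are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative sizes; the real library's buffer size and struct layout are
 * not given in the advisory and are not reproduced here. */
#define NAME_MAX  32
#define GUARD_LEN 8
static const unsigned char GUARD[GUARD_LEN] = {0xde, 0xad, 0xbe, 0xef, 0xfe, 0xed, 0xfa, 0xce};

/* Parser state: the current element name (NAME_MAX bytes plus NUL) is
 * followed by guard bytes standing in for whatever field would be adjacent
 * in a real struct. One array keeps the overrun observable without UB. */
struct parser_state {
    unsigned char mem[NAME_MAX + 1 + GUARD_LEN];
    int level;
};

static void state_init(struct parser_state *st) {
    memset(st, 0, sizeof *st);
    memcpy(st->mem + NAME_MAX + 1, GUARD, GUARD_LEN);
}

/* 1 while the guard bytes after the name buffer are untouched, else 0. */
static int guard_intact(const struct parser_state *st) {
    return memcmp(st->mem + NAME_MAX + 1, GUARD, GUARD_LEN) == 0;
}

/* Tokenizer stand-in: point at the first start tag's name and store its
 * length (attacker chosen) in *len; NULL if doc has no tag. */
static const char *first_start_tag(const char *doc, size_t *len) {
    const char *p = strchr(doc, '<');
    if (!p) return NULL;
    *len = strcspn(++p, " \t\r\n/>");
    return p;
}

/* VULNERABLE: copies the name unconditionally, so len > NAME_MAX writes
 * past the buffer into whatever follows it. */
static void start_element_vulnerable(struct parser_state *st, const char *name, size_t len) {
    memcpy(st->mem, name, len);
    st->mem[len] = '\0';
    st->level++;
}

/* HARDENED: reject names that do not fit rather than silently truncating,
 * so later code never acts on a mangled name. */
static int start_element_hardened(struct parser_state *st, const char *name, size_t len) {
    if (len > NAME_MAX) return -1;
    memcpy(st->mem, name, len);
    st->mem[len] = '\0';
    st->level++;
    return 0;
}

/* Feed doc's first tag to one handler: -1 if no tag or rejected, else 0. */
static int parse_first_tag(struct parser_state *st, const char *doc, int hardened) {
    size_t len;
    const char *name = first_start_tag(doc, &len);
    if (!name) return -1;
    if (hardened) return start_element_hardened(st, name, len);
    start_element_vulnerable(st, name, len);
    return 0;
}

/* Constructed inputs: a fragment resembling an IGD description, and a tag whose
 * 36-byte name overruns NAME_MAX by 4 (kept inside the modelled region for the
 * demo; a real attacker is under no such limit). */
static const char BENIGN_DOC[] =
    "<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>";
static const char HOSTILE_DOC[] = "<" "AAAAAAAAA" "AAAAAAAAA" "AAAAAAAAA" "AAAAAAAAA" ">";

/* 1 if the vulnerable handler clobbers the guard bytes on HOSTILE_DOC. */
static int demo_vulnerable_overruns(void) {
    struct parser_state st;
    state_init(&st);
    parse_first_tag(&st, HOSTILE_DOC, 0);
    return !guard_intact(&st);
}

/* 1 if the hardened handler rejects HOSTILE_DOC and leaves the guard alone. */
static int demo_hardened_rejects(void) {
    struct parser_state st;
    state_init(&st);
    return parse_first_tag(&st, HOSTILE_DOC, 1) == -1 && guard_intact(&st);
}

/* 1 if the hardened handler accepts BENIGN_DOC and records its name. */
static int demo_hardened_accepts_benign(void) {
    struct parser_state st;
    state_init(&st);
    return parse_first_tag(&st, BENIGN_DOC, 1) == 0
        && strcmp((const char *)st.mem, "serviceType") == 0
        && st.level == 1 && guard_intact(&st);
}

int main(void) {
    printf("vulnerable handler corrupts adjacent bytes: %s\n", demo_vulnerable_overruns() ? "yes" : "no");
    printf("hardened handler rejects oversized name:    %s\n", demo_hardened_rejects() ? "yes" : "no");
    printf("hardened handler accepts benign name:       %s\n", demo_hardened_accepts_benign() ? "yes" : "no");
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`: the vulnerable path reports corrupted adjacent bytes, the hardened path rejects the hostile name and still accepts the benign one. In a real client the bytes after the name buffer are live parser state rather than a guard, which is what turns an oversized element name served by a malicious device into the code execution the advisory describes, running with whatever privileges the linked application has.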

 

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MiniUPnPc users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=net-libs/miniupnpc-2.0.20170509"
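Two checks the Resolution section leaves implicit: confirming that the installed version really is below 2.0.20170509 (Gentoo `-rN` revisions included), and finding processes that still have the old libminiupnpc.so mapped, because upgrading a shared library does not restart the applications linked against it. The script below is an added example, not part of the GLSA. It assumes portage-utils (`qlist -Iv`) for the installed-version lookup and a Linux /proc for the process scan; the version comparison covers this package's dotted-numeric versions and is not a general Portage version comparator.

```shell
#!/bin/sh
# Added example, not part of the GLSA. Checks a host against GLSA 201801-08:
#   1. is the installed net-libs/miniupnpc older than the fixed version?
#   2. which running processes still map libminiupnpc.so (restart needed)?
# Assumes portage-utils `qlist -Iv` prints "net-libs/miniupnpc-<version>" and
# that /proc/<pid>/maps is readable (root for other users' processes).
# Nothing here modifies the system; it only prints what to do.

FIXED_VERSION=2.0.20170509
LIB_PATTERN='libminiupnpc\.so'

# Compare dotted-numeric versions (2.0.20161216 vs 2.0.20170509): prints
# -1, 0 or 1. Sufficient for this package; not a full Portage comparator
# (no letter suffixes, _p/_rc parts, etc.).
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Succeeds when $1 (optionally with a Gentoo -rN revision) is older than the
# fixed version, i.e. still inside the advisory's vulnerable range.
is_vulnerable_version() {
    ver=${1%%-r*}
    [ "$(vercmp "$ver" "$FIXED_VERSION")" -lt 0 ]
}

# Print the installed miniupnpc version, or nothing if absent or unknown.
installed_version() {
    command -v qlist >/dev/null 2>&1 || return 0
    qlist -Iv net-libs/miniupnpc | sed -n 's#^net-libs/miniupnpc-##p'
}

# Print "pid comm" for every process that has the library mapped.
processes_using_lib() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -q "$LIB_PATTERN" "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

main() {
    v=$(installed_version)
    if [ -z "$v" ]; then
        echo "net-libs/miniupnpc not installed or qlist unavailable; version check skipped"
    elif is_vulnerable_version "$v"; then
        echo "installed $v is older than $FIXED_VERSION: vulnerable, upgrade with"
        echo '  emerge --sync && emerge --ask --oneshot -v ">=net-libs/miniupnpc-2.0.20170509"'
    else
        echo "installed $v: not in the vulnerable range of GLSA 201801-08"
    fi
    procs=$(processes_using_lib)
    if [ -n "$procs" ]; then
        echo "processes still mapping libminiupnpc.so (restart them after upgrading):"
        echo "$procs"
    fi
}

main "$@"
```

Run it once before the upgrade to confirm the host is actually affected, and once after so the process list tells you which long-running daemons or desktop applications still hold the old library and need a restart.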

 

References
==========

[ 1 ] CVE-2015-6031
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6031

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201801-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
