Source: miniupnpd
Version: 2.1-5
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.8.20140523-4.1+deb9u1
Control: found -1 1.8.20140523-1

Hi,

The following vulnerabilities were published for miniupnpd.

CVE-2019-12107[0]:
| The upnp_event_prepare function in upnpevents.c in MiniUPnP MiniUPnPd
| through 2.1 allows a remote attacker to leak information from the heap
| due to improper validation of an snprintf return value.


CVE-2019-12108[1]:
| A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1
| exists due to a NULL pointer dereference in GetOutboundPinholeTimeout
| in upnpsoap.c for int_port.


CVE-2019-12109[2]:
| A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1
| exists due to a NULL pointer dereference in GetOutboundPinholeTimeout
| in upnpsoap.c for rem_port.


CVE-2019-12110[3]:
| An AddPortMapping Denial Of Service vulnerability in MiniUPnP
| MiniUPnPd through 2.1 exists due to a NULL pointer dereference in
| upnpredirect.c.


CVE-2019-12111[4]:
| A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1
| exists due to a NULL pointer dereference in copyIPv6IfDifferent in
| pcpserver.c.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12107
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12107
[1] https://security-tracker.debian.org/tracker/CVE-2019-12108
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12108
[2] https://security-tracker.debian.org/tracker/CVE-2019-12109
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12109
[3] https://security-tracker.debian.org/tracker/CVE-2019-12110
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12110
[4] https://security-tracker.debian.org/tracker/CVE-2019-12111
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12111

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
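
The bug class named in the CVE-2019-12107 description above (an unvalidated `snprintf` return value used as a length), shown beside the hardened check. This is an added illustration, not part of the original report and not miniupnpd's code; the message format, function names and buffer sizes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical message format, used only for this illustration. */
#define MSG_FMT "NOTIFY %s HTTP/1.1\r\n\r\n%s"

/* Unsafe pattern: treats snprintf's return value as the number of bytes
 * stored in buf. On truncation snprintf returns the length the full
 * output WOULD have had, which can be larger than cap. */
size_t build_unchecked(char *buf, size_t cap, const char *path, const char *body)
{
    int n = snprintf(buf, cap, MSG_FMT, path, body);
    return (size_t)n;   /* caller would send this many bytes from buf */
}

/* Hardened pattern: reject encoding errors (n < 0) and truncation
 * (n >= cap) before the length is used anywhere. */
int build_checked(char *buf, size_t cap, const char *path, const char *body,
                  size_t *out_len)
{
    int n = snprintf(buf, cap, MSG_FMT, path, body);
    if (n < 0 || (size_t)n >= cap)
        return -1;      /* do not send; grow the buffer or drop the event */
    *out_len = (size_t)n;
    return 0;
}

/* Bytes beyond the end of buf that a send of `len` bytes would read. */
size_t bytes_past_buffer(size_t len, size_t cap)
{
    return len > cap ? len - cap : 0;
}

int main(void)
{
    char buf[64], body[101];
    size_t len = 0;
    memset(body, 'A', 100);          /* constructed oversized input */
    body[100] = '\0';

    size_t claimed = build_unchecked(buf, sizeof buf, "/evt", body);
    printf("unchecked length: %zu, past buffer: %zu\n",
           claimed, bytes_past_buffer(claimed, sizeof buf));
    printf("checked result: %d\n",
           build_checked(buf, sizeof buf, "/evt", body, &len));
    return 0;
}
```

The unchecked length is only computed here, never used to read memory; in a daemon that passes it to `send()` or `write()`, the excess bytes come from whatever follows the buffer on the heap.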
