A security issue fixed upstream in miniupnpc has been announced:
The upstream commit to fix the issue is linked at the end of the message above (see ).
Mageia 5 is also affected.
(In reply to David Walser from comment #0)
> A security issue fixed upstream in miniupnpc has been announced:
> The upstream commit to fix the issue is linked at the end of the message
> above (see ).
> Mageia 5 is also affected.
Also, so this should be filed against cauldron & MGA5TOO instead of to
5 & MGA5TOO ;-)
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Fixed in cauldron
Ubuntu has issued advisories for this today (May 24):
openSUSE has issued an advisory for this on May 31:
Patched package uploaded for Mageia 5.
Updated miniupnpc packages fix security vulnerabilities:
It was discovered that MiniUPnP incorrectly handled memory. A remote attacker
could use this issue to cause a denial of service or possibly execute arbitrary
code with privileges of the user running an application that uses the MiniUPnP
Updated packages in core/updates_testing:
Had a look but it is not for me.
$ urpmq --whatrequires lib64miniupnpc12 | sort |uniq
Could not make anything of that except possibly 0ad, which is a multi-player network game. Installed that and started it under another user with the intention of playing it across the LAN, but without knowing anything about games culture there was little chance of understanding how to set it up properly, let alone play it. Presumably it would need a server daemon of some kind attached to some port and then a couple of months' attention to the manual. The local router has UPnP enabled.
$ urpmq --requires 0ad | sort | uniq | grep mini
There is a PoC (attached) which is just as opaque; there is no indication how to run it to show the vulnerability (CVE-2017-8798).
The following command generated a continuous stream of network monitoring data:
$ ./poc.py --listen <ip of user machine>:65000 --havoc
This is all very negative but might be of some assistance to whosoever attempts this one. megaglest is another game - maybe somebody knows it?
Created attachment 9478
A possible PoC for this issue
Cannot comment on this.