Ubuntu has issued an advisory on February 7:
https://usn.ubuntu.com/usn/usn-3562-1/

Despite the description saying only < 2.0 is affected, our 2.0 snapshot from last year was too old to include the fix (which was committed in December):
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000494.html

Note that the page above also references two other non-CVE security fixes in addition to the CVE fix.

Mageia 6 is also affected.
Mageia 5 is also affected (but we don't need to push a fix there).
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Upstream patches are available
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=22455
Cauldron has been recently updated to a version which is not vulnerable.

Two of the patches are already applied and 9fcc0a72f09e6e1aa46ddcc997d3dcae87d4b416 does not apply. That patch also did not apply to mga6.

I did not do anything with mga#22455 as I do not know if the suggested changes are valid. Leaving that for the maintainer.

This update fixes the security issue. Updated package uploaded for Mageia 6.

Advisory:
========================

Updated miniupnpc package fixes security vulnerability:

It was discovered that miniupnpc contained a heap buffer overflow in parseelt (minixml.c - no CVE assigned).

It was discovered that miniupnpc also contained a memory corruption (invalid read, SIGSEGV) in NameValueParserEndElt (upnpreplyparse.c) while handling two consecutive malformed SOAP requests (CVE-2017-1000494).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000494
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000494.html
https://github.com/miniupnp/miniupnp/issues/268
========================

Updated packages in core/updates_testing:
========================
lib64miniupnpc16-2.0.20170509-1.1.mga6
lib64miniupnpc-devel-2.0.20170509-1.1.mga6
miniupnpc-2.0.20170509-1.1.mga6

from miniupnpc-2.0.20170509-1.1.mga6.src.rpm

Testing procedure
https://bugs.mageia.org/show_bug.cgi?id=20851#c8
Version: Cauldron => 6
Assignee: mageia => qa-bugs
Keywords: (none) => has_procedure
CC: (none) => mrambo
Whiteboard: MGA6TOO => (none)
Mageia 6, x86_64

Had a look at this, encouraged by the report from PC LX of previous testing.

Searched for PoCs and found tests at https://github.com/miniupnp/miniupnp/issues/268 which involved a daemon by the looks of it, called miniupnpd. The tests included a couple of message blocks to be sent via a specified port to another IP address, piping through xxd and netcat. I could not find xxd or miniupnpd so gave up on that.

$ upnpc -l
upnpc : miniupnpc library test client, version 2.0.
 (c) 2005-2016 Thomas Bernard.
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
No IGD UPnP Device found on the network !

That looks like a full stop to me so I shall have to hand this over to PC LX.
CC: (none) => tarazed25
MGA6-32 on IBM Thinkpad R50e MATE

No installation issues

Got no further than Len. I guessed that the IP address in the testcase of bug 20851 would be the address of the router ??? But of course port 2555 or 2222 is blocked and I'm not very eager to open up ports for testing.
CC: (none) => herman.viaene
Quick preparatory word.

https://bugs.mageia.org/show_bug.cgi?id=13374#c11
describes possible use of megaglest game to use miniupnpc.

https://bugs.mageia.org/show_bug.cgi?id=20851#c8
describes PC_LX's expert real test - if you can!
Testing complete mga6 64

Temporarily enabled uPnP on the router (forwarding settings) for testing.

$ upnpc -l
upnpc : miniupnpc library test client, version 2.0.
 (c) 2005-2016 Thomas Bernard.
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.10.1:1900/igd.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.10.1:1900/ipc
Local LAN ip address : 192.168.10.66
Connection Type : IP_Routed
Status : Connected, uptime=35s, LastConnectionError : ERROR_NONE
  Time started : Fri May 18 14:54:32 2018
...etc

Validating.
Whiteboard: (none) => mga6-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Thank you Claire for your expert intervention.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0250.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED