CVE-2017-1000494

NameCVE-2017-1000494
DescriptionUninitialized stack variable vulnerability in NameValueParserEndElt (upnpreplyparse.c) in miniupnpd < 2.0 allows an attacker to cause Denial of Service (Segmentation fault and Memory Corruption) or possibly have unspecified other impact
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1811-1
Debian Bugs887129

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
miniupnpc (PTS)buster2.1-1fixed
bullseye2.2.1-1fixed
bookworm2.2.4-1fixed
trixie, sid2.2.5-1fixed
miniupnpd (PTS)buster2.1-6fixed
bullseye2.2.1-1fixed
bookworm2.3.1-1fixed
trixie, sid2.3.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
miniupnpcsource(unstable)2.0.20171212-3unimportant
miniupnpdsourcejessie1.8.20140523-4+deb8u1DLA-1811-1
miniupnpdsourcestretch1.8.20140523-4.1+deb9u1
miniupnpdsource(unstable)2.0.20171212-1887129

Notes

https://github.com/miniupnp/miniupnp/issues/268
https://github.com/miniupnp/miniupnp/commit/7aeb624b44f86d335841242ff427433190e7168a
https://github.com/miniupnp/miniupnp/commit/a0573e251817ec090a8c9f9f41b56d720c835a6c
Search for package or bug name: Reporting problems