CVE-2017-12087

Name: CVE-2017-12087
Description: An exploitable heap overflow vulnerability exists in the tinysvcmdns library version 2016-07-18. A specially crafted packet can make the library overwrite an arbitrary amount of data on the heap with attacker-controlled values. An attacker needs to send a DNS packet to trigger this vulnerability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)
Debian Bugs: 882508

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| shairport-sync (PTS) | stretch | 2.8.6-1 | vulnerable |
| | buster, sid | 3.2.2-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| shairport-sync | source | (unstable) | 3.1.4-1 | unimportant | | 882508 |

Notes

Debian build uses Avahi instead
https://bugs.launchpad.net/ubuntu/+source/shairport-sync/+bug/1729668
