Date: Wed, 30 Apr 2014 16:45:26 +1000
From: Murray McAllister <>
Subject: CVE request: possible miniupnpc buffer overflow

Good morning,

It was pointed out in that miniupnpc
version 1.9 fixes a possible buffer overflow:

I am not familiar with the code but it may be just a crash, with an
invalid read here (on line 131):

129                         /* parse header lines */
130                         for(i = 0; i < endofheaders - 1; i++) {
131                                 if(colon <= linestart &&

Can a CVE be assigned if one has not been already?

On a related note, I'm not sure if there are other issues close by. For
example, in version 1.9, miniwget.c:

172                         /* copy the remaining of the received data back to buf */
173                         n = header_buf_used - endofheaders;
174                         memcpy(buf, header_buf + endofheaders, n);

n and endofheaders are signed ints, and header_buf_used is unsigned.
Mixing the types together (and the signed int in the memcpy) may warrant
further investigation.


Murray McAllister / Red Hat Security Response Team
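
The type mix described in the message above (signed int n and endofheaders, unsigned header_buf_used, n passed to memcpy), worked through as an added example that is not part of the original message or of miniupnpc. The function names unchecked_len and copy_remaining are hypothetical, and nothing here shows whether the inconsistent case is reachable in miniwget.c.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length memcpy() would receive if n = header_buf_used - endofheaders were
 * used unchecked: the subtraction is done in unsigned arithmetic, stored in
 * a signed int (implementation-defined, wraps on common compilers), then
 * converted to size_t at the call. */
size_t unchecked_len(unsigned int header_buf_used, int endofheaders)
{
    int n = header_buf_used - endofheaders;  /* negative when endofheaders is larger */
    return (size_t)n;                        /* negative int becomes a huge size_t */
}

/* Hypothetical hardened helper: validate every quantity before copying.
 * Returns the number of bytes copied, or -1 if the values are inconsistent. */
int copy_remaining(char *buf, size_t buf_size,
                   const char *header_buf, unsigned int header_buf_used,
                   int endofheaders)
{
    size_t n;
    if (endofheaders < 0 || (unsigned int)endofheaders > header_buf_used)
        return -1;                           /* offset lies outside received data */
    n = (size_t)header_buf_used - (size_t)endofheaders;
    if (n > buf_size || n > INT_MAX)
        return -1;                           /* would overflow the destination */
    memcpy(buf, header_buf + endofheaders, n);
    return (int)n;
}

int main(void)
{
    /* Constructed sample: 4 header bytes followed by 5 body bytes. */
    const char header_buf[] = "\r\n\r\nHELLO";
    char buf[8];
    printf("consistent:   %d\n", copy_remaining(buf, sizeof buf, header_buf, 9, 4));
    printf("inconsistent: %d\n", copy_remaining(buf, sizeof buf, header_buf, 4, 9));
    printf("unchecked length for (4, 9): %zu\n", unchecked_len(4, 9));
    return 0;
}
```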
