MiniUPnPc: Arbitrary code execution — GLSA 201801-08

A vulnerability in MiniUPnPc might allow remote attackers to execute arbitrary code.

Affected Packages

net-libs/miniupnpc on all architectures
Affected versions < 2.0.20170509
Unaffected versions >= 2.0.20170509

Background

The client library, enabling applications to access the services provided by an UPnP “Internet Gateway Device” present on the network.

Description

An exploitable buffer overflow vulnerability exists in the XML parser functionality of the MiniUPnP library.

Impact

A remote attacker, by enticing a user to connect to a malicious server, could cause the execution of arbitrary code with the privileges of the user running a MiniUPnPc linked application.

Workaround

There is no known workaround at this time.

Resolution

All MiniUPnPc users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/miniupnpc-2.0.20170509"
 

References

Release Date
January 07, 2018

Latest Revision
January 07, 2018: 1

Severity
normal

Exploitable
remote

Bugzilla entries