Version in base suite: 2.3.9-2 Base version: miniupnpd_2.3.9-2 Target version: miniupnpd_2.3.9-2+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/miniupnpd/miniupnpd_2.3.9-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/miniupnpd/miniupnpd_2.3.9-2+deb13u1.dsc changelog | 8 ++ patches/0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch | 31 ++++++++++ patches/series | 1 3 files changed, 40 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpgzghb9qn/miniupnpd_2.3.9-2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpgzghb9qn/miniupnpd_2.3.9-2+deb13u1.dsc: no acceptable signature found diff -Nru miniupnpd-2.3.9/debian/changelog miniupnpd-2.3.9/debian/changelog --- miniupnpd-2.3.9/debian/changelog 2025-05-09 15:45:01.000000000 +0000 +++ miniupnpd-2.3.9/debian/changelog 2026-06-20 12:18:31.000000000 +0000 @@ -1,3 +1,11 @@ +miniupnpd (2.3.9-2+deb13u1) trixie; urgency=medium + + * Non-maintainer upload. + * CVE-2026-5720: integer underflow in SOAPAction header parsing + (Closes: #1134334) + + -- Adrian Bunk Sat, 20 Jun 2026 15:18:31 +0300 + miniupnpd (2.3.9-2) unstable; urgency=medium * Fix autopkgtest. diff -Nru miniupnpd-2.3.9/debian/patches/0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch miniupnpd-2.3.9/debian/patches/0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch --- miniupnpd-2.3.9/debian/patches/0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch 1970-01-01 00:00:00.000000000 +0000 +++ miniupnpd-2.3.9/debian/patches/0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch 2026-06-20 12:18:31.000000000 +0000 
@@ -0,0 +1,31 @@ +From 8bf6c943b86b2ac476426da36f9557a377767c14 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 23 Mar 2026 02:37:02 +0100 +Subject: upnphttp.c: fix removal of quotes in ParseHttpHeaders() + +the length of the string including the quotes must be at +least 2 for the string to contain the 2 enclosing quotes ! +--- + upnphttp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/upnphttp.c b/upnphttp.c +index f405f7d..838fdcc 100644 +--- a/upnphttp.c ++++ b/upnphttp.c +@@ -262,9 +262,10 @@ ParseHttpHeaders(struct upnphttp * h) + p++; + while(p[n]>=' ') + n++; +- if((p[0] == '"' && p[n-1] == '"') +- || (p[0] == '\'' && p[n-1] == '\'')) ++ if((n >= 2) && ((p[0] == '"' && p[n-1] == '"') ++ || (p[0] == '\'' && p[n-1] == '\''))) + { ++ /* remove the quotes */ + p++; n -= 2; + } + h->req_soapActionOff = p - h->req_buf; +-- +2.47.3 + diff -Nru miniupnpd-2.3.9/debian/patches/series miniupnpd-2.3.9/debian/patches/series --- miniupnpd-2.3.9/debian/patches/series 2025-05-09 15:45:01.000000000 +0000 +++ miniupnpd-2.3.9/debian/patches/series 2026-06-20 12:18:31.000000000 +0000 @@ -1,2 +1,3 @@ makefile-tweak.patch miniupnpd-allow-ipv4-listening-specify.patch +0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch
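Review bot: in the ParseHttpHeaders() hunk for upnphttp.c, the new `(n >= 2)` guard still admits a value made of exactly two quote characters, which leaves n == 0 after `p++; n -= 2;` with `h->req_soapActionOff` pointing at the closing quote. The code that consumes that offset and the length should be confirmed to handle an empty SOAPAction. The guard does cover the case named in the commit message: for a lone `"` or `'`, p[0] and p[n-1] are the same byte and `n -= 2` would take n below zero. It also short-circuits the `p[n-1]` read when n is 0. A regression test feeding a single quote, two quotes and an empty value would pin all three down. Separately, the unchanged `while(p[n]>=' ')` scan has no upper bound in the visible lines and depends on a byte below 0x20 terminating the header inside req_buf, which is worth a comment next to the new one.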
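Review bot: the debian/changelog entry for 2.3.9-2+deb13u1 gives the CVE and the bug number but does not say which patch carries the fix or where it came from. Naming 0001-upnphttp.c-fix-removal-of-quotes-in-ParseHttpHeaders.patch and the upstream commit 8bf6c943b86b2ac476426da36f9557a377767c14 in the entry would let a reader of the changelog trace the stable update back to the upstream change without opening debian/patches.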