Vulnerability in tinysvcmdns (TALOS-2017-0486)

Bug #1733690 reported by Talos Security Advisory
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| shairport-sync (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

### Summary

An exploitable NULL pointer dereference vulnerability exists in the tinysvcmdns library version 2017-11-05. A specially crafted packet can make the library dereference a NULL pointer leading to server crash and denial of service. An attacker needs to send a DNS query to trigger this vulnerability.

Emily Ratliff (emilyr) wrote :

Thanks for reporting this issue. Has a CVE been assigned?

This appears to be related to issue
https://bitbucket.org/geekman/tinysvcmdns/issues/7/talos-security-advisory-for-tinysvcmdns
Please let me know if this is incorrect.

Versions of tinysvcmdns are incorporated in shairport-sync and clementine which are both community supported packages.

Talos Security Advisory (regiwils) wrote :

CVE-2017-12130 is assigned to this issue

Talos Security Advisory (regiwils) wrote :

This issue is a separate/new issue and is not related to Bug#1729668

Talos Security Advisory (regiwils) wrote :

Are there any updates for this issue?

Leonidas S. Barbosa (leosilvab) wrote :

Hi,

Did you report this issue to upstream already?
Since it affects only pkgs in universe we haven't much to do here.

Talos Security Advisory (regiwils) wrote :

Thanks for the response. It is reported to the author as well. If no interest in this bug, feel free to close.

Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

Talos Security Advisory (regiwils) wrote : Re: [Bug 1733690] Re: Vulnerability in tinysvcmdns (TALOS-2017-0486)

This issue was made public on 1/16/18.

Regina Wilson
Engineer. Research

On Apr 13, 2018, at 8:18 AM, Marc Deslauriers wrote:

Can I make this bug public?

information type: Private Security → Public Security
Changed in shairport-sync (Ubuntu):
status: New → Confirmed
This report contains Public Security information  
Everyone can see this security related information.