CVE-2017-12087

NameCVE-2017-12087
DescriptionAn exploitable heap overflow vulnerability exists in the tinysvcmdns library version 2016-07-18. A specially crafted packet can make the library overwrite an arbitrary amount of data on the heap with attacker controlled values. An attacker needs send a dns packet to trigger this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs882508

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
shairport-sync (PTS)stretch2.8.6-1vulnerable
buster3.2.2-1fixed
bullseye3.3.7-1fixed
sid, trixie, bookworm3.3.8-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
shairport-syncsource(unstable)3.1.4-1unimportant882508

Notes

Debian build uses Avahi instead
https://bugs.launchpad.net/ubuntu/+source/shairport-sync/+bug/1729668
Search for package or bug name: Reporting problems