diff -Nru minissdpd-1.1.20120121/debian/changelog minissdpd-1.1.20120121/debian/changelog
--- minissdpd-1.1.20120121/debian/changelog 2012-02-17 15:24:22.000000000 +0000
+++ minissdpd-1.1.20120121/debian/changelog 2016-07-01 18:36:35.000000000 +0000
@@ -1,3 +1,21 @@
+minissdpd (1.1.20120121-1+deb7u1build0.14.04.1) trusty-security; urgency=medium
+
+ * fake sync from Debian
+
+ -- Tyler Hicks Fri, 01 Jul 2016 13:36:35 -0500
+
+minissdpd (1.1.20120121-1+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Wheezy LTS Team.
+ * patch for CVE-2016-3178 + CVE-2016-3179
+ The minissdpd daemon contains a improper validation of array index
+ vulnerability (CWE-129) when processing requests sent to the Unix
+ socket at /var/run/minissdpd.sock the Unix socket can be accessed
+ by an unprivileged user to send invalid request causes an
+ out-of-bounds memory access that crashes the minissdpd daemon.
+
+ -- Thorsten Alteholz Mon, 28 Mar 2016 12:03:02 +0100
+
 minissdpd (1.1.20120121-1) unstable; urgency=low
 
 * New upstream version.
diff -Nru minissdpd-1.1.20120121/debian/patches/CVE-2016-3178.patch minissdpd-1.1.20120121/debian/patches/CVE-2016-3178.patch
--- minissdpd-1.1.20120121/debian/patches/CVE-2016-3178.patch 1970-01-01 00:00:00.000000000 +0000
+++ minissdpd-1.1.20120121/debian/patches/CVE-2016-3178.patch 2016-03-28 14:39:17.000000000 +0000
@@ -0,0 +1,92 @@
+Index: minissdpd-1.1.20120121/minissdpd.c
+===================================================================
+--- minissdpd-1.1.20120121.orig/minissdpd.c 2016-03-28 16:26:09.000000000 +0200
++++ minissdpd-1.1.20120121/minissdpd.c 2016-03-28 16:29:13.000000000 +0200
+@@ -530,7 +530,7 @@
+ type = buf[0];
+ p = buf + 1;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+@@ -636,7 +636,7 @@
+ goto error;
+ }
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+@@ -654,7 +654,7 @@
+ newserv->usn[l] = '\0';
+ p += l;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+@@ -672,7 +672,7 @@
+ newserv->server[l] = '\0';
+ p += l;
+ DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+- if(p+l > buf+n) {
++ if(l > (unsigned)(buf+n-p)) {
+ syslog(LOG_WARNING, "bad request (length encoding)");
+ goto error;
+ }
+Index: minissdpd-1.1.20120121/testminissdpd.c
+===================================================================
+--- minissdpd-1.1.20120121.orig/testminissdpd.c 2016-03-28 16:26:09.000000000 +0200
++++ minissdpd-1.1.20120121/testminissdpd.c 2016-03-28 16:39:14.000000000 +0200
+@@ -45,6 +45,23 @@
+ #define SENDCOMMAND(command, size) write(s, command, size); \
+ printf("Command written type=%u\n", (unsigned)command[0]);
+
++int connect_unix_socket(const char * sockpath)
++{
++ int s;
++ struct sockaddr_un addr;
++
++ s = socket(AF_UNIX, SOCK_STREAM, 0);
++ addr.sun_family = AF_UNIX;
++ strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path));
++ if(connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_un)) < 0) {
++ fprintf(stderr, "connecting to %s : ", addr.sun_path);
++ perror("connect");
++ exit(1);
++ }
++ printf("Connected to %s\n", addr.sun_path);
++ return s;
++}
++
+ /* test program for minissdpd */
+ int
+ main(int argc, char * * argv)
+@@ -52,6 +69,7 @@
+ char command1[] = "\x01\x00urn:schemas-upnp-org:device:InternetGatewayDevice";
+ char command2[] = "\x02\x00uuid:fc4ec57e-b051-11db-88f8-0060085db3f6::upnp:rootdevice";
+ char command3[] = { 0x03, 0x00 };
++ const char bad_command4[] = { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f};
+ struct sockaddr_un addr;
+ int s;
+ int i;
+@@ -89,6 +107,15 @@
+ n = read(s, buf, sizeof(buf));
+ printf("Response received %d bytes\n", (int)n);
+ printresponse(buf, n);
++ if(n == 0) {
++ close(s);
++ s = connect_unix_socket(sockpath);
++ }
++
++ n = SENDCOMMAND(bad_command4, sizeof(bad_command4));
++ n = read(s, buf, sizeof(buf));
++ printf("Response received %d bytes\n", (int)n);
++ printresponse(buf, n);
+
+ close(s);
+ return 0;
diff -Nru minissdpd-1.1.20120121/debian/patches/CVE-2016-3179.patch minissdpd-1.1.20120121/debian/patches/CVE-2016-3179.patch
--- minissdpd-1.1.20120121/debian/patches/CVE-2016-3179.patch 1970-01-01 00:00:00.000000000 +0000
+++ minissdpd-1.1.20120121/debian/patches/CVE-2016-3179.patch 2016-03-28 14:20:02.000000000 +0000
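Review bot: The rewritten bound `if(l > (unsigned)(buf+n-p))` in the minissdpd.c hunk at -530 is only correct while `p` has not moved past `buf+n`; if it ever had, the pointer difference would be negative and the cast would turn it into a very large limit that any `l` passes. Whether DECODELENGTH_CHECKLIMIT guarantees that invariant is not visible in this patch, so either state it in a comment above the check or make it explicit with `if(p > buf+n || l > (unsigned)(buf+n-p)) {`. The same line is repeated in the hunks at -636, -654 and -672, and all four sites log the identical "bad request (length encoding)" text, so including `l` and `n` in the message would let an operator tell from syslog which field of a malformed request was rejected. The enclosing function starts and ends outside these hunks.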
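Review bot: In the testminissdpd.c hunk at -45, `connect_unix_socket` uses the result of `socket()` without checking it, and `strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path))` leaves `sun_path` unterminated when `sockpath` fills the field, after which it is printed with `%s`. `addr` is also never zeroed, so whatever the stack held in its remaining bytes is passed to `connect()`. Checking the descriptor, clearing the struct first and copying one byte less than the field size closes all three.

```c
int connect_unix_socket(const char * sockpath)
{
	/* … unchanged: declarations of s and addr … */
	s = socket(AF_UNIX, SOCK_STREAM, 0);
	if(s < 0) {
		perror("socket");
		exit(1);
	}
	memset(&addr, 0, sizeof(addr));
	addr.sun_family = AF_UNIX;
	strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path) - 1);
	/* … unchanged: connect() call, error report and return … */
```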
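Review bot: The reconnect guard `if(n == 0) {` in the testminissdpd.c hunk at -89 covers only an orderly close; a failed `read()` returning -1 falls through and `bad_command4` is written to a socket that is already dead. Assuming `n` is a signed type (its declaration is outside the hunk), `if(n <= 0) {` handles both cases. The value assigned by `n = SENDCOMMAND(...)` is overwritten by the next `read()` before anything looks at it, and the program returns 0 regardless of the final read, so as a regression test for the crash it cannot fail; returning non-zero when that last `read()` is negative would make the result usable in an automated run. `main` starts outside this hunk.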
@@ -0,0 +1,12 @@
+Index: minissdpd-1.1.20120121/minissdpd.c
+===================================================================
+--- minissdpd-1.1.20120121.orig/minissdpd.c 2016-03-28 16:19:57.000000000 +0200
++++ minissdpd-1.1.20120121/minissdpd.c 2016-03-28 16:19:57.000000000 +0200
+@@ -618,6 +618,7 @@
+ syslog(LOG_ERR, "cannot allocate memory");
+ goto error;
+ }
++ memset(newserv, 0, sizeof(struct service)); /* set pointers to NULL */
+ if(containsForbiddenChars(p, l)) {
+ syslog(LOG_ERR, "bad request (st contains forbidden chars)");
+ goto error;
diff -Nru minissdpd-1.1.20120121/debian/patches/series minissdpd-1.1.20120121/debian/patches/series
--- minissdpd-1.1.20120121/debian/patches/series 2012-02-17 15:24:22.000000000 +0000
+++ minissdpd-1.1.20120121/debian/patches/series 2016-03-28 14:21:50.000000000 +0000
@@ -1 +1,3 @@
 0001-always-disable-link_ntoa.diff
+CVE-2016-3179.patch
+CVE-2016-3178.patch
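Review bot: The comment on the added `memset` in the minissdpd.c hunk at -618 says what the call does but not why it has to come before the first `goto error`. Presumably the error path releases newserv's member pointers, which are indeterminate straight after the allocation, but that label and the allocation itself are outside this hunk. A comment such as `/* zero newserv so the error path never frees an uninitialized member pointer */` would record the ordering constraint for whoever next rearranges this block. Writing the size as `sizeof(*newserv)` would also keep it tied to the variable rather than to the type name.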