FreeBSD 244C8288-CC4A-11E6-A475-BCAEC524BF84
Feb 23, 2016 - 12:00 a.m.

upnp -- multiple vulnerabilities

2016-02-23 00:00:00
vuxml.freebsd.org
20

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.035 Low
Percentile: 91.6%

Matthew Garrett reports:

Reported this to upstream 8 months ago without response,
so: libupnp’s default behaviour allows anyone to write to your
filesystem. Seriously. Find a device running a libupnp based server
(Shodan says there’s rather a lot), and POST a file to /testfile.
Then GET /testfile … and yeah if the server is running as root
(it is) and is using / as the web root (probably not, but maybe)
this gives full host fs access.

Scott Tenaglia reports:

There is a heap buffer overflow vulnerability in the
create_url_list function in upnp/src/gena/gena_device.c.

| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| FreeBSD | any | noarch | upnp | < 1.6.21 | UNKNOWN |
