I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
Mark
-------------------- Start of forwarded message --------------------
Subject: libupnp package vulnerable to CVE-2021-28302
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Sat, 13 Mar 2021 02:12:45 +0100
CVE-2021-28302 12.03.21 16:15
A stack overflow in pupnp 1.16.1 can cause the denial of service
through the Parser_parseDocument() function. ixmlNode_free() will
release a child node recursively, which will consume stack space and
lead to a crash.
Upstream did not provide a patch yet, see <
I suggest we wait for the patch to be made and then update, to be
monitored.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBMEY0ACgkQRaix6GvN
EKYUDQ//cJCRDapNXBPGtjw9g7Ki83WqsqSIG97YZF1+8vF3EKWaQ0yaUKwPyAhF
yngRqIGzo9nebdk9Ju8j8nFPICXKq3zwmiJzqg43mgdDoFjaVCgQLv/TIPbh/poi
+Y9JM0U4+1tkL2ePylpGTfgTZ2aSNh7DiWR2fsvIZpRozeX+XQBXnZJQBbjgAC5A
Nif2qFgohSYrMU7tii/O43aHsBSCnjBdq1v8X+OI9hLAWlclrw+sJMVAbEVVDft1
UM+vk9SJAS2YGZ8h6vxJkDQ2n5851P22vrIkRz1WUVL/ejlwvB5kk1PT4nyx53WT
aKd7SwvXbfb/nv5KaMSx4kXmAoquQzi/1nei1U6043ZLH8rsfquXPho3JUNZz28h
14Lj0nBwJ1ZxeGhD/5/XqMDWp/AbqXKaIsnaEKFZdUZfFPwTEpgRlntTeTs3Tiws
l9xuoV+Qib8slW8ZRS7cvpFO9Hnmt8R6MQgk5o0zDP3sdRc3v9rN9wT6CCHAUEHV
tSXPobwRKoEAZN7IQ4CqvXsAWa2eELEV4Xs18045iC5j5z2SCP5QcUro20sixc0M
eZF/1A8YoM7u1Qxhr9w3ptv9iiCywkBWhYLCBqC4BOUYSDFmDu/IErA0raiqO2e9
IfsJWzhQcFanAn0c/NhzJfaj0vhapCywcBdksw84ZmQ9dXK4E4E=
=3T+p
-----END PGP SIGNATURE-----
-------------------- End of forwarded message --------------------
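As an added illustration, not part of the forwarded report or of the pupnp/libixml code, the C program below models the failure mode the CVE text describes and the usual fix. The node layout (first-child / next-sibling links) and every function name here are constructed for the example and are not libixml's real `IXML_Node` or `ixmlNode_free()`: `free_recursive()` releases a subtree the way the report describes, one stack frame per nesting level, so a document nested deeply enough exhausts the stack; `free_iterative()` releases the same tree with constant stack usage by threading a work list through the nodes' own sibling pointers, which is the shape of mitigation a maintainer would apply while waiting for an upstream patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed toy DOM node: mirrors the first-child / next-sibling shape of an
 * XML node tree. It is NOT libixml's IXML_Node; it only exists for this example. */
typedef struct Node {
    struct Node *firstChild;
    struct Node *nextSibling;
} Node;

static Node *node_new(void) {
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();                 /* out of memory: nothing sensible to do in a toy */
    return n;
}

/* Build a chain of `depth` nodes, each the sole child of the previous one.
 * This is the worst case for a recursive free: nesting depth == node count. */
Node *build_nested_chain(size_t depth) {
    Node *root = node_new();
    Node *cur = root;
    for (size_t i = 1; i < depth; i++) {
        cur->firstChild = node_new();
        cur = cur->firstChild;
    }
    return root;
}

/* Recursive release in the style the CVE text describes: the recursion depth
 * equals the document's nesting depth, so attacker-controlled input decides
 * how much stack is consumed. Returns the number of nodes freed. */
size_t free_recursive(Node *n) {
    if (!n) return 0;
    size_t freed = free_recursive(n->firstChild);
    freed += free_recursive(n->nextSibling);
    free(n);
    return freed + 1;
}

/* Iterative release: constant stack usage regardless of nesting depth.
 * The not-yet-freed nodes form an intrusive work list linked through
 * nextSibling; a node's children are spliced onto the front of that list
 * before the node itself is freed. Each sibling chain is walked to its tail
 * once, so the whole traversal is O(n). Returns the number of nodes freed. */
size_t free_iterative(Node *root) {
    size_t freed = 0;
    Node *work = root;
    while (work) {
        Node *n = work;
        work = n->nextSibling;
        if (n->firstChild) {
            Node *tail = n->firstChild;
            while (tail->nextSibling)
                tail = tail->nextSibling;
            tail->nextSibling = work;   /* append remaining work after the children */
            work = n->firstChild;       /* children are processed next */
        }
        free(n);
        freed++;
    }
    return freed;
}

int main(void) {
    /* Shallow tree: either strategy is fine. */
    printf("recursive freed %zu nodes\n", free_recursive(build_nested_chain(100)));

    /* Deep tree: the iterative release handles it with a fixed stack footprint.
     * Passing the same tree to free_recursive() would need one frame per level. */
    printf("iterative freed %zu nodes\n", free_iterative(build_nested_chain(1000000)));
    return 0;
}
```

The depth that actually overflows the stack depends on the frame size and the thread's stack limit, so a parser-side fix usually pairs the iterative release with a cap on nesting depth during parsing; the example above shows only the release side.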