libupnp package vulnerable to CVE-2021-28302

Status: Done
Participants: Leo Famulari, Léo Le Bouter, Ludovic Courtès, Mark H Weaver
Owner: unassigned
Submitted by: Mark H Weaver
Severity: normal
Mark H Weaver wrote on 14 Mar 2021 22:29
(address . bug-guix@gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
87lfaps9tu.fsf@netris.org
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------
Subject: libupnp package vulnerable to CVE-2021-28302
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Sat, 13 Mar 2021 02:12:45 +0100
CVE-2021-28302 12.03.21 16:15
A stack overflow in pupnp 1.16.1 can cause the denial of service
through the Parser_parseDocument() function. ixmlNode_free() will
release a child node recursively, which will consume stack space and
lead to a crash.

Upstream did not provide a patch yet, see <

I suggest we wait for the patch to be made and then update, to be
monitored.

-------------------- End of forwarded message --------------------
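
Added example, not part of the thread and not pupnp's code or its upstream patch: the CVE text above describes a release routine that recurses once per level of document nesting. The sketch below contrasts that pattern with an iterative release that uses constant stack, on a hypothetical `node` type with parent, first-child and next-sibling pointers (all names here are assumptions).

```c
#include <stdlib.h>
/* Hypothetical DOM-like node for illustration; not pupnp's IXML_Node. */
typedef struct node { struct node *parent, *first_child, *next_sibling; } node;

static node *new_node(node *parent) {
    node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->parent = parent;
    if (parent) { n->next_sibling = parent->first_child; parent->first_child = n; }
    return n;
}

/* Constructed input: `depth` nested elements, each level with one extra leaf. */
static node *build_nested(size_t depth) {
    node *root = new_node(NULL), *cur = root;
    for (size_t i = 1; i < depth; i++) {
        new_node(cur);        /* leaf sibling */
        cur = new_node(cur);  /* next nesting level */
    }
    return root;
}

/* Recursive release: one stack frame per nesting level of the input,
   so the document's author decides how much stack is consumed. */
static size_t free_recursive(node *n) {
    size_t freed = 1;
    if (!n) return 0;
    for (node *c = n->first_child, *next; c; c = next) {
        next = c->next_sibling;
        freed += free_recursive(c);
    }
    free(n);
    return freed;
}

/* Iterative release: constant stack use whatever the nesting depth.
   Frees `root` and its descendants only; returns the number of nodes freed. */
static size_t free_iterative(node *root) {
    size_t freed = 0;
    for (node *n = root, *next; n; n = next) {
        if (n->first_child) {            /* descend, detaching the child list */
            next = n->first_child;
            n->first_child = NULL;
            continue;
        }
        /* leaf or emptied parent: move to the next sibling, else back up */
        next = (n == root) ? NULL : n->next_sibling ? n->next_sibling : n->parent;
        free(n);
        freed++;
    }
    return freed;
}
```

A parser can also cap nesting depth while building the tree, which bounds the recursive form as well.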
Ludovic Courtès wrote on 15 Mar 2021 14:43
control message for bug #47140
(address . control@debbugs.gnu.org)
87lfaoh6rv.fsf@gnu.org
tags 47140 + security
quit
Leo Famulari wrote on 24 Mar 2021 05:06
(no subject)
(address . control@debbugs.gnu.org)
YFq6wUqi070//Gk+@jasmine.lan
block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144
Léo Le Bouter wrote on 5 Apr 2021 22:50
libupnp package vulnerable to CVE-2021-28302
(address . 47140@debbugs.gnu.org)
ede99764b2ae52b0c5ae719a70b40fe8ac6aa6ca.camel@zaclys.net
Upstream created and merged a probable patch:

Reporter still needs to confirm if it fixes the issue.


Léo Le Bouter wrote on 9 Apr 2021 03:16
(address . 47140-done@debbugs.gnu.org)
5d2864e3ee90af06e3abc6e7899fa80de0b72ded.camel@zaclys.net
Fixed by 2b605ef3b145ec136530f08ee7aa27382aa64b46


Closed

This issue is archived.