libupnp package vulnerable to CVE-2021-28302

I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------

To: guix-devel@gnu.org

CVE-2021-28302 12.03.21 16:15

A stack overflow in pupnp 1.16.1 can cause the denial of service

through the Parser_parseDocument() function. ixmlNode_free() will

release a child node recursively, which will consume stack space and

lead to a crash.

Upstream did not provide a patch yet, see <

https://github.com/pupnp/pupnp/issues/249.

I suggest we wait for the patch to be made and then update, to be

monitored.

-------------------- End of forwarded message --------------------

tags 47140 + security

quit

block 47297 with 47140

block 47297 with 47141

block 47297 with 47142

block 47297 with 47143

block 47297 with 47144

Upstream created and merged a probable patch:

Reporter still needs to confirm if it fixes the issue.

Fixed by 2b605ef3b145ec136530f08ee7aa27382aa64b46