729306 – <net-libs/gupnp-1.2.3: CallStranger vulnerability (CVE-2020-12695)

Bug 729306 - <net-libs/gupnp-1.2.3: CallStranger vulnerability (CVE-2020-12695)

Summary: <net-libs/gupnp-1.2.3: CallStranger vulnerability (CVE-2020-12695)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://mail.gnome.org/archives/gnome...
Whiteboard:	B3 [noglsa cve]
Keywords:	PullRequest

Depends on:	723976
Blocks:	CVE-2020-12695
	Show dependency tree

Reported:	2020-06-23 12:25 UTC by Sam James
Modified:	2020-10-04 14:01 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/16908
Package list:	net-libs/gssdp-1.2.3 net-libs/gupnp-1.2.3
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-06-23 12:25:43 UTC

From URL:
"I have released new versions of GUPnP. The main "feature" of this
release is the implementation of the UDA 2.0 spec addendum from
2020/04/17 which restricts notifications registered with SUBSCRIBE to
the subnet of the server. For this reason, a new GSSDP version is
required to provide the required information.

This is a reaction to CVE-2020-12695 (https://www.callstranger.com/)"

Comment 1 Larry the Git Cow gentoo-dev

2020-06-27 12:45:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d60d8b4ff2362c2e130e1096bd769fefaa1a7d32

commit d60d8b4ff2362c2e130e1096bd769fefaa1a7d32
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-06-27 12:45:43 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-06-27 12:45:43 +0000

    net-libs/gupnp: bump to 1.2.3
    
    Bug: https://bugs.gentoo.org/729306
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/gupnp/Manifest           |  1 +
 net-libs/gupnp/gupnp-1.2.3.ebuild | 84 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)

Comment 2 Mart Raudsepp gentoo-dev

2020-06-27 12:48:00 UTC

Removed gssdp from summary, as as far as I can see, there's nothing vulnerable in there in itself, but gupnp version with mitigations just needs that now as a minimum version to implement the mitigation.

Comment 3 Sam James archtester

2020-06-27 20:53:49 UTC

arm64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2020-06-28 20:28:23 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-06-28 20:39:41 UTC

ppc64 stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-06-28 20:44:47 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 7 Sam James archtester

2020-08-08 02:41:41 UTC

GLSA vote: no

Comment 8 Larry the Git Cow gentoo-dev

2020-10-04 14:01:17 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ddc30eee753215e4320afa847198ffa05823579a

commit ddc30eee753215e4320afa847198ffa05823579a
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-30 06:40:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-04 14:01:09 +0000

    net-libs/gupnp: Security cleanup (drop <1.2.3)
    
    Bug: https://bugs.gentoo.org/729306
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16908
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gupnp/Manifest           |  2 -
 net-libs/gupnp/gupnp-1.0.4.ebuild | 73 --------------------------------
 net-libs/gupnp/gupnp-1.2.2.ebuild | 88 ---------------------------------------
 3 files changed, 163 deletions(-)