784593 – (CVE-2021-31718) <net-libs/libnpupnp-4.1.4: DNS rebinding vulnerability in npupnp (CVE-2021-31718)

Bug 784593 (CVE-2021-31718) - <net-libs/libnpupnp-4.1.4: DNS rebinding vulnerability in npupnp (CVE-2021-31718)

Summary: <net-libs/libnpupnp-4.1.4: DNS rebinding vulnerability in npupnp (CVE-2021-31...

Status:	IN_PROGRESS

Alias:	CVE-2021-31718

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://www.openwall.com/lists/oss-se...
Whiteboard:	B4 [glsa?]
Keywords:

Depends on:
Blocks:

Reported:	2021-04-20 22:04 UTC by Thomas Deutschmann (RETIRED)
Modified:	2021-10-30 16:37 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2021-04-20 22:04:34 UTC

The server-part of npupnp, a library used to implement UUPnP clients and
servers, is vulnerable to DNS rebinding attacks.

Impact: A remote web server can exploit this vulnerability to trick the
user browser into triggering actions on the local UPnP services
implemented using this library.

@ maintainer(s): Please bump to >=net-libs/libnpupnp-4.1.4!

Comment 1 NATTkA bot gentoo-dev

2021-07-29 17:22:54 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:31:12 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:39:10 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:47:18 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 18:03:16 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:11:34 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 Larry the Git Cow gentoo-dev

2021-08-03 20:52:15 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7d0dd3b17b0588881711f671bcfee23334a01a0

commit f7d0dd3b17b0588881711f671bcfee23334a01a0
Author:     Erik Mackdanz <stasibear@gentoo.org>
AuthorDate: 2021-08-03 20:51:55 +0000
Commit:     Erik Mackdanz <stasibear@gentoo.org>
CommitDate: 2021-08-03 20:51:55 +0000

    net-libs/libnpupnp: bump to 4.1.4
    
    Closes: https://bugs.gentoo.org/784593
    Signed-off-by: Erik Mackdanz <stasibear@gentoo.org>
    Package-Manager: Portage-3.0.20, Repoman-3.0.3

 net-libs/libnpupnp/Manifest               |  1 +
 net-libs/libnpupnp/libnpupnp-4.1.4.ebuild | 37 +++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

Comment 8 Sam James archtester

2021-08-03 22:56:20 UTC

Reopening, we need to stable and so on - please CC arches when ready, thanks!

Comment 9 NATTkA bot gentoo-dev

2021-08-03 23:01:49 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: net-libs/libnpupnp-1.4.4

Comment 10 NATTkA bot gentoo-dev

2021-08-06 04:08:32 UTC

All sanity-check issues have been resolved

Comment 11 Sam James archtester

2021-08-10 03:34:15 UTC

ping, ready to stable?

Comment 12 Erik Mackdanz gentoo-dev

2021-08-10 03:59:04 UTC

I can stabilize it.  I usually wait 30 days per the handbook but given there's a GLSA and the package is otherwise low-risk I don't mind shortening that.

Comment 13 Sam James archtester

2021-08-10 03:59:43 UTC

(In reply to Erik Mackdanz from comment #12)
> I can stabilize it.  I usually wait 30 days per the handbook but given
> there's a GLSA and the package is otherwise low-risk I don't mind shortening
> that.

We don't worry about waiting the full period if it's a low-risk change and such when there's a security bug. Just add CC-ARCHES to the KEYWORDS on the bug when it's ready and it'll roll. Thanks!

Comment 14 John Helmert III archtester

2021-10-29 12:47:05 UTC

4.1.4 is stable, no need for further stabilization

Comment 15 Erik Mackdanz gentoo-dev

2021-10-30 16:37:31 UTC

No problem.  I can't tell if the Security team is waiting for me to do something.  I don't think so, so I'll wander away and let Security close this when you're ready.