Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 729306

Summary: <net-libs/gupnp-1.2.3: CallStranger vulnerability (CVE-2020-12695)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gnome
Priority: Normal Keywords: PullRequest
Version: unspecifiedFlags: nattka: sanity-check+
Hardware: All   
OS: Linux   
URL: https://mail.gnome.org/archives/gnome-announce-list/2020-June/msg00011.html
See Also: https://github.com/gentoo/gentoo/pull/16908
Whiteboard: B3 [noglsa cve]
Package list:
net-libs/gssdp-1.2.3 net-libs/gupnp-1.2.3
 Runtime testing required: ---
Bug Depends on: 723976    
Bug Blocks: 729302    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-23 12:25:43 UTC 
From URL:
"I have released new versions of GUPnP. The main "feature" of this
release is the implementation of the UDA 2.0 spec addendum from
2020/04/17 which restricts notifications registered with SUBSCRIBE to
the subnet of the server. For this reason, a new GSSDP version is
required to provide the required information.

This is a reaction to CVE-2020-12695 (https://www.callstranger.com/)"
Comment 1 Larry the Git Cow gentoo-dev 2020-06-27 12:45:57 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d60d8b4ff2362c2e130e1096bd769fefaa1a7d32

commit d60d8b4ff2362c2e130e1096bd769fefaa1a7d32
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-06-27 12:45:43 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-06-27 12:45:43 +0000

    net-libs/gupnp: bump to 1.2.3
    
    Bug: https://bugs.gentoo.org/729306
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/gupnp/Manifest           |  1 +
 net-libs/gupnp/gupnp-1.2.3.ebuild | 84 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)
Comment 2 Mart Raudsepp gentoo-dev 2020-06-27 12:48:00 UTC 
Removed gssdp from summary, as as far as I can see, there's nothing vulnerable in there in itself, but gupnp version with mitigations just needs that now as a minimum version to implement the mitigation.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-27 20:53:49 UTC 
arm64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-28 20:28:23 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-28 20:39:41 UTC 
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-28 20:44:47 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-08 02:41:41 UTC 
GLSA vote: no
Comment 8 Larry the Git Cow gentoo-dev 2020-10-04 14:01:17 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ddc30eee753215e4320afa847198ffa05823579a

commit ddc30eee753215e4320afa847198ffa05823579a
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-30 06:40:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-04 14:01:09 +0000

    net-libs/gupnp: Security cleanup (drop <1.2.3)
    
    Bug: https://bugs.gentoo.org/729306
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16908
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gupnp/Manifest           |  2 -
 net-libs/gupnp/gupnp-1.0.4.ebuild | 73 --------------------------------
 net-libs/gupnp/gupnp-1.2.2.ebuild | 88 ---------------------------------------
 3 files changed, 163 deletions(-)