Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 729306 - <net-libs/gupnp-1.2.3: CallStranger vulnerability (CVE-2020-12695)
Summary: <net-libs/gupnp-1.2.3: CallStranger vulnerability (CVE-2020-12695)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Keywords: PullRequest
Depends on: 723976
Blocks: CVE-2020-12695
  Show dependency tree
Reported: 2020-06-23 12:25 UTC by Sam James
Modified: 2020-10-04 14:01 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/gssdp-1.2.3 net-libs/gupnp-1.2.3
Runtime testing required: ---
nattka: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-23 12:25:43 UTC
From URL:
"I have released new versions of GUPnP. The main "feature" of this
release is the implementation of the UDA 2.0 spec addendum from
2020/04/17 which restricts notifications registered with SUBSCRIBE to
the subnet of the server. For this reason, a new GSSDP version is
required to provide the required information.

This is a reaction to CVE-2020-12695 ("
Comment 1 Larry the Git Cow gentoo-dev 2020-06-27 12:45:57 UTC
The bug has been referenced in the following commit(s):

commit d60d8b4ff2362c2e130e1096bd769fefaa1a7d32
Author:     Mart Raudsepp <>
AuthorDate: 2020-06-27 12:45:43 +0000
Commit:     Mart Raudsepp <>
CommitDate: 2020-06-27 12:45:43 +0000

    net-libs/gupnp: bump to 1.2.3
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <>

 net-libs/gupnp/Manifest           |  1 +
 net-libs/gupnp/gupnp-1.2.3.ebuild | 84 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)
Comment 2 Mart Raudsepp gentoo-dev 2020-06-27 12:48:00 UTC
Removed gssdp from summary, as as far as I can see, there's nothing vulnerable in there in itself, but gupnp version with mitigations just needs that now as a minimum version to implement the mitigation.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-27 20:53:49 UTC
arm64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-28 20:28:23 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-28 20:39:41 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-28 20:44:47 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-08 02:41:41 UTC
GLSA vote: no
Comment 8 Larry the Git Cow gentoo-dev 2020-10-04 14:01:17 UTC
The bug has been referenced in the following commit(s):

commit ddc30eee753215e4320afa847198ffa05823579a
Author:     John Helmert III <>
AuthorDate: 2020-07-30 06:40:43 +0000
Commit:     Sam James <>
CommitDate: 2020-10-04 14:01:09 +0000

    net-libs/gupnp: Security cleanup (drop <1.2.3)
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: John Helmert III <>
    Signed-off-by: Sam James <>

 net-libs/gupnp/Manifest           |  2 -
 net-libs/gupnp/gupnp-1.0.4.ebuild | 73 --------------------------------
 net-libs/gupnp/gupnp-1.2.2.ebuild | 88 ---------------------------------------
 3 files changed, 163 deletions(-)