From ${URL} : Wanted to point out this report by Matthew Garret (not sure if there's anything else than a couple of tweets public): https://twitter.com/mjg59/status/755062278513319936 Notable: "Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem" "Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile" "…and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access" And later on: "Emailed the Debian security team a couple of months ago, no response" Not good... Patch: https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Upstream issue: https://sourceforge.net/p/pupnp/bugs/132/
I've commited the patch to the tree. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11bbfa2ad250fc7af97ecc95100fe45dcd86356f I've left stable alone for now with and -r2 version of the stable package. I guess 1.16.19 would be a better candidate for stable as its been in the tree for ages.
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Sure, go ahead and stabilize.
What version? 1.6.19-r1 Is 1.6.20 patched? Even though it is not stable it would still need to be patched.
@ Yury: Upstream's v1.6.20 isn't fixed, see https://sourceforge.net/p/pupnp/code/ci/release-1.6.20/tree/upnp/src/genlib/net/http/webserver.c and compare with https://gitweb.gentoo.org/repo/gentoo.git/diff/net-libs/libupnp/files/CVE-2016-6255.patch?id=84d8f21cc2ca94d4f4a3146302726bd1c8fd3f47 However our v1.6.20 in tree contains the fix, see https://gitweb.gentoo.org/repo/gentoo.git/tree/net-libs/libupnp/libupnp-1.6.20.ebuild#n22 @ Arches, please test and mark stable: =net-libs/libupnp-1.6.20 Stable targets: alpha amd64 arm hppa ppc ppc64 sparc x86
amd64 stable
x86 stable
arm stable
sparc stable
ppc stable
ppc64 stable
Superseded by bug 598202.
This issue was resolved and addressed in GLSA 201701-52 at https://security.gentoo.org/glsa/201701-52 by GLSA coordinator Aaron Bauman (b-man).
