Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 589136 (CVE-2016-6255) - <net-libs/libupnp-1.6.18-r2: write files via POST
Summary: <net-libs/libupnp-1.6.18-r2: write files via POST
Alias: CVE-2016-6255
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve blocked]
Depends on: CVE-2016-8863
  Show dependency tree
Reported: 2016-07-19 07:46 UTC by Agostino Sarubbo
Modified: 2017-01-23 03:29 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---
kensington: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-07-19 07:46:50 UTC
From ${URL} :

Wanted to point out this report by Matthew Garret (not sure if there's
anything else than a couple of tweets public):

"Reported this to upstream 8 months ago without response, so: libupnp's
default behaviour allows anyone to write to your filesystem"
"Seriously. Find a device running a libupnp based server (Shodan says
there's rather a lot), and POST a file to /testfile. Then GET /testfile"
"…and yeah if the server is running as root (it is) and is using / as
the web root (probably not, but maybe) this gives full host fs access"

And later on:
"Emailed the Debian security team a couple of months ago, no response"

Not good...


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Whyman (thev00d00) (RETIRED) gentoo-dev 2016-09-15 19:33:46 UTC
Upstream issue:
Comment 2 Ian Whyman (thev00d00) (RETIRED) gentoo-dev 2016-09-15 20:11:37 UTC
I've commited the patch to the tree.

I've left stable alone for now with and -r2 version of the stable package. I guess 1.16.19 would be a better candidate for stable as its been in the tree for ages.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2016-09-15 22:20:10 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2016-09-16 06:54:36 UTC
Sure, go ahead and stabilize.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2016-09-16 20:47:11 UTC
What version?  1.6.19-r1
Is 1.6.20 patched? Even though it is not stable it would still need to be patched.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 18:40:30 UTC
@ Yury:

Upstream's v1.6.20 isn't fixed, see and compare with

However our v1.6.20 in tree contains the fix, see

@ Arches,

please test and mark stable: =net-libs/libupnp-1.6.20

Stable targets: alpha amd64 arm hppa ppc ppc64 sparc x86
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-19 13:54:16 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-19 13:56:36 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2016-11-29 17:39:27 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-19 14:36:35 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-12-20 09:45:58 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-12-22 09:36:13 UTC
ppc64 stable
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-08 21:42:44 UTC
Superseded by bug 598202.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-01-23 03:29:11 UTC
This issue was resolved and addressed in
 GLSA 201701-52 at
by GLSA coordinator Aaron Bauman (b-man).