Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 792063 (CVE-2021-33516) - <net-libs/gupnp-1.2.6: DNS rebinding vulnerability (CVE-2021-33516)
Summary: <net-libs/gupnp-1.2.6: DNS rebinding vulnerability (CVE-2021-33516)
Status: IN_PROGRESS
Alias: CVE-2021-33516
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-25 16:23 UTC by Sam James
Modified: 2021-07-26 07:16 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/gupnp-1.2.6 *
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-05-25 16:23:52 UTC
Description:
"An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc."
Comment 2 Sam James archtester gentoo-dev Security 2021-05-25 16:24:29 UTC
Please bump to >=1.2.5.
Comment 3 Larry the Git Cow gentoo-dev 2021-05-25 18:51:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e3cc58515aa791fac22f1c725689b257606e751

commit 9e3cc58515aa791fac22f1c725689b257606e751
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-05-25 18:41:47 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-05-25 18:51:49 +0000

    net-libs/gupnp: Version bump to 1.2.6
    
    Bug: https://bugs.gentoo.org/792063
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/gupnp/Manifest           |  1 +
 net-libs/gupnp/gupnp-1.2.6.ebuild | 84 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)
Comment 4 John Helmert III gentoo-dev Security 2021-05-25 20:20:34 UTC
Thanks! Please proceed with stabilization when ready
Comment 5 NATTkA bot gentoo-dev 2021-05-26 22:24:22 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-05-26 22:28:41 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-05-26 23:24:19 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-05-26 23:28:21 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-05-27 02:55:08 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-05-27 19:24:27 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-05-28 04:24:23 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-05-28 16:00:29 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-05-28 16:42:51 UTC Comment hidden (obsolete)
Comment 14 Larry the Git Cow gentoo-dev 2021-05-31 02:00:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65473d0a664a8a4b72482e9503f200b2a10dffee

commit 65473d0a664a8a4b72482e9503f200b2a10dffee
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2021-05-30 23:53:01 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2021-05-31 01:58:18 +0000

    net-libs/gupnp: Drop old versions
    
    Bug: https://bugs.gentoo.org/792063
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/gupnp/Manifest           |  1 -
 net-libs/gupnp/gupnp-1.2.4.ebuild | 84 ---------------------------------------
 2 files changed, 85 deletions(-)
Comment 15 NATTkA bot gentoo-dev 2021-07-26 07:16:58 UTC
Unable to check for sanity:

> no match for package: net-libs/gupnp-1.2.6