GNU bug report logs - #47140
libupnp package vulnerable to CVE-2021-28302

Previous Next

Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Sun, 14 Mar 2021 21:31:02 UTC

Severity: normal

Tags: security

Done: Léo Le Bouter <lle-bout <at> zaclys.net>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 47140 in the body.
You can then email your comments to 47140 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#47140; Package guix. (Sun, 14 Mar 2021 21:31:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Mark H Weaver <mhw <at> netris.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 14 Mar 2021 21:31:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: bug-guix <at> gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: libupnp package vulnerable to CVE-2021-28302
Date: Sun, 14 Mar 2021 17:29:06 -0400

[Message part 1 (text/plain, inline)]
I'm forwarding this to bug-guix <at> gnu.org so that it won't be forgotten.

       Mark

-------------------- Start of forwarded message --------------------
Subject: libupnp package vulnerable to CVE-2021-28302
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: guix-devel <at> gnu.org
Date: Sat, 13 Mar 2021 02:12:45 +0100


[Message part 2 (text/plain, inline)]
CVE-2021-28302	12.03.21 16:15
A stack overflow in pupnp 1.16.1 can cause the denial of service
through the Parser_parseDocument() function. ixmlNode_free() will
release a child node recursively, which will consume stack space and
lead to a crash.

Upstream did not provide a patch yet, see <
https://github.com/pupnp/pupnp/issues/249>.

I suggest we wait for the patch to be made and then update, to be
monitored.

[signature.asc (application/pgp-signature, inline)]
[Message part 4 (text/plain, inline)]
-------------------- End of forwarded message --------------------
Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 15 Mar 2021 13:44:03 GMT) Full text and rfc822 format available.
Added indication that bug 47140 blocks47297 Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Wed, 24 Mar 2021 04:07:02 GMT) Full text and rfc822 format available.
Information forwarded to bug-guix <at> gnu.org:
bug#47140; Package guix. (Mon, 05 Apr 2021 20:52:02 GMT) Full text and rfc822 format available.

Message #12 received at 47140 <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47140 <at> debbugs.gnu.org
Subject: libupnp package vulnerable to CVE-2021-28302
Date: Mon, 05 Apr 2021 22:50:56 +0200

[Message part 1 (text/plain, inline)]
Upstream created and merged a probable patch: 
https://github.com/pupnp/pupnp/pull/306

Reporter still needs to confirm if it fixes the issue.

[signature.asc (application/pgp-signature, inline)]
Reply sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
You have taken responsibility. (Fri, 09 Apr 2021 01:17:02 GMT) Full text and rfc822 format available.
Notification sent to Mark H Weaver <mhw <at> netris.org>:
bug acknowledged by developer. (Fri, 09 Apr 2021 01:17:02 GMT) Full text and rfc822 format available.

Message #17 received at 47140-done <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47140-done <at> debbugs.gnu.org
Subject: libupnp package vulnerable to CVE-2021-28302
Date: Fri, 09 Apr 2021 03:16:11 +0200

[Message part 1 (text/plain, inline)]
Fixed by 2b605ef3b145ec136530f08ee7aa27382aa64b46

[signature.asc (application/pgp-signature, inline)]
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 07 May 2021 11:24:05 GMT) Full text and rfc822 format available.
This bug report was last modified 2 years and 348 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.