Bug 28923

Summary: libupnp new security issue CVE-2021-29462
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, brtians1, geiger.david68210, herman.viaene, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: libupnp-1.14.5-1.mga9.src.rpm CVE: CVE-2021-29462
Status comment:

Description David Walser 2021-05-14 23:57:57 CEST 
Upstream has issued an advisory on April 20:
https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg

The issue is fixed upstream in 1.14.6.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-14 23:58:11 CEST

Status comment: (none) => Fixed upstream in 1.14.6
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-05-15 19:58:00 CEST 
Assigning to DavidG, as you did most recent versions 1.14.2, 1.14.5.

Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2021-05-15 21:07:13 CEST 
Done for Cauldron and mga8!

It is more complicated for mga7 as we are on 1.8 branch :(
Comment 3 David Walser 2021-05-15 21:18:11 CEST 
Packages list:
libupnp17-1.14.6-1.mga8
libupnp-devel-1.14.6-1.mga8
libixml11-1.14.6-1.mga8

from libupnp-1.14.6-1.mga8.src.rpm


Maybe another distro has backported a fix for this.  I'm over two months behind tracking distro advisories, so I'm not sure who has fixed this.

Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 4 David Walser 2021-06-27 21:03:31 CEST 
Advisory:
========================

Updated libupnp packages fix security vulnerability:

The Portable SDK for UPnP Devices is an SDK for development of UPnP device and
control point applications. The server part of pupnp (libupnp) appears to be
vulnerable to DNS rebinding attacks because it does not check the value of the
'Host' header. This can be mitigated by using DNS revolvers which block
DNS-rebinding attacks. The vulnerability is fixed in version 1.14.6 and later
(CVE-2021-29462).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29462
https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg
========================

Updated packages in core/updates_testing:
========================
libupnp13-1.8.4-3.2.mga7
libixml10-1.8.4-3.2.mga7
libupnp-devel-1.8.4-3.2.mga7
libupnp17-1.14.6-1.mga8
libupnp-devel-1.14.6-1.mga8
libixml11-1.14.6-1.mga8

from SRPMS:
libupnp-1.8.4-3.2.mga7.src.rpm
libupnp-1.14.6-1.mga8.src.rpm

Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 1.14.6 => (none)
CC: (none) => geiger.david68210

Comment 5 Herman Viaene 2021-06-29 14:07:51 CEST 
MGA7-64 Plasma n Lenovo B50
No installation issues.
No ill effects on the system.Did some reading on dependent packages like amule and ring, and decided this is out of my league. Abandoning here

CC: (none) => herman.viaene

Comment 6 Brian Rockwell 2021-07-06 22:28:20 CEST 
MGA7

The following 3 packages are going to be installed:

- lib64ixml10-1.8.4-3.2.mga7.x86_64
- lib64upnp-devel-1.8.4-3.2.mga7.x86_64
- lib64upnp13-1.8.4-3.2.mga7.x86_64


mediatomb is listed as using this product.

--installing mediatomb


The following 4 packages are going to be installed:

- lib64ffmpegthumbnailer4-2.2.0-5.mga7.x86_64
- lib64mozjs185_1.0-1.85-13.mga7.x86_64
- mediatomb-0.12.1-24.mga7.x86_64
- youtube-dl-2020.05.29-1.mga7.noarch


----

I run mediatomb from command line

link to audio/video through browser http://10.0.2.15:49153/

----

mediatomb kind-a-sort-a works.

CC: (none) => brtians1
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 7 Brian Rockwell 2021-07-07 05:18:38 CEST 
MGA8 - this time Gerbera is used

Note a the system was updated, but picked up some additional items

The following 25 packages are going to be installed:

- gcc-10.3.0-1.mga8.x86_64
- gcc-cpp-10.3.0-1.mga8.x86_64
- gerbera-1.6.4-3.mga8.x86_64
- gerbera-data-1.6.4-3.mga8.noarch
- isl-0.18-2.mga8.x86_64
- lib64duktape206-2.6.0-1.mga8.x86_64
- lib64ebml5-1.4.2-1.mga8.x86_64
- lib64ffmpegthumbnailer4-2.2.2-1.mga8.x86_64
- lib64fmt-devel-7.1.3-1.mga8.x86_64
- lib64fmt7-7.1.3-1.mga8.x86_64
- lib64isl15-0.18-2.mga8.x86_64
- lib64ixml11-1.14.6-1.mga8.x86_64
- lib64matroska7-1.6.2-1.mga8.x86_64
- lib64pugixml1-1.11.4-1.mga8.x86_64
- lib64rpm9-4.16.1.3-1.1.mga8.x86_64
- lib64spdlog1-1.8.2-1.mga8.x86_64
- lib64upnp-devel-1.14.6-1.mga8.x86_64
- lib64upnp17-1.14.6-1.mga8.x86_64
- libstdc++-devel-10.3.0-1.mga8.x86_64
- libstdc++-python-devel-10.3.0-1.mga8.x86_64
- python3-rpm-4.16.1.3-1.1.mga8.x86_64
- rpm-4.16.1.3-1.1.mga8.x86_64
- rpm-plugin-ima-4.16.1.3-1.1.mga8.x86_64
- rpm-plugin-syslog-4.16.1.3-1.1.mga8.x86_64
- rpm-plugin-systemd-inhibit-4.16.1.3-1.1.mga8.x86_64


lib64upnp picked up, added the dev libraries to confirm they installed.

No issues on install

Gerbera worked much better than mediatomb.

this is functional

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 8 Thomas Andrews 2021-07-07 22:55:57 CEST 
Looks like you kinda sorta tested rpm, too.

Thanks, Brian. Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-07-08 22:22:50 CEST

CC: (none) => ouaurelien
CVE: (none) => CVE-2021-29462
Keywords: (none) => advisory

Comment 9 Mageia Robot 2021-07-09 00:44:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0319.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED