Bug 29085

Summary: gupnp new security issue CVE-2021-33516
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, nicolas.salguero, olav, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: gupnp-1.2.4-1.mga8.src.rpm CVE: CVE-2021-33516
Status comment:

Description David Walser 2021-06-06 20:00:08 CEST 
Ubuntu has issued an advisory on June 1:
https://ubuntu.com/security/notices/USN-4970-1

The issue is fixed upstream in 1.2.5.

Mageia 7 is also affected.
David Walser 2021-06-06 20:00:22 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.2.5

Comment 1 Lewis Smith 2021-06-06 20:19:56 CEST 
We already have 1.2.5, 1.2.6 & 1.2.7 in Cauldron.
Assigning this to Olave who committed all these (and more).

Assignee: bugsquad => olav

Comment 2 David Walser 2021-06-10 20:02:48 CEST 
RedHat has issued an advisory for this on June 9:
https://access.redhat.com/errata/RHSA-2021:2363

Severity: major => critical
CC: (none) => olav
Assignee: olav => pkg-bugs

Comment 3 Nicolas Salguero 2021-06-11 16:40:30 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc. (CVE-2021-33516)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33516
https://ubuntu.com/security/notices/USN-4970-1
https://access.redhat.com/errata/RHSA-2021:2363
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)gupnp1.2_0-1.2.3-1.1.mga7
lib(64)gupnp-devel-1.2.3-1.1.mga7
lib(64)gupnp-gir1.2-1.2.3-1.1.mga7

from SRPM:
gupnp-1.2.3-1.1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)gupnp1.2_0-1.2.4-1.1.mga8
lib(64)gupnp-devel-1.2.4-1.1.mga8
lib(64)gupnp-gir1.2-1.2.4-1.1.mga8

from SRPM:
gupnp-1.2.4-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs

Nicolas Salguero 2021-06-11 16:40:42 CEST

Status comment: Fixed upstream in 1.2.5 => (none)
CVE: (none) => CVE-2021-33516

Comment 4 Herman Viaene 2021-06-12 17:18:18 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues
At CLI:
$ gssdp-device-sniffer -i wlp9s0
opens a window which remains empty, no packets seen, no device info.....

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2021-06-12 17:19:23 CEST 
That was trying to reproduce the test in bug 26918
Comment 6 Herman Viaene 2021-06-19 14:33:28 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues
Same result as in Comment 4.
Comment 7 David Walser 2021-06-21 22:19:43 CEST 
This is a library, so the best way to test it is through a package that uses it:
caja-sendto-upnp
dleyna-server
gupnp-tools
rygel
Comment 8 Herman Viaene 2021-06-22 10:49:18 CEST 
Took the advice and installed gupnp-tools and tried a few commands
$ gssdp-discover 
Using network interface wlp9s0
Scanning for all resources
Showing "available" messages
...and then nothing.... I don't knw what to expect.
Aborting and another one
$ gupnp-network-light 

** (gupnp-network-light:22313): CRITICAL **: 10:40:13.249: Failed to find UDN elementin device description
Attaching to IP/Host 127.0.0.1 on port 39169
Attaching to IP/Host 192.168.2.5 on port 33543
That showed me the image of a light bulb, which I could switch on and off.
Quitting  gave feedback on the CLI:
Detaching from IP/Host 127.0.0.1 and port 39169
Detaching from IP/Host 192.168.

stracing shows call on libgupnp-1.2.so.0
So seems OK to me.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 9 David Walser 2021-07-08 23:11:18 CEST 
Repeated Herman's tests on Mageia 8, before and after the update, same results.

$ gssdp-discover 
Using network interface enp3s0
Scanning for all resources
Showing "available" messages
resource available
  USN:      uuid:<snip>
Location: http://<snip>

it found lots of things.

$ gupnp-network-light 

** (gupnp-network-light:1603957): CRITICAL **: 17:09:51.921: Failed to find UDN elementin device description
Attaching to IP/Host 127.0.0.1 on port 46251
Attaching to IP/Host 192.168.*.* on port 45929
Detaching from IP/Host 127.0.0.1 and port 46251
Detaching from IP/Host 192.168.*.* and port 45929

which gave the light bulb program.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 10 Aurelien Oudelet 2021-07-08 23:18:12 CEST 
Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 11 Mageia Robot 2021-07-09 00:45:00 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0321.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED