Bug 26752 - libupnp new security issue CVE-2020-13848
Summary: libupnp new security issue CVE-2020-13848
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-06-09 19:31 CEST by David Walser
Modified: 2020-07-05 00:48 CEST (History)
6 users (show)

See Also:
Source RPM: libupnp-1.8.4-3.mga7.src.rpm
CVE: CVE-2020-13848
Status comment:


Attachments

Description David Walser 2020-06-09 19:31:57 CEST
Debian-LTS has issued an advisory on June 8:
https://www.debian.org/lts/security/2020/dla-2238

Mageia 7 is also affected.
David Walser 2020-06-09 19:32:03 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-06-09 20:52:29 CEST
No registered or evident maintainer, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2020-06-12 10:47:58 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c. (CVE-2020-13848)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13848
https://www.debian.org/lts/security/2020/dla-2238
========================

Updated packages in core/updates_testing:
========================
lib(64)upnp13-1.8.4-3.1.mga7
lib(64)ixml10-1.8.4-3.1.mga7
lib(64)upnp-devel-1.8.4-3.1.mga7

from SRPMS:
libupnp-1.8.4-3.1.mga7.src.rpm

CVE: (none) => CVE-2020-13848
Version: Cauldron => 7
Source RPM: libupnp-1.12.1-1.mga8.src.rpm => libupnp-1.8.4-3.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED

Comment 3 Len Lawrence 2020-06-14 18:18:08 CEST
Looking at earlier tests related to these packages it seems that ushare would be useful but can find it nowhere in mga7.  RPMs are available in mageia6 and earlier incarnations.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2020-06-14 19:01:12 CEST
Nowhere near updating yet.  Trying to run amule but getting nowhere.  There is a local .aMule/amule.conf dated 2016 and another from today's installation on another node in the network which looks very different.  amulegui launches but I have no idea what it is supposed to do.  Have not managed to get a connection to the other machine.  Have to give up on that.

Earlier tests (2016) involved using ushare as a UPnP server to play vlc remotely and stream video content to the local machine - no ushare here now.
Comment 5 David Walser 2020-06-14 19:07:03 CEST
What about mediatomb?
Comment 6 Len Lawrence 2020-06-14 22:28:48 CEST
Thanks David - overlooked that.  Have to read some history.
Comment 7 Len Lawrence 2020-06-14 23:00:44 CEST
Started Mediatomb on two nodes of the LAN.  On one node set vlc playing a video.
On the updates machine tried to get vlc to see the stream
Struggling to enable UPnP in vlc.  The plugin is installed.
I tried menu -> open media -> open network stream
Under Network added
upnp://<...ip...>:49152/home/lcl/Videos/...
and pressed play.  The vlc log shows:
[00007f9210001d40] upnp stream: Initializing libupnp on 'default' interface
[00007f9210001d40] upnp stream error: No response from browse() action
Comment 8 Len Lawrence 2020-06-14 23:18:20 CEST
Also fiddled with vlc settings at the other end.  Not really sure how this is supposed to work.  It succeeded some years ago so there must be something else to be done.
Comment 9 Len Lawrence 2020-06-14 23:22:02 CEST
Hmm, looking at this:
https://bugs.mageia.org/show_bug.cgi?id=14143#c9
it seems that some configuration is needed.
Leaving this until tomorrow.
Comment 10 Len Lawrence 2020-06-15 08:59:59 CEST
The link quoted in comment 9 refers to ushare.  Mediatomb has an XML configuration file.  Guidance needed to change or add anything there.

The mediatomb web interface on machine B can be accessed via a browser on machine A using the http address but vlc cannot get a response using UPnP.
So does anybody know if this format is correct for network streaming?
upnp://<ip-address-on-LAN>:49152/home/user/Videos/whatever.mp4
Comment 11 Len Lawrence 2020-06-15 10:22:40 CEST
More experiments.  Tried this on the remote machine:

$ mediatomb -i lcl
....
2020-06-15 09:18:32    INFO: Configuration check succeeded.
2020-06-15 09:18:32   ERROR: main: upnp error -208
2020-06-15 09:18:32   ERROR: Socket error.
2020-06-15 09:18:32    INFO: Please check if your network interface was configured for multicast!
2020-06-15 09:18:32    INFO: Refer to the README file for more information.
2020-06-15 09:18:32   ERROR: upnp_cleanup: UpnpUnRegisterRootDevice failed

No idea how to get around that problem.
Comment 12 Len Lawrence 2020-06-15 10:23:56 CEST
Same error at the "client" end.
Comment 13 Len Lawrence 2020-06-15 10:59:34 CEST
Had a look at https://bugs.mageia.org/show_bug.cgi?id=19961
Comment 5 mentions a Plugins tab, which does not exist in the current vlc.  There is a -> Playlist -> Services discovery -> UPnP tab accessible from Preferences -> Video -> Show settings All.  That has IP channel list set to auto.
Comment 14 PC LX 2020-06-16 17:01:44 CEST
Installed and tested without issues.


Tested using amuled and vlc with vlc-plugin-upnp to load videos from a minidlna server.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ cat /proc/18235/cmdline 
amuled--ec-config--log-stdout
$ egrep -i '(upnp|ixml)' /proc/18235/maps 
7f8aa8c9d000-7f8aa8ca0000 r--p 00000000 00:17 2018578                    /usr/lib64/libixml.so.10.0.1
7f8aa8ca0000-7f8aa8ca5000 r-xp 00003000 00:17 2018578                    /usr/lib64/libixml.so.10.0.1
7f8aa8ca5000-7f8aa8ca7000 r--p 00008000 00:17 2018578                    /usr/lib64/libixml.so.10.0.1
7f8aa8ca7000-7f8aa8ca8000 r--p 00009000 00:17 2018578                    /usr/lib64/libixml.so.10.0.1
7f8aa8ca8000-7f8aa8ca9000 rw-p 0000a000 00:17 2018578                    /usr/lib64/libixml.so.10.0.1
7f8aa8cab000-7f8aa8cb6000 r--p 00000000 00:17 2018581                    /usr/lib64/libupnp.so.13.0.0
7f8aa8cb6000-7f8aa8cd1000 r-xp 0000b000 00:17 2018581                    /usr/lib64/libupnp.so.13.0.0
7f8aa8cd1000-7f8aa8cdc000 r--p 00026000 00:17 2018581                    /usr/lib64/libupnp.so.13.0.0
7f8aa8cdc000-7f8aa8cdd000 r--p 00030000 00:17 2018581                    /usr/lib64/libupnp.so.13.0.0
7f8aa8cdd000-7f8aa8cde000 rw-p 00031000 00:17 2018581                    /usr/lib64/libupnp.so.13.0.0
$ cat /proc/18355/cmdline 
/usr/bin/vlc--started-from-file
$ egrep -i '(upnp|ixml)' /proc/18355/maps 
7f909d299000-7f909d2a4000 r--p 00000000 00:17 2018581                    /usr/lib64/libupnp.so.13.0.0
7f909d2a4000-7f909d2bf000 r-xp 0000b000 00:17 2018581                    /usr/lib64/libupnp.so.13.0.0
7f909d2bf000-7f909d2ca000 r--p 00026000 00:17 2018581                    /usr/lib64/libupnp.so.13.0.0
7f909d2ca000-7f909d2cb000 r--p 00030000 00:17 2018581                    /usr/lib64/libupnp.so.13.0.0
7f909d2cb000-7f909d2cc000 rw-p 00031000 00:17 2018581                    /usr/lib64/libupnp.so.13.0.0
7f909d3ff000-7f909d402000 r--p 00000000 00:17 2018578                    /usr/lib64/libixml.so.10.0.1
7f909d402000-7f909d407000 r-xp 00003000 00:17 2018578                    /usr/lib64/libixml.so.10.0.1
7f909d407000-7f909d409000 r--p 00008000 00:17 2018578                    /usr/lib64/libixml.so.10.0.1
7f909d409000-7f909d40a000 r--p 00009000 00:17 2018578                    /usr/lib64/libixml.so.10.0.1
7f909d40a000-7f909d40b000 rw-p 0000a000 00:17 2018578                    /usr/lib64/libixml.so.10.0.1
7f909d40b000-7f909d40d000 r--p 00000000 00:17 1835159                    /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
7f909d40d000-7f909d416000 r-xp 00002000 00:17 1835159                    /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
7f909d416000-7f909d418000 r--p 0000b000 00:17 1835159                    /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
7f909d418000-7f909d419000 ---p 0000d000 00:17 1835159                    /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
7f909d419000-7f909d41a000 r--p 0000d000 00:17 1835159                    /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
7f909d41a000-7f909d41b000 rw-p 0000e000 00:17 1835159                    /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
$ rpm -qf /usr/lib64/libupnp.so.13.0.0 /usr/lib64/libixml.so.10.0.1 /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
lib64upnp13-1.8.4-3.1.mga7
lib64ixml10-1.8.4-3.1.mga7
vlc-plugin-upnp-3.0.10-1.mga7.tainted
$ urpmq --whatrequires-recursive lib64upnp13 lib64ixml10 | sort -u
amule
amule-commandline
amule-webserver
lib64ixml10
lib64ring0
lib64ring-devel
lib64upnp13
lib64upnp-devel
libring-devel
ring-client-gnome
ring-daemon
ring-kde
vlc-plugin-upnp

CC: (none) => mageia

Comment 15 Thomas Andrews 2020-06-28 18:09:02 CEST
Len, PC LX's test looks plenty good enough to me. You OK with it? If so, we'll send this one on its way.

CC: (none) => andrewsfarm

Comment 16 Len Lawrence 2020-06-29 07:44:07 CEST
Yes, thanks TJ; OK by me.  Have updated the whiteboard.

Whiteboard: (none) => MGA7-64-OK

Comment 17 Thomas Andrews 2020-06-29 12:42:49 CEST
Cool. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Nicolas Lécureuil 2020-07-04 23:50:14 CEST

CC: (none) => mageia
Keywords: (none) => advisory

Comment 18 Mageia Robot 2020-07-05 00:48:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0270.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.