Debian-LTS has issued an advisory on June 8:
https://www.debian.org/lts/security/2020/dla-2238

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
No registered or evident maintainer, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c. (CVE-2020-13848)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13848
https://www.debian.org/lts/security/2020/dla-2238
========================

Updated packages in core/updates_testing:
========================
lib(64)upnp13-1.8.4-3.1.mga7
lib(64)ixml10-1.8.4-3.1.mga7
lib(64)upnp-devel-1.8.4-3.1.mga7

from SRPMS:
libupnp-1.8.4-3.1.mga7.src.rpm
CVE: (none) => CVE-2020-13848
Version: Cauldron => 7
Source RPM: libupnp-1.12.1-1.mga8.src.rpm => libupnp-1.8.4-3.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED
Looking at earlier tests related to these packages it seems that ushare would be useful but can find it nowhere in mga7. RPMs are available in mageia6 and earlier incarnations.
CC: (none) => tarazed25
Nowhere near updating yet. Trying to run amule but getting nowhere. There is a local .aMule/amule.conf dated 2016 and another from today's installation on another node in the network which looks very different. amulegui launches but I have no idea what it is supposed to do. Have not managed to get a connection to the other machine. Have to give up on that. Earlier tests (2016) involved using ushare as a UPnP server to play vlc remotely and stream video content to the local machine - no ushare here now.
What about mediatomb?
Thanks David - overlooked that. Have to read some history.
Started Mediatomb on two nodes of the LAN. On one node set vlc playing a video. On the updates machine tried to get vlc to see the stream. Struggling to enable UPnP in vlc. The plugin is installed.
I tried menu -> open media -> open network stream
Under Network added upnp://<...ip...>:49152/home/lcl/Videos/... and pressed play.
The vlc log shows:
[00007f9210001d40] upnp stream: Initializing libupnp on 'default' interface
[00007f9210001d40] upnp stream error: No response from browse() action
Also fiddled with vlc settings at the other end. Not really sure how this is supposed to work. It succeeded some years ago so there must be something else to be done.
Hmm, looking at this: https://bugs.mageia.org/show_bug.cgi?id=14143#c9 it seems that some configuration is needed. Leaving this until tomorrow.
The link quoted in comment 9 refers to ushare. Mediatomb has an XML configuration file. Guidance needed to change or add anything there. The mediatomb web interface on machine B can be accessed via a browser on machine A using the http address but vlc cannot get a response using UPnP. So does anybody know if this format is correct for network streaming? upnp://<ip-address-on-LAN>:49152/home/user/Videos/whatever.mp4
More experiments. Tried this on the remote machine:
$ mediatomb -i lcl
....
2020-06-15 09:18:32 INFO: Configuration check succeeded.
2020-06-15 09:18:32 ERROR: main: upnp error -208
2020-06-15 09:18:32 ERROR: Socket error.
2020-06-15 09:18:32 INFO: Please check if your network interface was configured for multicast!
2020-06-15 09:18:32 INFO: Refer to the README file for more information.
2020-06-15 09:18:32 ERROR: upnp_cleanup: UpnpUnRegisterRootDevice failed
No idea how to get around that problem.
Same error at the "client" end.
Had a look at https://bugs.mageia.org/show_bug.cgi?id=19961 Comment 5 mentions a Plugins tab, which does not exist in the current vlc. There is a -> Playlist -> Services discovery -> UPnP tab accessible from Preferences -> Video -> Show settings All. That has IP channel list set to auto.
Installed and tested without issues.

Tested using amuled and vlc with vlc-plugin-upnp to load videos from a minidlna server.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ cat /proc/18235/cmdline
amuled--ec-config--log-stdout

$ egrep -i '(upnp|ixml)' /proc/18235/maps
7f8aa8c9d000-7f8aa8ca0000 r--p 00000000 00:17 2018578 /usr/lib64/libixml.so.10.0.1
7f8aa8ca0000-7f8aa8ca5000 r-xp 00003000 00:17 2018578 /usr/lib64/libixml.so.10.0.1
7f8aa8ca5000-7f8aa8ca7000 r--p 00008000 00:17 2018578 /usr/lib64/libixml.so.10.0.1
7f8aa8ca7000-7f8aa8ca8000 r--p 00009000 00:17 2018578 /usr/lib64/libixml.so.10.0.1
7f8aa8ca8000-7f8aa8ca9000 rw-p 0000a000 00:17 2018578 /usr/lib64/libixml.so.10.0.1
7f8aa8cab000-7f8aa8cb6000 r--p 00000000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0
7f8aa8cb6000-7f8aa8cd1000 r-xp 0000b000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0
7f8aa8cd1000-7f8aa8cdc000 r--p 00026000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0
7f8aa8cdc000-7f8aa8cdd000 r--p 00030000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0
7f8aa8cdd000-7f8aa8cde000 rw-p 00031000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0

$ cat /proc/18355/cmdline
/usr/bin/vlc--started-from-file

$ egrep -i '(upnp|ixml)' /proc/18355/maps
7f909d299000-7f909d2a4000 r--p 00000000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0
7f909d2a4000-7f909d2bf000 r-xp 0000b000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0
7f909d2bf000-7f909d2ca000 r--p 00026000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0
7f909d2ca000-7f909d2cb000 r--p 00030000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0
7f909d2cb000-7f909d2cc000 rw-p 00031000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0
7f909d3ff000-7f909d402000 r--p 00000000 00:17 2018578 /usr/lib64/libixml.so.10.0.1
7f909d402000-7f909d407000 r-xp 00003000 00:17 2018578 /usr/lib64/libixml.so.10.0.1
7f909d407000-7f909d409000 r--p 00008000 00:17 2018578 /usr/lib64/libixml.so.10.0.1
7f909d409000-7f909d40a000 r--p 00009000 00:17 2018578 /usr/lib64/libixml.so.10.0.1
7f909d40a000-7f909d40b000 rw-p 0000a000 00:17 2018578 /usr/lib64/libixml.so.10.0.1
7f909d40b000-7f909d40d000 r--p 00000000 00:17 1835159 /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
7f909d40d000-7f909d416000 r-xp 00002000 00:17 1835159 /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
7f909d416000-7f909d418000 r--p 0000b000 00:17 1835159 /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
7f909d418000-7f909d419000 ---p 0000d000 00:17 1835159 /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
7f909d419000-7f909d41a000 r--p 0000d000 00:17 1835159 /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
7f909d41a000-7f909d41b000 rw-p 0000e000 00:17 1835159 /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so

$ rpm -qf /usr/lib64/libupnp.so.13.0.0 /usr/lib64/libixml.so.10.0.1 /usr/lib64/vlc/plugins/services_discovery/libupnp_plugin.so
lib64upnp13-1.8.4-3.1.mga7
lib64ixml10-1.8.4-3.1.mga7
vlc-plugin-upnp-3.0.10-1.mga7.tainted

$ urpmq --whatrequires-recursive lib64upnp13 lib64ixml10 | sort -u
amule
amule-commandline
amule-webserver
lib64ixml10
lib64ring0
lib64ring-devel
lib64upnp13
lib64upnp-devel
libring-devel
ring-client-gnome
ring-daemon
ring-kde
vlc-plugin-upnp
CC: (none) => mageia
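The /proc/PID/maps check used in the test above can be scripted. The following is an added example, not part of the bug report: it lists the libupnp/libixml objects a process has mapped and goes one step further by flagging mappings marked "(deleted)", which the kernel reports when the file was replaced on disk and the process is still running the old copy. The function names (mapped_libs, scan_procs, sample_maps, demo) and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which libupnp/libixml objects a process has mapped.

# mapped_libs FILE
#   FILE is in /proc/PID/maps format. Prints one line per unique library:
#   "<path> current" or "<path> STALE". STALE means the path is followed by
#   "(deleted)": the file was replaced on disk (for instance by the update)
#   and the process still uses the old copy until it is restarted.
mapped_libs() {
    awk '
        $6 ~ "/lib(upnp|ixml)[^/]*[.]so" {
            state = ($7 == "(deleted)") ? "STALE" : "current"
            seen[$6 " " state] = 1
        }
        END { for (k in seen) print k }
    ' "$1" | sort
}

# scan_procs: apply mapped_libs to every readable process on this host,
# prefixing each result line with the PID.
scan_procs() {
    for m in /proc/[0-9]*/maps; do
        [ -r "$m" ] || continue
        pid=${m#/proc/}; pid=${pid%/maps}
        mapped_libs "$m" 2>/dev/null | sed "s|^|$pid |"
    done
}

# Constructed sample (not taken from the bug report): libupnp is current,
# libixml was replaced on disk after the process started.
sample_maps() {
    cat <<'EOF'
7f0000000000-7f000000b000 r--p 00000000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0
7f000000b000-7f0000026000 r-xp 0000b000 00:17 2018581 /usr/lib64/libupnp.so.13.0.0
7f0000030000-7f0000033000 r--p 00000000 00:17 2018578 /usr/lib64/libixml.so.10.0.1 (deleted)
7f0000040000-7f0000041000 rw-p 00000000 00:00 0
EOF
}

# demo: run mapped_libs over the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_maps > "$tmp"
    mapped_libs "$tmp"
    rm -f "$tmp"
}
```

Run scan_procs as root to cover processes owned by other users; the paths reported as current can then be passed to rpm -qf to confirm the package version, as in the test above.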
Len, PC LX's test looks plenty good enough to me. You OK with it? If so, we'll send this one on its way.
CC: (none) => andrewsfarm
Yes, thanks TJ; OK by me. Have updated the whiteboard.
Whiteboard: (none) => MGA7-64-OK
Cool. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => mageia
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0270.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED