Upstream has announced a security issue on June 23:
https://mail.gnome.org/archives/gupnp-list/2020-June/msg00000.html

The issue is fixed in 1.2.3.
No evident maintainer for either of these packages, so having to assign this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue. (CVE-2020-12695)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695
https://mail.gnome.org/archives/gupnp-list/2020-June/msg00000.html
========================

Updated packages in core/updates_testing:
========================
gssdp-1.2.3-1.mga7
lib(64)gssdp1.2_0-1.2.3-1.mga7
lib(64)gssdp-devel-1.2.3-1.mga7
lib(64)gssdp-gir1.2-1.2.3-1.mga7
lib(64)gupnp1.2_0-1.2.3-1.mga7
lib(64)gupnp-devel-1.2.3-1.mga7
lib(64)gupnp-gir1.2-1.2.3-1.mga7

from SRPMS:
gssdp-1.2.3-1.mga7.src.rpm
gupnp-1.2.3-1.mga7.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-12695
Assignee: pkg-bugs => qa-bugs
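Added example, not part of the original bug report and not GUPnP's own code: a sketch of the check the advisory wording implies, screening the delivery URLs in a SUBSCRIBE request's CALLBACK header against the network segment the request arrived on. The subnet, request contents and function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: the segment of the interface that received the SUBSCRIBE.
LOCAL_NET = ipaddress.ip_network("192.168.2.0/24")

def make_subscribe(callback: str) -> str:
    """Build a constructed GENA SUBSCRIBE request with the given CALLBACK value."""
    return "\r\n".join([
        "SUBSCRIBE /upnp/event/cds HTTP/1.1",
        "HOST: 192.168.2.15:49000",
        f"CALLBACK: {callback}",
        "NT: upnp:event",
        "TIMEOUT: Second-1800",
        "", "",
    ])

def parse_callback_urls(request: str) -> list[str]:
    """Return the delivery URLs listed in the CALLBACK header, in order."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "callback":
            # The value is one or more URLs, each wrapped in angle brackets.
            return [part.split(">", 1)[0] for part in value.split("<")[1:]]
    return []

def on_segment(url: str, net) -> bool:
    """True only for an http URL whose host is a literal address inside net."""
    try:
        parts = urlsplit(url)
        addr = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False   # malformed URL, or a hostname: refuse instead of resolving
    return parts.scheme == "http" and addr in net

def screen_subscribe(request: str, net) -> tuple[list[str], list[str]]:
    """Split the delivery URLs into (accepted, rejected) for this segment."""
    urls = parse_callback_urls(request)
    accepted = [u for u in urls if on_segment(u, net)]
    rejected = [u for u in urls if u not in accepted]
    return accepted, rejected

if __name__ == "__main__":
    req = make_subscribe("<http://203.0.113.10/notify><http://192.168.2.20:5000/notify>")
    print(screen_subscribe(req, LOCAL_NET))
```

A device applying this policy would refuse the subscription when the accepted list is empty, so no event notifications are sent off the local segment.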
MGA7-64 Plasma on Lenovo B50
No installation issues

At CLI:
$ gssdp-device-sniffer
opens a window which lists packages sniffed on the network. Selecting one of those gives below more details such as:

Received on: Sun Jul 26 14:12:44 2020
Headers:
LOCATION: http://192.168.2.15:49000/MediaServerDevDesc.xml
Server:<my router> UPnP/1.0 AVM FRITZ!Box 7490 113.07.01
CACHE-CONTROL: max-age=1800
EXT:
ST: urn:schemas-upnp-org:device:MediaServer:1
USN: uuid:fa095ecc-e13e-40e7-8e6c-3431c480a9b4::urn:schemas-upnp-org:device:MediaServer:1

As far as I understand this, looks OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0304.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
mga8, x86_64

Before updating checked out rygel which on launch performs an autonomous search through the user's directories for music, video and picture files to be shared on different networks.

Updated the packages.

Ran rygel under strace and let it run the harvesting process. It hangs after that. Launched Rygel preferences from the system tools menu. The user's multimedia directories were registered in one panel of the GUI. Below that was the networks panel, waiting for input. Have to pass on that.

The trace showed:
openat(AT_FDCWD, "/lib64/libgupnp-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libgupnp-av-1.0.so.2", O_RDONLY|O_CLOEXEC) = 26
openat(AT_FDCWD, "/lib64/libgupnp-dlna-2.0.so.3", O_RDONLY|O_CLOEXEC) = 30
openat(AT_FDCWD, "/usr/share/gupnp-dlna-2.0/dlna-profiles", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)

Good enough.
CC: (none) => tarazed25