Ubuntu has issued an advisory on June 1: https://ubuntu.com/security/notices/USN-4970-1 The issue is fixed upstream in 1.2.5. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOOStatus comment: (none) => Fixed upstream in 1.2.5
We already have 1.2.5, 1.2.6 & 1.2.7 in Cauldron. Assigning this to Olave who committed all these (and more).
Assignee: bugsquad => olav
RedHat has issued an advisory for this on June 9: https://access.redhat.com/errata/RHSA-2021:2363
Severity: major => criticalCC: (none) => olavAssignee: olav => pkg-bugs
Suggested advisory: ======================== The updated packages fix a security vulnerability: An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc. (CVE-2021-33516) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33516 https://ubuntu.com/security/notices/USN-4970-1 https://access.redhat.com/errata/RHSA-2021:2363 ======================== Updated packages in 7/core/updates_testing: ======================== lib(64)gupnp1.2_0-1.2.3-1.1.mga7 lib(64)gupnp-devel-1.2.3-1.1.mga7 lib(64)gupnp-gir1.2-1.2.3-1.1.mga7 from SRPM: gupnp-1.2.3-1.1.mga7.src.rpm Updated packages in 8/core/updates_testing: ======================== lib(64)gupnp1.2_0-1.2.4-1.1.mga8 lib(64)gupnp-devel-1.2.4-1.1.mga8 lib(64)gupnp-gir1.2-1.2.4-1.1.mga8 from SRPM: gupnp-1.2.4-1.1.mga8.src.rpm
Status: NEW => ASSIGNEDCC: (none) => nicolas.salgueroAssignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.2.5 => (none)CVE: (none) => CVE-2021-33516
MGA7-64 Plasma on Lenovo B50 No installation issues At CLI: $ gssdp-device-sniffer -i wlp9s0 opens a window which remains empty, no packets seen, no device info.....
CC: (none) => herman.viaene
That was trying to reproduce the test in bug 26918
MGA8-64 Plasma on Lenovo B50 No installation issues Same result as in Comment 4.
This is a library, so the best way to test it is through a package that uses it: caja-sendto-upnp dleyna-server gupnp-tools rygel
Took the advice and installed gupnp-tools and tried a few commands $ gssdp-discover Using network interface wlp9s0 Scanning for all resources Showing "available" messages ...and then nothing.... I don't knw what to expect. Aborting and another one $ gupnp-network-light ** (gupnp-network-light:22313): CRITICAL **: 10:40:13.249: Failed to find UDN elementin device description Attaching to IP/Host 127.0.0.1 on port 39169 Attaching to IP/Host 192.168.2.5 on port 33543 That showed me the image of a light bulb, which I could switch on and off. Quitting gave feedback on the CLI: Detaching from IP/Host 127.0.0.1 and port 39169 Detaching from IP/Host 192.168. stracing shows call on libgupnp-1.2.so.0 So seems OK to me.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Repeated Herman's tests on Mageia 8, before and after the update, same results. $ gssdp-discover Using network interface enp3s0 Scanning for all resources Showing "available" messages resource available USN: uuid:<snip> Location: http://<snip> it found lots of things. $ gupnp-network-light ** (gupnp-network-light:1603957): CRITICAL **: 17:09:51.921: Failed to find UDN elementin device description Attaching to IP/Host 127.0.0.1 on port 46251 Attaching to IP/Host 192.168.*.* on port 45929 Detaching from IP/Host 127.0.0.1 and port 46251 Detaching from IP/Host 192.168.*.* and port 45929 which gave the light bulb program.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating.
Keywords: (none) => advisory, validated_updateCC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0321.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED