[Buildroot] [PATCH 1/3] package/libupnp18: security bump to version 1.14.0

Fabrice Fontaine fontaine.fabrice at gmail.com
Sun Aug 30 18:50:47 UTC 2020


On Sun, 30 Aug 2020 at 20:34, Arnout Vandecappelle <arnout at mind.be> wrote:
>
>
>
> On 21/08/2020 22:41, Fabrice Fontaine wrote:
> > Fix CallStranger a.k.a. CVE-2020-12695 as well as CVE-2020-13848
>
>  Again, although this bump indeed fixes those issues, it's a feature version
> bump so I'm not sure if it can be called "security bump".
>
>  In addition, the libupnp18 package exists because of API incompatibility with
> 1.6. Are we sure that this problem doesn't repeat itself for 1.14?
There is indeed an API incompatibility between 1.8 and 1.14 related to
CallStranger a.k.a. CVE-2020-12695: starting from 1.14, the UpnpInit
function has been removed, as this function can't be fixed against
CallStranger because it takes an IP address and not an
interface name.
However, UpnpInit2 has been available for more than 10 years and is used by
most of the applications (i.e. mpd and vlc), with the exception of
gmrender-resurrect (which is patched in this series).
As soon as libupnp 1.14 is available, I'm planning to update the
applications that are still using the legacy libupnp 1.6.x version
(i.e. igd2-for-linux and ushare) and drop this insecure version.
I would like to avoid adding a third version of libupnp (i.e. a
libupnp114 package) as, from a security perspective, all packages
should use this version.
Still, I agree that this is not only a "security bump", so I would
advise applying this series to next and backporting it to our LTS branches
in a few months.
>
>  Regards,
>  Arnout
>
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> > ---
> >  package/libupnp18/libupnp18.hash | 6 +++---
> >  package/libupnp18/libupnp18.mk   | 2 +-
> >  2 files changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/package/libupnp18/libupnp18.hash b/package/libupnp18/libupnp18.hash
> > index ba9ce1bcdf..cd693ef0eb 100644
> > --- a/package/libupnp18/libupnp18.hash
> > +++ b/package/libupnp18/libupnp18.hash
> > @@ -1,5 +1,5 @@
> > -# From https://sourceforge.net/projects/pupnp/files/pupnp/libupnp-1.8.7/libupnp-1.8.7.tar.bz2.sha1
> > -sha1  2ea3011180c58b0584f0cb73cc8e685a0a1c4ec8  libupnp-1.8.7.tar.bz2
> > +# From https://sourceforge.net/projects/pupnp/files/pupnp/libupnp-1.14.0/libupnp-1.14.0.tar.bz2.sha1
> > +sha1  b14cff9ddd7cfe7f0e4bf552387122a31770f51f  libupnp-1.14.0.tar.bz2
> >  # Locally computed:
> > -sha256  e38c69b2b67322e67cd53680db9b02c7c1f720a47a3cd626fd89d57d2dca93b8  libupnp-1.8.7.tar.bz2
> > +sha256  ecb23d4291968c8a7bdd4eb16fc2250dbacc16b354345a13342d67f571d35ceb  libupnp-1.14.0.tar.bz2
> >  sha256  c8b99423cad48bb44e2cf52a496361404290865eac259a82da6d1e4331ececb3  COPYING
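Review bot: only the sha256 line is marked "Locally computed" while the sha1 is copied from the upstream-published .sha1 file on the same download host, so the sha256 is the one digest that is independent of that host; the commit message should state that the locally computed sha256 was taken from a tarball whose sha1 matched the published value, and the unchanged COPYING hash should be re-verified against the 1.14.0 tarball rather than carried over, since the license file may differ between 1.8.7 and 1.14.0.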
> > diff --git a/package/libupnp18/libupnp18.mk b/package/libupnp18/libupnp18.mk
> > index f17a1a720d..fb6c548c47 100644
> > --- a/package/libupnp18/libupnp18.mk
> > +++ b/package/libupnp18/libupnp18.mk
> > @@ -4,7 +4,7 @@
> >  #
> >  ################################################################################
> >
> > -LIBUPNP18_VERSION = 1.8.7
> > +LIBUPNP18_VERSION = 1.14.0
> >  LIBUPNP18_SOURCE = libupnp-$(LIBUPNP18_VERSION).tar.bz2
> >  LIBUPNP18_SITE = http://downloads.sourceforge.net/project/pupnp/pupnp/libupnp-$(LIBUPNP18_VERSION)
> >  LIBUPNP18_CONF_ENV = ac_cv_lib_compat_ftime=no
> >
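Review bot: LIBUPNP18_VERSION now holds 1.14.0 while the package directory, the LIBUPNP18_ variable prefix and the .hash comment keep the libupnp18 name, and the reply above states that 1.14 removes the UpnpInit function, which is an API break for any reverse dependency still calling it; the commit message should record that removal, say why the libupnp18 package is reused for 1.14.0 instead of being renamed, and list the reverse dependencies that were checked (gmrender-resurrect is patched later in this series, per the reply).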
Best Regards,

Fabrice

