[Buildroot] [PATCH 1/3] package/libupnp18: security bump to version 1.14.0

Fabrice Fontaine fontaine.fabrice at gmail.com
Mon Aug 31 20:20:40 UTC 2020


On Mon, 31 Aug 2020 at 22:14, Peter Korsgaard <peter at korsgaard.com> wrote:
>
> >>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
>
>  > On Sun, 30 Aug 2020 at 20:34, Arnout Vandecappelle <arnout at mind.be> wrote:
>  >>
>  >>
>  >>
>  >> On 21/08/2020 22:41, Fabrice Fontaine wrote:
>  >> > Fix CallStranger a.k.a. CVE-2020-12695 as well as CVE-2020-13848
>  >>
>  >> Again, although this bump indeed fixes those issues, it's a feature version
>  >> bump so I'm not sure if it can be called "security bump".
>  >>
>  >> In addition, the libupnp18 package exists because of API incompatibility with
>  >> 1.6. Are we sure that this problem doesn't repeat itself for 1.14?
>  > There is indeed an API incompatibility between 1.8 and 1.14 related to
>  > CallStranger a.k.a. CVE-2020-12695: starting from 1.14, UpnpInit
>  > function has been removed as this function can't be fixed against
>  > CallStranger because this function takes an IP address and not an
>  > interface name.
>  > However, UpnpInit2 has been available for more than 10 years and is used by
>  > most of the applications (i.e. mpd and vlc) with the exception of
>  > gmrender-resurrect (which is patched in this series).
>  > As soon as libupnp 1.14 is available, I'm planning to update the
>  > applications that are still using the legacy libupnp 1.6.x version
>  > (i.e. igd2-for-linux and ushare) and drop this insecure version.
>  > I would like to avoid adding a third version of libupnp (i.e. a
>  > libupnp114 package) as from a security perspective, all packages
>  > should use this version.
>
> So we would end up with package/libupnp = 1.14.0? Sounds sensible.
Yes, ideally we should have package/libupnp = 1.14.0. Would it be
acceptable/reasonable to bump libupnp from 1.6.x to 1.14.x and remove
libupnp18?
If this is acceptable, I'll send a v2 of this series (with the drop of
libupnp18 and the update of ushare/igd2-for-linux).
>
>  > Still, I agree that this is not only a "security bump" so I would
>  > advise to apply this series to next and backport it to our LTS branches
>  > in a few months.
>
> Ok. I was still hesitating if I should apply this for 2020.08, but I
> think you are right - Let's get 2020.08 out the door, merge next and let
> this stabilize a bit before backporting to 2020.08.x / 2020.02.x.
>
> --
> Bye, Peter Korsgaard
Best Regards,

Fabrice
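As an added example that is not part of this thread (and not Buildroot or libupnp code): a POSIX shell check a package maintainer could run over a package's source tree, whose path is an assumption here, to find callers of the removed UpnpInit() before switching the package to 1.14. It reports nothing for code already on UpnpInit2(), and the sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from this thread): find callers of the legacy UpnpInit()
# in a source tree. libupnp 1.14 removed UpnpInit() because it takes an IP
# address rather than an interface name and so could not be fixed against
# CallStranger (CVE-2020-12695); UpnpInit2(ifname, port) is the replacement.

# Print file:line:text for every UpnpInit( call under the directory "$1".
# Only "UpnpInit" followed by optional blanks and "(" is matched, so
# UpnpInit2( and identifiers such as my_UpnpInit_wrapper( are not reported.
find_legacy_upnpinit() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) -exec \
        grep -nE 'UpnpInit[[:space:]]*\(' /dev/null {} + 2>/dev/null || true
}

# Number of legacy calls found (0 means the tree needs no change for this
# particular 1.14 API removal).
count_legacy_upnpinit() {
    find_legacy_upnpinit "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one file still on UpnpInit(), one already on
# UpnpInit2(). Prints the temporary directory path.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/legacy.c" <<'EOF'
#include <upnp/upnp.h>
int start(const char *ip, unsigned short port) { return UpnpInit(ip, port); }
EOF
    cat > "$dir/modern.c" <<'EOF'
#include <upnp/upnp.h>
int start(const char *ifname, unsigned short port) { return UpnpInit2(ifname, port); }
int my_UpnpInit_wrapper(void) { return start("eth0", 0); }
EOF
    printf '%s\n' "$dir"
}

# When run directly with a path argument: scan that tree and summarise.
if [ "$#" -eq 1 ]; then
    find_legacy_upnpinit "$1"
    echo "legacy UpnpInit() calls: $(count_legacy_upnpinit "$1")"
fi
```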
