bug#47140: libupnp package vulnerable to CVE-2021-28302

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47140: libupnp package vulnerable to CVE-2021-28302

From:	Mark H Weaver
Subject:	bug#47140: libupnp package vulnerable to CVE-2021-28302
Date:	Sun, 14 Mar 2021 17:29:06 -0400

I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

       Mark

-------------------- Start of forwarded message --------------------
Subject: libupnp package vulnerable to CVE-2021-28302
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Sat, 13 Mar 2021 02:12:45 +0100

CVE-2021-28302  12.03.21 16:15
A stack overflow in pupnp 1.16.1 can cause the denial of service
through the Parser_parseDocument() function. ixmlNode_free() will
release a child node recursively, which will consume stack space and
lead to a crash.

Upstream did not provide a patch yet, see <
https://github.com/pupnp/pupnp/issues/249>.

I suggest we wait for the patch to be made and then update, to be
monitored.

signature.asc
Description: This is a digitally signed message part

-------------------- End of forwarded message --------------------

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47140: libupnp package vulnerable to CVE-2021-28302, Mark H Weaver <=

Prev by Date: bug#47115: Failure building grub-img.png when reconfiguring
Next by Date: bug#47141: Zabbix packages vulnerable to CVE-2021-27927
Previous by thread: bug#47131: pioneers: beep dependency
Next by thread: bug#47141: Zabbix packages vulnerable to CVE-2021-27927
Index(es):
- Date
- Thread