Re: Security fix releases GUPnP 1.0.7 and GUPnP 1.2.5

From: Jens Georg <mail jensge org>
To: gnome-announce-list <gnome-announce-list gnome org>
Cc: distributor-list <distributor-list gnome org>
Subject: Re: Security fix releases GUPnP 1.0.7 and GUPnP 1.2.5
Date: Mon, 24 May 2021 16:26:51 +0200

Sorry,

I accidentally made GUPnP depend on GSSDP 1.2.4 which is not released
yet. This is not necessary, I will publish a 1.0.8 which lowers the
requirement again.

Hello everyone,

GUPnP 1.0.7 and GUPnP 1.2.5 fix a potential DNS rebind issue.

An impact of this would be that for example a user could be tricked
into opening a malicious web page that could scan the local network
for
UPnP media servers and download the user's shared files, or, if
enabled, even delete them.

Upgrade to 1.2.5 (or where that is not possible, 1.0.7) is strongly
recommended.

GUPnP 1.2.5 is also a maintainence release containing a number of
fixes, noted below:

GUPnP 1.2.5
===========
- Fix introspection annotation for send_action_list
- Fix potential fd leak in linux CM
- Fix potential NULL pointer dereference when evaluating
  unset ServiceProxyActions
- Fix leaking the message string if an action is never
  sent
- Fix leaking the ServiceProxyAction if sending fails
  in call_action
- Fix introspection annotation for send_action and
  call_action_finish to prevent a double-free
- Make ServiceIntrospection usable from
  gobject-introspection
- Add Python examle
- Add C example
- Fix JavaScript example
- Fix potential use-after-free if service proxy is
  destroxed before libsoup request finishes in control
  point
- Fix potential data leak due to being vulnerable to DNS
  rebind attacs

Bugs fixed in this release:
 - https://gitlab.gnome.org/GNOME/gupnp/issues/47
 - https://gitlab.gnome.org/GNOME/gupnp/issues/46
 - https://gitlab.gnome.org/GNOME/gupnp/issues/23
 - https://gitlab.gnome.org/GNOME/gupnp/issues/24

All contributors to this release:
 - Jens Georg <mail jensge org>
 - Doug Nazar <nazard nazar ca>
 - Andre Klapper <a9016009 gmx de>


_______________________________________________
gnome-announce-list mailing list
gnome-announce-list gnome org
https://mail.gnome.org/mailman/listinfo/gnome-announce-list

References:
- Security fix releases GUPnP 1.0.7 and GUPnP 1.2.5
  - From: Jens Georg

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]