hzeller / gmrender-resurrect

Resource efficient UPnP/DLNA renderer, optimal for Raspberry Pi, CuBox or a general MediaServer. Fork of GMediaRenderer to add some features to make it usable.
GNU General Public License v2.0

Drop UpnpInit #214

Closed ffontaine closed 3 years ago

ffontaine commented 4 years ago

UpnpInit has been dropped from libupnp 1.14.x as it can't be fixed against CallStranger, a.k.a. CVE-2020-12695, so replace it with UpnpInit2, which is available since version 1.6.7 and pupnp/pupnp@2bcbdff.

Signed-off-by: Fabrice Fontaine fontaine.fabrice@gmail.com

mill1000 commented 4 years ago

How far back is UpnpInit2 available? I think there are a number of users who still build against libupnp 1.6.

ffontaine commented 4 years ago

UpnpInit2 is available since version 1.6.7 and https://github.com/pupnp/pupnp/commit/2bcbdffd89a70364147d345ec5e70a3fce5cbc29, but more importantly, without this change (and the use of pupnp version 1.14.x) users are not protected against CallStranger, which has a High CVE score: https://nvd.nist.gov/vuln/detail/CVE-2020-12695.

whyman commented 3 years ago

Can we get this merged? Most distros are dropping libupnp <0.14.0