I reviewed gupnp 1.2.1-1 as checked in to eoan. This isn't a full security audit, but rather a quick gauge of maintainability.
- gupnp is a gobject based library for implementing and consuming UPnP services, and is required by Rygel.
- It's part of the GNOME project.
- It's written in C.
- One CVE in our database from 2009 (a DoS). Doesn't affect current releases, although it doesn't look like it was fixed in Ubuntu before the affected releases went EoL.
- Build-dependencies in main except for libgssdp-doc and libgssdp-1.2-dev (bug 1799977). Also gnome-pkg-tools, meson, valac, gtk-doc-tools, docbook-xml, docbook-xsl - none of these create binary dependencies.
- No maintainer scripts.
- No init scripts / systemd units.
- No dbus services.
- No setuid binaries.
- Only binary is gupnp-binding-tool-1.2 in libgupnp-1.2-dev.
- No sudo fragments.
- No udev rules.
- There are a few tests that seem to run in the build.
- No cron jobs.
- Build logs clean other than some documentation warnings.
- Lintian clean.
- Doesn't spawn any subprocesses.
- Memory management looks ok - there is a g_malloc in strip_camel_case that allocates memory based on a multiplication that isn't overflow safe, but the source of this isn't attacker controlled and I don't think it can overflow anyway.
- The only file IO it seems to do is using glib's GMappedFile API, which is used for providing file contents to libsoup for hosting local files. See below for how paths are looked up.
- Not much logging - a few g_debugs (not enabled by default) and some g_message calls. It doesn't look like anything sensitive is logged.
- Reads a couple of variables from the environment - GUPNP_DEBUG and GUPNP_DEBUG_NETLINK. The first one enables logging to stdout of headers + request/response bodies in libsoup, and enables reporting of warnings and errors in libxml when loading local XML files. The second one enables the dumping of netlink packets to stdout.
- Doesn't call any privileged commands.
- No crypto.
- Doesn't use temporary files.
- GUPnPContext creates an HTTP server using libsoup. There is one GUPnPContext per network interface, created and managed by GUPnPContextManager. The availability of services is advertised via SSDP (using gssdp - GUPnPContext sub-classes GSSDPClient for this).
- The default handler just returns 404.
- It provides a simple API for hosting local paths for read access. The default libsoup handler (host_path_handler) for this supports directory listing and automatic redirection to index.html for paths to directories. This API is used by root device instances to host device and service XML descriptions.
- host_path_handler() uses construct_local_path() to build a local file path, which just appends the request path to the handler's base path. It's relying on a feature of libsoup to not be vulnerable to path traversal attacks, which I've tested and seems to work.
- GUPnPContext provides a mechanism to register handler functions for specific server paths, which is used by service instances to implement action handlers. I believe rygel also uses this for hosting media files.
- It provides a mechanism for applications to implement ACLs by registering an ACL handler, which is called before server handler functions are executed. The ACL handler can make access control decisions based on source IP / source user agent and request path.
- The 2 handlers registered by each service instance can be protected with ACLs.
- The control handler function for each service instance (control_server_handler) parses the HTTP body with xmlRecoverMemory. This doesn't perform replacement of entity references with content by default, which is good. It converts requests to gobject signals which are delivered to application code, or returns a 401 if the request doesn't have a corresponding gobject signal handler.
- A service instance provides a way for clients to subscribe to events (via subscription_server_handler). A subscription is referenced by a SID, which is a uuid created by uuid_generate(). The SID is used in order to unsubscribe and provided in the event notification headers. Subscriptions time out and are automatically removed after 5 minutes, unless the client resubscribes with the same SID.
- The subscribe() handler calls gupnp_context_rewrite_url() on each callback URL, which are provided by the requesting client device. This function extracts the host from the URL, constructs a GInetAddress instance by calling g_inet_address_new_from_string() with this host string and then calls g_inet_address_get_is_link_local() without any null check. Won't g_inet_address_new_from_string() fail if the host isn't a valid IPv4 or IPv6 address though?
- The default GUPnPContextManager implementation uses NETLINK_ROUTE for observing network interface changes to manage GUPnPContext instances. There is a network manager implementation, but it doesn't look like it's built.
- No webkit.
- No policykit.
- No sql.
- Parses XML - doesn't appear to use unsafe options such as XML_PARSE_NOENT.
- No configuration files.
- No fs capabilities.

Security team ACK for promoting gupnp to main, although I'd like someone to take a look at the issue I mentioned with the subscribe() handler.

** Changed in: gupnp (Ubuntu)
       Assignee: Chris Coulson (chrisccoulson) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gupnp in Ubuntu.
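The review's open question about subscribe() is that g_inet_address_new_from_string() returns NULL when the callback URL's host is not an IP literal, and that result is passed straight to g_inet_address_get_is_link_local(). The following is an added example (not gupnp's code, and not a patch for it) of the shape such a check should take: the "no address" outcome is a distinct, handled result rather than a pointer that gets dereferenced. It uses POSIX inet_pton() in place of the GLib call so it builds without GLib; the link-local ranges tested (169.254.0.0/16 and fe80::/10) are the standard ones, the URL parsing helper and the sample callback URLs are constructed for this example.

```c
/* Added example, not gupnp's code: a null-safe version of the callback-URL
 * host check discussed in the review.  POSIX inet_pton() stands in for
 * g_inet_address_new_from_string(); both yield "no address" for a hostname,
 * and the point is that this outcome must be handled before asking whether
 * the address is link-local. */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    HOST_NOT_AN_ADDRESS = -1,   /* hostname or malformed: no address to test */
    HOST_NOT_LINK_LOCAL = 0,
    HOST_LINK_LOCAL     = 1
} host_class_t;

/* Classify an IP literal.  A value that is not an IPv4/IPv6 literal is
 * reported explicitly instead of being treated as an address. */
host_class_t classify_callback_host(const char *host)
{
    struct in_addr v4;
    struct in6_addr v6;

    if (host == NULL || *host == '\0')
        return HOST_NOT_AN_ADDRESS;

    if (inet_pton(AF_INET, host, &v4) == 1) {
        uint32_t a = ntohl(v4.s_addr);              /* 169.254.0.0/16 */
        return ((a >> 16) == 0xA9FEu) ? HOST_LINK_LOCAL : HOST_NOT_LINK_LOCAL;
    }
    if (inet_pton(AF_INET6, host, &v6) == 1) {      /* fe80::/10 */
        bool ll = v6.s6_addr[0] == 0xFE && (v6.s6_addr[1] & 0xC0) == 0x80;
        return ll ? HOST_LINK_LOCAL : HOST_NOT_LINK_LOCAL;
    }
    /* e.g. "media-server.local": the GLib call in the review returns NULL here */
    return HOST_NOT_AN_ADDRESS;
}

/* Pull the host out of "scheme://host[:port]/path", including bracketed IPv6.
 * Constructed for this example; gupnp uses its own URL handling. */
static bool extract_url_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    const char *end;

    if (p == NULL)
        return false;
    p += 3;
    if (*p == '[') {                        /* [fe80::1]:8080 */
        p++;
        end = strchr(p, ']');
        if (end == NULL)
            return false;
    } else {
        end = p + strcspn(p, ":/");
    }
    size_t n = (size_t)(end - p);
    if (n == 0 || n >= outlen)
        return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

host_class_t classify_callback_url(const char *url)
{
    char host[256];
    if (!extract_url_host(url, host, sizeof host))
        return HOST_NOT_AN_ADDRESS;
    return classify_callback_host(host);
}

int main(void)
{
    /* Constructed sample callback URLs of the kind a SUBSCRIBE request carries. */
    const char *samples[] = {
        "http://169.254.10.20:49152/notify",
        "http://[fe80::1]:8080/notify",
        "http://192.168.1.5/notify",
        "http://media-server.local/notify",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %d\n", samples[i], (int)classify_callback_url(samples[i]));
    return 0;
}
```

The three-way result is the design point: a caller that only has a yes/no for "link-local" has nowhere to put the hostname case, which is exactly the case the review says goes unchecked.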
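The review also notes that construct_local_path() simply appends the request path to the handler's base path and relies on libsoup to keep that safe. As an added example (not gupnp's code), here is what an explicit containment check at the join point looks like, so the guarantee does not depend on the HTTP layer alone: the request path is normalised lexically and any ".." that would climb above the base is rejected. The base directory and request paths are constructed, and the request path is assumed to be already percent-decoded, as libsoup hands it over.

```c
/* Added example, not gupnp's code: an explicit containment check for the
 * "base path + request path" join that host_path_handler() delegates to
 * construct_local_path().  The request path is assumed already
 * percent-decoded, as libsoup hands it over. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGMENTS 64

/* Lexically normalise request_path ("." and ".." segments) and append it to
 * base_dir.  Returns false, leaving out unspecified, if a ".." would climb
 * above base_dir or the result does not fit. */
bool build_local_path(const char *base_dir, const char *request_path,
                      char *out, size_t outlen)
{
    char buf[1024];
    const char *segs[MAX_SEGMENTS];
    size_t nsegs = 0;

    if (strlen(request_path) >= sizeof buf)
        return false;
    strcpy(buf, request_path);

    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (nsegs == 0)
                return false;           /* would escape base_dir */
            nsegs--;
            continue;
        }
        if (nsegs == MAX_SEGMENTS)
            return false;
        segs[nsegs++] = tok;
    }

    int n = snprintf(out, outlen, "%s", base_dir);
    if (n < 0 || (size_t)n >= outlen)
        return false;
    for (size_t i = 0; i < nsegs; i++) {
        int m = snprintf(out + n, outlen - (size_t)n, "/%s", segs[i]);
        if (m < 0 || (size_t)m >= outlen - (size_t)n)
            return false;
        n += m;
    }
    return true;
}

/* Helper for checking: true when the join result equals expect, or when
 * expect is NULL and the request path is rejected. */
bool check_local_path(const char *base_dir, const char *request_path,
                      const char *expect)
{
    char out[512];
    bool ok = build_local_path(base_dir, request_path, out, sizeof out);
    if (expect == NULL)
        return !ok;
    return ok && strcmp(out, expect) == 0;
}

int main(void)
{
    /* Constructed requests against a hosted directory (base path is made up). */
    const char *base = "/srv/upnp";
    const char *reqs[] = { "/device.xml", "/a/b/../c", "/./", "/../outside.txt" };
    char out[512];

    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        if (build_local_path(base, reqs[i], out, sizeof out))
            printf("%-16s -> %s\n", reqs[i], out);
        else
            printf("%-16s -> rejected\n", reqs[i]);
    }
    return 0;
}
```

A lexical check like this does not follow symlinks inside the hosted directory; if the hosted tree can contain links pointing outside it, the resulting path still needs a realpath()-style check against the base before the file is mapped and served.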
https://bugs.launchpad.net/bugs/1799974

Title:
  [MIR] gupnp

Status in gupnp package in Ubuntu:
  New

Bug description:
  * Availability
  Builds on all supported architectures in Ubuntu and on sync from Debian, the package was in main in the past and needs to be re-promoted

  * Rationale
  We would like to enable dlna sharing of media files, which is a GNOME upstream feature and relying on rygel which depends on the gupnp libraries

  * Security
  There is an old CVE recorded/fixed https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2174

  * Quality assurance
  - the desktop-packages team is subscribed to the package
  - the bug lists in upstream, the Debian PTS and launchpad are empty
  - upstream has a testsuite which is used during build

  * Dependencies
  The package uses standard desktop libraries that are already in main

  * Standards compliance
  the package is using standard packaging (dh10), the standards-version is 4.2, the package is in sync from Debian

  * Maintenance
  Upstream is active and the desktop team is going to look after the package in ubuntu