ArchLinux: 202105-26: gupnp: information disclosure
Summary
An issue was discovered in GUPnP before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tampering, etc.
Resolution
Upgrade to 1.2.6-1.
# pacman -Syu "gupnp>=1.2.6-1"
The problem has been fixed upstream in version 1.2.6.
References
https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536 https://gitlab.gnome.org/GNOME/gupnp/-/issues/24 https://gitlab.gnome.org/GNOME/gupnp/-/merge_requests/13 https://gitlab.gnome.org/GNOME/gupnp/-/commit/ca6ec9dcb26fd7a2a630eb6a68118659b589afac https://security.archlinux.org/CVE-2021-33516
Workaround
None.