CVE-2020-12695

Name	CVE-2020-12695
Description	The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2315-1, DLA-2318-1, DLA-2489-1, DSA-4806-1, DSA-4898-1, ELA-240-1, ELA-258-1
Debian Bugs	976106, 976594, 983206

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
gupnp (PTS)	jessie, jessie (lts)	0.20.12-1+deb8u1	fixed
	stretch (security), stretch (lts), stretch	1.0.1-1+deb9u1	fixed
	buster	1.0.5-0+deb10u1	fixed
	bullseye	1.2.4-1	fixed
	bookworm	1.6.3-1	fixed
	trixie, sid	1.6.6-1	fixed
libupnp (PTS)	jessie, jessie (lts)	1:1.6.19+git20141001-1+deb8u2	vulnerable
	stretch (security), stretch (lts), stretch	1:1.6.19+git20160116-1.2+deb9u1	vulnerable
minidlna (PTS)	jessie, jessie (lts)	1.1.2+dfsg-1.1+deb8u1	vulnerable
	stretch (security), stretch (lts), stretch	1.1.6+dfsg-1+deb9u2	fixed
	buster	1.2.1+dfsg-2+deb10u3	fixed
	buster (security)	1.2.1+dfsg-2+deb10u4	fixed
	bullseye (security), bullseye	1.3.0+dfsg-2+deb11u2	fixed
	bookworm (security), bookworm	1.3.0+dfsg-2.2+deb12u1	fixed
	trixie, sid	1.3.3+dfsg-1	fixed
pupnp (PTS)	trixie	1:1.14.18-1	fixed
	sid	1:1.14.18-1.1	fixed
pupnp-1.8 (PTS)	buster, bullseye, bookworm	1:1.8.4-2	vulnerable
wpa (PTS)	jessie, jessie (lts)	2.3-1+deb8u14	fixed
	stretch (security)	2:2.4-1+deb9u9	fixed
	stretch (lts), stretch	2:2.4-1+deb9u10	fixed
	buster	2:2.7+git20190128+0c1e29f-6+deb10u3	fixed
	buster (security)	2:2.7+git20190128+0c1e29f-6+deb10u4	fixed
	bullseye	2:2.9.0-21	fixed
	bookworm	2:2.10-12	fixed
	trixie, sid	2:2.10-21	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
gupnp	source	wheezy	(unfixed)	end-of-life
gupnp	source	jessie	0.20.12-1+deb8u1		ELA-258-1
gupnp	source	stretch	1.0.1-1+deb9u1		DLA-2315-1
gupnp	source	buster	1.0.5-0+deb10u1
gupnp	source	(unstable)	1.2.3-1
libupnp	source	jessie	(unfixed)	end-of-life
libupnp	source	(unstable)	(unfixed)
minidlna	source	jessie	(unfixed)	end-of-life
minidlna	source	stretch	1.1.6+dfsg-1+deb9u1		DLA-2489-1
minidlna	source	buster	1.2.1+dfsg-2+deb10u1		DSA-4806-1
minidlna	source	(unstable)	1.2.1+dfsg-3			976594
pupnp	source	(unstable)	(not affected)
pupnp-1.8	source	(unstable)	(unfixed)			983206
wpa	source	wheezy	(unfixed)	end-of-life
wpa	source	jessie	2.3-1+deb8u11		ELA-240-1
wpa	source	stretch	2:2.4-1+deb9u7		DLA-2318-1
wpa	source	buster	2:2.7+git20190128+0c1e29f-6+deb10u3		DSA-4898-1
wpa	source	(unstable)	2:2.9.0-16			976106

Notes

- pupnp <not-affected> (Fixed before initial upload to Debian after source package rename)
[bookworm] - pupnp-1.8 <no-dsa> (Minor issue)
[bullseye] - pupnp-1.8 <no-dsa> (Minor issue)
[buster] - pupnp-1.8 <no-dsa> (Minor issue)
[stretch] - libupnp <no-dsa> (Invasive change, hard to backport; chances of regression)
https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt
https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
https://sourceforge.net/p/minidlna/git/ci/06ee114731612462eb1eb1266f0431ccf59269d2 (v1_3_0)
https://github.com/pupnp/pupnp/commit/5f76bf2858dd601bd985bf37a1db9f262c0ff7bf (release-1.14.0)
https://github.com/pupnp/pupnp/commit/7b3f0f5f497f9f493c82307af495b87fa9ebdacb (release-1.14.0)