SB2026061834 - Multiple vulnerabilities in PUPnP

Description

This security bulletin contains information about 4 vulnerabilities.

1) Integer overflow (CVE-ID: N/A)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer truncation in HTTP Content-Length parsing in raw_to_int() in httpparser.c when handling crafted Content-Length headers. A remote attacker can send a specially crafted HTTP request to cause a denial of service.

Only 64-bit platforms where sizeof(long) is greater than sizeof(int) are affected.

2) Inconsistent interpretation of HTTP requests (CVE-ID: N/A)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to smuggle HTTP requests.

The vulnerability exists due to integer truncation in HTTP Content-Length parsing in raw_to_int() in httpparser.c when handling crafted Content-Length headers. A remote attacker can send a specially crafted HTTP request to smuggle HTTP requests.

Only 64-bit platforms where sizeof(long) is greater than sizeof(int) are affected.

3) NULL pointer dereference (CVE-ID: N/A)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to null pointer dereference in ixmlNode_compare when comparing DOM nodes with NULL fields. A remote attacker can trigger comparison of crafted attribute objects to cause a denial of service.

The issue is reachable through removeAttributeNode during processing of attacker-controlled XML.

4) Resource exhaustion (CVE-ID: N/A)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in the libupnp HTTP entity parser when processing chunked HTTP request or response bodies. A remote attacker can send a specially crafted chunked HTTP message to cause a denial of service.

The issue occurs because decoded chunked entity data can grow beyond the configured maximum entity size limit enforced for numeric Content-Length values.

Remediation

Install update from vendor's website.

References

• https://github.com/pupnp/pupnp/security/advisories/GHSA-g6c2-x4r9-352g
• https://github.com/pupnp/pupnp/security/advisories/GHSA-q54q-vx78-v9rq
• https://github.com/pupnp/pupnp/security/advisories/GHSA-gcj7-j9f7-q84c