Fixes the following vulnerability:
- CVE-2025-50681:
igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a
denial of service (application crash) via a crafted IGMPv3 membership
report packet with a malicious source address. Due to insufficient
validation in the `recv_igmp()` function in src/igmpproxy.c, an
invalid group record type can trigger a NULL pointer dereference when
logging the address using `inet_fmtsrc()`. This vulnerability can be
exploited by sending malformed multicast traffic to a host running
igmpproxy, leading to a crash. igmpproxy is used in various embedded
networking environments and consumer-grade IoT devices (such as home
routers and media gateways) to handle multicast traffic for IPTV and
other streaming services. Affected devices that rely on unpatched
versions of igmpproxy may be vulnerable to remote denial-of-service
attacks across a LAN .
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-50681
- https://github.com/younix/igmpproxy/commit/2b30c36e6ab5b21defb76ec6458ab7687984484c
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Thomas Perale
3c305f32ba