From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] minidlna: Addition of patches to fix CVE-2022-26505
Date: Sun, 01 May 2022 08:44:39 +0000
Message-ID: <05e00a8a-5e41-83c4-db3d-d37696bc7ee2@ipfire.org>
In-Reply-To: <20220430173458.3520498-1-adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> - CVE-2022-26505 A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
> allows a remote web server to exfiltrate media files. CVE created on 6th March 2022
> - minidlna have created the patches to fix CVE-2022-26505 and have created a git tag for
> version 1.3.1 but have not provided any 1.3.1 source tarballs. A ticket was raised on
> 14th March 2022 in the SourceForge support system asking to "Please publish a tarball
> for 1.3.1" but there has been no reply from the developer so far.
> - The NIST National Vulnerability Database refers to a fix implemented in 1.3.1, but
> the link to the SourceForge page is only the patches applied for the fix
> - I used those diff descriptions to create a patch to implement on the existing 1.3.0
> version in IPFire and this patch submission applies that fix
> - Incremented the lfs PAK_VER
>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> lfs/minidlna | 3 +-
> ...x-DNS-rebinding-issue-CVE-2022-26505.patch | 44 +++++++++++++++++++
> 2 files changed, 46 insertions(+), 1 deletion(-)
> create mode 100644 src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
>
> diff --git a/lfs/minidlna b/lfs/minidlna
> index 17cf76339..0fa7aec96 100644
> --- a/lfs/minidlna
> +++ b/lfs/minidlna
> @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
> DIR_APP = $(DIR_SRC)/$(THISAPP)
> TARGET = $(DIR_INFO)/$(THISAPP)
> PROG = minidlna
> -PAK_VER = 8
> +PAK_VER = 9
>
> DEPS = ffmpeg flac libexif libid3tag libogg
>
> @@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @$(PREBUILD)
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
> $(UPDATE_AUTOMAKE)
> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
> cd $(DIR_APP) && ./configure --prefix=/usr
> cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
> cd $(DIR_APP) && make install
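Review bot: the `-Np1` strip level in the new `patch` line matches the `minidlna-1.3.0/` prefix on the `---`/`+++` headers of the added patch file, and placing it after `$(UPDATE_AUTOMAKE)` is fine because the patch only touches `upnphttp.c` and `upnphttp.h`, not the build system. It follows the existing `cd $(DIR_APP) && ...` pattern of the surrounding lines, so no style concerns here.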
> diff --git a/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
> new file mode 100644
> index 000000000..c28425811
> --- /dev/null
> +++ b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
> @@ -0,0 +1,44 @@
> +--- minidlna-1.3.0/upnphttp.c.orig 2020-11-24 19:53:50.000000000 +0100
> ++++ minidlna-1.3.0/upnphttp.c 2022-04-30 12:59:23.432073807 +0200
> +@@ -273,6 +273,11 @@
> + p = colon + 1;
> + while(isspace(*p))
> + p++;
> ++ n = 0;
> ++ while(p[n] >= ' ')
> ++ n++;
> ++ h->req_Host = p;
> ++ h->req_HostLen = n;
> + for(n = 0; n < n_lan_addr; n++)
> + {
> + for(i = 0; lan_addr[n].str[i]; i++)
> +@@ -909,6 +914,18 @@
> + }
> +
> + DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
> ++ if(h->req_Host && h->req_HostLen > 0) {
> ++ const char *ptr = h->req_Host;
> ++ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
> ++ for(i = 0; i < h->req_HostLen; i++) {
> ++ if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
> ++ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
> ++ Send404(h);/* 403 */
> ++ return;
> ++ }
> ++ ptr++;
> ++ }
> ++ }
> + if(strcmp("POST", HttpCommand) == 0)
> + {
> + h->req_command = EPost;
> +--- minidlna-1.3.0/upnphttp.h.orig 2020-11-24 19:53:50.000000000 +0100
> ++++ minidlna-1.3.0/upnphttp.h 2022-04-30 13:00:22.619152312 +0200
> +@@ -89,6 +89,8 @@
> + struct client_cache_s * req_client;
> + const char * req_soapAction;
> + int req_soapActionLen;
> ++ const char * req_Host; /* Host: header */
> ++ int req_HostLen;
> + const char * req_Callback; /* For SUBSCRIBE */
> + int req_CallbackLen;
> + const char * req_NT;
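Review bot: the Host check added in the second `upnphttp.c` hunk admits only digits, `.` and `:`, so besides rejecting the rebinding case it will also answer 404 to any request whose Host header carries a hostname or a bracketed IPv6 literal (hex letters and `[`/`]` fail the test); that is upstream's 1.3.1 behaviour, but it is worth stating in the commit message so that reports of hostname-based access to the status page no longer working are expected rather than treated as a regression. The `Send404(h);/* 403 */` line documents that a 404 is sent where a 403 would be the semantically correct status; fine to keep as upstream did. Separately, the new file `src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch` has no header naming its origin (the 1.3.1 changes on SourceForge referenced in the commit message); a one-line comment with that URL at the top of the patch would make the next rebase easier.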