From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] minidlna: Addition of patches to fix CVE-2022-26505
Date: Sun, 01 May 2022 08:44:39 +0000
Message-ID: <05e00a8a-5e41-83c4-db3d-d37696bc7ee2@ipfire.org>
In-Reply-To: <20220430173458.3520498-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7438650821836023147=="
List-Id:

--===============7438650821836023147==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Peter Müller

> - CVE-2022-26505 A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
>   allows a remote web server to exfiltrate media files. CVE created on 6th March 2022
> - minidlna have created the patches to fix CVE-2022-26505 and have created a git tag for
>   version 1.3.1 but have not provided any 1.3.1 source tarballs. A ticket was raised on
>   14th March 2022 in the source forge support system asking to "Please publish a tarball
>   for 1.3.1" but there was no reply from the developer so far.
> - In the NIST National Vulnerability Database it refers to a fix implemented in 1.3.1 but
>   the link to the sourceforge page is only the patches applied for the fix
> - I used those diff descriptions to create a patch to implement on the existing 1.3.0
>   version in IPFire and this patch submission applies that fix
> - Incremented the lfs PAK_VER
>
> Signed-off-by: Adolf Belka
> ---
>  lfs/minidlna | 3 +-
>  ...x-DNS-rebinding-issue-CVE-2022-26505.patch | 44 +++++++++++++++++++
>  2 files changed, 46 insertions(+), 1 deletion(-)
>  create mode 100644 src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
>
> diff --git a/lfs/minidlna b/lfs/minidlna
> index 17cf76339..0fa7aec96 100644
> --- a/lfs/minidlna
> +++ b/lfs/minidlna
> @@ -34,7 +34,7 @@ DL_FROM =3D $(URL_IPFIRE) > DIR_APP =3D $(DIR_SRC)/$(THISAPP) > TARGET =3D $(DIR_INFO)/$(THISAPP) > PROG =3D minidlna > -PAK_VER =3D 8 > +PAK_VER =3D 9 > =20 > DEPS =3D ffmpeg flac libexif libid3tag libogg > =20 > @@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) > $(UPDATE_AUTOMAKE) > + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/minidlna-1.3.0-fix-= DNS-rebinding-issue-CVE-2022-26505.patch > cd $(DIR_APP) && ./configure --prefix=3D/usr > cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) > cd $(DIR_APP) && make install > diff --git a/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26= 505.patch b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505= .patch > new file mode 100644 > index 000000000..c28425811 > --- /dev/null > +++ b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.pat= ch 
> @@ -0,0 +1,44 @@ > +--- minidlna-1.3.0/upnphttp.c.orig 2020-11-24 19:53:50.000000000 +0100 > ++++ minidlna-1.3.0/upnphttp.c 2022-04-30 12:59:23.432073807 +0200 > +@@ -273,6 +273,11 @@ > + p =3D colon + 1; > + while(isspace(*p)) > + p++; > ++ n =3D 0; > ++ while(p[n] >=3D ' ') > ++ n++; > ++ h->req_Host =3D p; > ++ h->req_HostLen =3D n; =09 > + for(n =3D 0; n < n_lan_addr; n++) > + { > + for(i =3D 0; lan_addr[n].str[i]; i++) > +@@ -909,6 +914,18 @@ > + } > +=20 > + DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_b= uf); > ++ if(h->req_Host && h->req_HostLen > 0) { > ++ const char *ptr =3D h->req_Host; > ++ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host= ); > ++ for(i =3D 0; i < h->req_HostLen; i++) { > ++ if(*ptr !=3D ':' && *ptr !=3D '.' && (*ptr > '9' || *ptr < '0')) { > ++ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)= ", h->req_HostLen, h->req_Host); > ++ Send404(h);/* 403 */ > ++ return; > ++ } > ++ ptr++; > ++ } > ++ }=09 > + if(strcmp("POST", HttpCommand) =3D=3D 0) > + { > + h->req_command =3D EPost; > +--- minidlna-1.3.0/upnphttp.h.orig 2020-11-24 19:53:50.000000000 +0100 > ++++ minidlna-1.3.0/upnphttp.h 2022-04-30 13:00:22.619152312 +0200 > +@@ -89,6 +89,8 @@ > + struct client_cache_s * req_client; > + const char * req_soapAction; > + int req_soapActionLen; > ++ const char * req_Host; /* Host: header */ > ++ int req_HostLen; > + const char * req_Callback; /* For SUBSCRIBE */ > + int req_CallbackLen; > + const char * req_NT; --===============7438650821836023147==--
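Review bot: In the upnphttp.c hunk at @@ -273, the length scan `while(p[n] >= ' ') n++;` has no upper bound and counts trailing spaces as part of the Host value. It stops only at the first byte below 0x20, so it relies on the header line always being terminated inside the request buffer, and a Host value followed by a space will later be rejected by the character check added at @@ -909, because a space is not in that check's allowed set. Consider bounding the scan by the remaining request length and trimming trailing whitespace before storing `req_HostLen`. The added line `h->req_HostLen = n;` also ends in a stray tab.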
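Review bot: In the upnphttp.c hunk at @@ -909, the test `*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')` accepts only digits, dots and colons, so a bracketed IPv6 literal, an IPv6 address containing hex letters, and any request that addresses the server by a local host name are all answered as a suspected rebinding attempt. If that restriction is intended, the commit message should say so; otherwise compare the Host value against the server's own addresses (the `lan_addr` entries used in the @@ -273 context) instead of filtering by character class. Two smaller points in the same hunk: the E_ERROR `DPRINTF` format string has no trailing "\n", unlike the two other `DPRINTF` calls shown, and `Send404(h);/* 403 */` sends a different status from the one its comment names. The closing `}` of the new block also ends in a stray tab.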
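Review bot: In the upnphttp.h hunk, the comment on `req_Host` should state that the pointer refers into the request being parsed and is not NUL-terminated, so it is only meaningful together with `req_HostLen`. The upnphttp.c hunks assign it with `h->req_Host = p;` and print it with `%.*s`, and a later caller that treats it as a C string would read past the Host value. Something like `/* Host: header value, not NUL-terminated, length in req_HostLen */` would make that explicit.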