From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] minidlna: Update to version 1.3.2
Date: Fri, 19 May 2023 19:04:48 +0200 [thread overview]
Message-ID: <20230519170452.3469866-2-adolf.belka@ipfire.org> (raw)
In-Reply-To: <20230519170452.3469866-1-adolf.belka@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 4160 bytes --]
- Update from version 1.3.0 to 1.3.2
- Update of rootfile not required
- Patch for CVE-2022-26505 is now built into the source tarball
- Changelog
1.3.2 - Released 30-Aug-2022
- Improved DNS rebinding attack protection.
- Added Samsung Neo QLED series (2021) support.
- Added webm/rm/rmvb support.
1.3.1 - Released 11-Feb-2022
- Fixed a potential crash in SSDP request parsing.
- Fixed a configure script failure on some platforms.
- Protect against DNS rebinding attacks.
- Fix an socket leakage issue on some platforms.
- Minor bug fixes.
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
lfs/minidlna | 7 ++-
...x-DNS-rebinding-issue-CVE-2022-26505.patch | 44 -------------------
2 files changed, 3 insertions(+), 48 deletions(-)
delete mode 100644 src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
diff --git a/lfs/minidlna b/lfs/minidlna
index 1ef104743..d0422c08a 100644
--- a/lfs/minidlna
+++ b/lfs/minidlna
@@ -26,7 +26,7 @@ include Config
SUMMARY = DLNA compatible server
-VER = 1.3.0
+VER = 1.3.2
THISAPP = minidlna-$(VER)
DL_FILE = minidlna-$(VER).tar.gz
@@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = minidlna
-PAK_VER = 12
+PAK_VER = 13
DEPS = ffmpeg flac libexif libid3tag libogg
@@ -50,7 +50,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 3574d48ee63f8c391d1beac653587b87460522178d9f100fe4b0e49f33398b8e527ee74af02d5ea36b23338f7ac73ef3c177edae6be8eed24e94f9db5c8323b0
+$(DL_FILE)_BLAKE2 = e35266be94e4585f399c80a6909318ce973d443506f6becdacdb00802ed0ce060ebf8401ff1b5dfef0b451f609d98f805c80b9a0c87e23d14084338047418620
install : $(TARGET)
@@ -84,7 +84,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
$(UPDATE_AUTOMAKE)
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
cd $(DIR_APP) && ./configure --prefix=/usr
cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_APP) && make install
diff --git a/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
deleted file mode 100644
index c28425811..000000000
--- a/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
+++ /dev/null
@@ -1,44 +0,0 @@
---- minidlna-1.3.0/upnphttp.c.orig 2020-11-24 19:53:50.000000000 +0100
-+++ minidlna-1.3.0/upnphttp.c 2022-04-30 12:59:23.432073807 +0200
-@@ -273,6 +273,11 @@
- p = colon + 1;
- while(isspace(*p))
- p++;
-+ n = 0;
-+ while(p[n] >= ' ')
-+ n++;
-+ h->req_Host = p;
-+ h->req_HostLen = n;
- for(n = 0; n < n_lan_addr; n++)
- {
- for(i = 0; lan_addr[n].str[i]; i++)
-@@ -909,6 +914,18 @@
- }
-
- DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
-+ if(h->req_Host && h->req_HostLen > 0) {
-+ const char *ptr = h->req_Host;
-+ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
-+ for(i = 0; i < h->req_HostLen; i++) {
-+ if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
-+ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
-+ Send404(h);/* 403 */
-+ return;
-+ }
-+ ptr++;
-+ }
-+ }
- if(strcmp("POST", HttpCommand) == 0)
- {
- h->req_command = EPost;
---- minidlna-1.3.0/upnphttp.h.orig 2020-11-24 19:53:50.000000000 +0100
-+++ minidlna-1.3.0/upnphttp.h 2022-04-30 13:00:22.619152312 +0200
-@@ -89,6 +89,8 @@
- struct client_cache_s * req_client;
- const char * req_soapAction;
- int req_soapActionLen;
-+ const char * req_Host; /* Host: header */
-+ int req_HostLen;
- const char * req_Callback; /* For SUBSCRIBE */
- int req_CallbackLen;
- const char * req_NT;
--
2.40.1
next prev parent reply other threads:[~2023-05-19 17:04 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-19 17:04 [PATCH] fping: Update to version 5.1 Adolf Belka
2023-05-19 17:04 ` Adolf Belka [this message]
2023-05-19 17:04 ` [PATCH] mpfr: Update with latest bug patches Adolf Belka
2023-05-19 17:04 ` [PATCH] nginx: Update to version 1.24.0 Adolf Belka
2023-05-19 17:04 ` [PATCH] strace: Update to version 6.3 Adolf Belka
2023-05-19 17:04 ` [PATCH] stress: Update to version 1.0.7 Adolf Belka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230519170452.3469866-2-adolf.belka@ipfire.org \
--to=adolf.belka@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox