- CVE-2022-26505 A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. CVE created on 6th March 2022 - minidlna have created the patches to fix CVE-2022-26505 and have created a git tag for version 1.3.1 but have not provided any 1.3.1 source tarballs. A ticket was raised on 14th March 2022 in the source forge support system asking to "Please publish a tarball for 1.3.1" but there was no reply from the developer so far. - In the NIST National Vulnerability Database it refers to a fix implemented in 1.3.1 but the link to the sourceforge page is only the patches applied for the fix - I used those diff descriptions to create a patch to implement on the existing 1.3.0 version in IPFire and this patch submission applies that fix - Incremented the lfs PAK_VER
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- lfs/minidlna | 3 +- ...x-DNS-rebinding-issue-CVE-2022-26505.patch | 44 +++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
diff --git a/lfs/minidlna b/lfs/minidlna index 17cf76339..0fa7aec96 100644 --- a/lfs/minidlna +++ b/lfs/minidlna @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = minidlna -PAK_VER = 8 +PAK_VER = 9
DEPS = ffmpeg flac libexif libid3tag libogg
@@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) $(UPDATE_AUTOMAKE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch cd $(DIR_APP) && ./configure --prefix=/usr cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP) && make install diff --git a/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch new file mode 100644 index 000000000..c28425811 --- /dev/null +++ b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch @@ -0,0 +1,44 @@ +--- minidlna-1.3.0/upnphttp.c.orig 2020-11-24 19:53:50.000000000 +0100 ++++ minidlna-1.3.0/upnphttp.c 2022-04-30 12:59:23.432073807 +0200 +@@ -273,6 +273,11 @@ + p = colon + 1; + while(isspace(*p)) + p++; ++ n = 0; ++ while(p[n] >= ' ') ++ n++; ++ h->req_Host = p; ++ h->req_HostLen = n; + for(n = 0; n < n_lan_addr; n++) + { + for(i = 0; lan_addr[n].str[i]; i++) +@@ -909,6 +914,18 @@ + } + + DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf); ++ if(h->req_Host && h->req_HostLen > 0) { ++ const char *ptr = h->req_Host; ++ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host); ++ for(i = 0; i < h->req_HostLen; i++) { ++ if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) { ++ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host); ++ Send404(h);/* 403 */ ++ return; ++ } ++ ptr++; ++ } ++ } + if(strcmp("POST", HttpCommand) == 0) + { + h->req_command = EPost; +--- minidlna-1.3.0/upnphttp.h.orig 2020-11-24 19:53:50.000000000 +0100 ++++ minidlna-1.3.0/upnphttp.h 2022-04-30 13:00:22.619152312 +0200 +@@ -89,6 +89,8 @@ + struct client_cache_s * req_client; + const char * req_soapAction; + int req_soapActionLen; ++ const char * req_Host; /* Host: header */ ++ int req_HostLen; + const char * req_Callback; /* For SUBSCRIBE */ + int req_CallbackLen; + const char * req_NT;