Re: [PATCH] minidlna: Addition of patches to fix CVE-2022-26505

Reviewed-by: Peter Müller peter.mueller@ipfire.org

• CVE-2022-26505 A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. CVE created on 6th March 2022
• minidlna have created the patches to fix CVE-2022-26505 and have created a git tag for version 1.3.1 but have not provided any 1.3.1 source tarballs. A ticket was raised on 14th March 2022 in the source forge support system asking to "Please publish a tarball for 1.3.1" but there was no reply from the developer so far.
• In the NIST National Vulnerability Database it refers to a fix implemented in 1.3.1 but the link to the sourceforge page is only the patches applied for the fix
• I used those diff descriptions to create a patch to implement on the existing 1.3.0 version in IPFire and this patch submission applies that fix
• Incremented the lfs PAK_VER

Signed-off-by: Adolf Belka adolf.belka@ipfire.org

lfs/minidlna | 3 +- ...x-DNS-rebinding-issue-CVE-2022-26505.patch | 44 +++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch

diff --git a/lfs/minidlna b/lfs/minidlna index 17cf76339..0fa7aec96 100644 --- a/lfs/minidlna +++ b/lfs/minidlna @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = minidlna -PAK_VER = 8 +PAK_VER = 9

DEPS = ffmpeg flac libexif libid3tag libogg

@@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) $(UPDATE_AUTOMAKE)

• cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch cd $(DIR_APP) && ./configure --prefix=/usr cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP) && make install

diff --git a/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch new file mode 100644 index 000000000..c28425811 --- /dev/null +++ b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch @@ -0,0 +1,44 @@ +--- minidlna-1.3.0/upnphttp.c.orig 2020-11-24 19:53:50.000000000 +0100 ++++ minidlna-1.3.0/upnphttp.c 2022-04-30 12:59:23.432073807 +0200 +@@ -273,6 +273,11 @@

• 		p = colon + 1;
  

• 		while(isspace(*p))
  

• 			p++;
  

++ n = 0; ++ while(p[n] >= ' ') ++ n++; ++ h->req_Host = p; ++ h->req_HostLen = n;

• 		for(n = 0; n < n_lan_addr; n++)
  

• 		{
  

• 			for(i = 0; lan_addr[n].str[i]; i++)
  

+@@ -909,6 +914,18 @@

• }
• DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);

++ if(h->req_Host && h->req_HostLen > 0) { ++ const char *ptr = h->req_Host; ++ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host); ++ for(i = 0; i < h->req_HostLen; i++) { ++ if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) { ++ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host); ++ Send404(h);/* 403 */ ++ return; ++ } ++ ptr++; ++ } ++ }

• if(strcmp("POST", HttpCommand) == 0)
• {

• h->req_command = EPost;
  

+--- minidlna-1.3.0/upnphttp.h.orig 2020-11-24 19:53:50.000000000 +0100 ++++ minidlna-1.3.0/upnphttp.h 2022-04-30 13:00:22.619152312 +0200 +@@ -89,6 +89,8 @@

• struct client_cache_s * req_client;
• const char * req_soapAction;
• int req_soapActionLen;

++ const char * req_Host; /* Host: header */ ++ int req_HostLen;

• const char * req_Callback; /* For SUBSCRIBE */
• int req_CallbackLen;
• const char * req_NT;