public inbox for ipfire-scm@lists.ipfire.org
From: "Peter Müller" <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. e1e94ae75b5cb4835d9a35a7c054db66778a8114
Date: Sun, 01 May 2022 08:45:20 +0000	[thread overview]
Message-ID: <4Krftn0DCQz2xjF@people01.haj.ipfire.org> (raw)


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  e1e94ae75b5cb4835d9a35a7c054db66778a8114 (commit)
      from  53736cfe67a21848b095746b123119c96b2d5dac (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e1e94ae75b5cb4835d9a35a7c054db66778a8114
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Sat Apr 30 19:34:58 2022 +0200

    minidlna: Addition of patches to fix CVE-2022-26505
    
    - CVE-2022-26505: A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
       allows a remote web server to exfiltrate media files. CVE created on 6th March 2022
    - minidlna have created the patches to fix CVE-2022-26505 and have created a git tag for
       version 1.3.1 but have not provided any 1.3.1 source tarballs. A ticket was raised on
       14th March 2022 in the SourceForge support system asking to "Please publish a tarball
       for 1.3.1" but there was no reply from the developer so far.
    - In the NIST National Vulnerability Database it refers to a fix implemented in 1.3.1 but
       the link to the SourceForge page is only the patches applied for the fix
    - I used those diff descriptions to create a patch to implement on the existing 1.3.0
       version in IPFire and this patch submission applies that fix
    - Incremented the lfs PAK_VER
    
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 lfs/minidlna                                       |  3 +-
 ....0-fix-DNS-rebinding-issue-CVE-2022-26505.patch | 44 ++++++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch

Difference in files:
diff --git a/lfs/minidlna b/lfs/minidlna
index 17cf76339..0fa7aec96 100644
--- a/lfs/minidlna
+++ b/lfs/minidlna
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = minidlna
-PAK_VER    = 8
+PAK_VER    = 9
 
 DEPS       = ffmpeg flac libexif libid3tag libogg
 
@@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 	$(UPDATE_AUTOMAKE)
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
 	cd $(DIR_APP) && ./configure --prefix=/usr
 	cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
 	cd $(DIR_APP) && make install
diff --git a/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
new file mode 100644
index 000000000..c28425811
--- /dev/null
+++ b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
@@ -0,0 +1,44 @@
+--- minidlna-1.3.0/upnphttp.c.orig	2020-11-24 19:53:50.000000000 +0100
++++ minidlna-1.3.0/upnphttp.c	2022-04-30 12:59:23.432073807 +0200
+@@ -273,6 +273,11 @@
+ 				p = colon + 1;
+ 				while(isspace(*p))
+ 					p++;
++				    n = 0;
++				    while(p[n] >= ' ')
++					    n++;
++				    h->req_Host = p;
++				    h->req_HostLen = n;					
+ 				for(n = 0; n < n_lan_addr; n++)
+ 				{
+ 					for(i = 0; lan_addr[n].str[i]; i++)
+@@ -909,6 +914,18 @@
+ 	}
+ 
+ 	DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
++	if(h->req_Host && h->req_HostLen > 0) {
++		const char *ptr = h->req_Host;
++		DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
++		for(i = 0; i < h->req_HostLen; i++) {
++			if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
++				DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
++				Send404(h);/* 403 */
++				return;
++			}
++			ptr++;
++		}
++	}	
+ 	if(strcmp("POST", HttpCommand) == 0)
+ 	{
+ 		h->req_command = EPost;
+--- minidlna-1.3.0/upnphttp.h.orig	2020-11-24 19:53:50.000000000 +0100
++++ minidlna-1.3.0/upnphttp.h	2022-04-30 13:00:22.619152312 +0200
+@@ -89,6 +89,8 @@
+ 	struct client_cache_s * req_client;
+ 	const char * req_soapAction;
+ 	int req_soapActionLen;
++	const char * req_Host;        /* Host: header */
++	int req_HostLen;
+ 	const char * req_Callback;	/* For SUBSCRIBE */
+ 	int req_CallbackLen;
+ 	const char * req_NT;
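Review bot: The Host allow-list added before the `strcmp("POST", HttpCommand)` test accepts only digits, '.' and ':' (`if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0'))`), so any request whose Host: header carries a hostname, a bracketed IPv6 literal or an IPv6 address with hex letters is answered with `Send404(h)` and logged as a suspected rebinding attack; the commit message says this mirrors the upstream 1.3.1 fix, but it should also say that clients that reach minidlna by name will be refused after this update, since that is a visible behaviour change for IPFire users. Two smaller points in the same region: the comment `/* 403 */` beside `Send404(h);` does not match the status actually sent, and the `E_ERROR` DPRINTF lacks the trailing `\n` that the neighbouring DPRINTF calls carry, so the log line will run into the next one. The new `req_Host` field is never reset in this patch, so the `if(h->req_Host && h->req_HostLen > 0)` guard relies on the struct being zero-initialised at allocation and on the header parser overwriting it on every request; worth confirming, because a stale pointer from an earlier request on the same connection would otherwise be checked against the wrong buffer. Style: the lines `n = 0;` through `h->req_HostLen = n;` mix tabs and spaces, and that line and the closing `}` of the Host check carry trailing whitespace; these are inherited from the upstream diff, so stripping them is optional but keeps the patch clean.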


hooks/post-receive
--
IPFire 2.x development tree
