[prev in list] [next in list] [prev in thread] [next in thread]
List: ipfire-development
Subject: [PATCH] minidlna: Addition of patches to fix CVE-2022-26505
From: Adolf Belka <adolf.belka () ipfire ! org>
Date: 2022-04-30 17:34:58
Message-ID: 20220430173458.3520498-1-adolf.belka () ipfire ! org
[Download RAW message or body]
- CVE-2022-26505 A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before \
1.3.1 allows a remote web server to exfiltrate media files. CVE created on 6th March \
2022
- minidlna have created the patches to fix CVE-2022-26505 and have created a git tag \
for version 1.3.1 but have not provided any 1.3.1 source tarballs. A ticket was \
raised on 14th March 2022 in the source forge support system asking to "Please \
publish a tarball for 1.3.1" but there was no reply from the developer so far.
- In the NIST National Vulnerability Database it refers to a fix implemented in 1.3.1 \
but the link to the sourceforge page is only the patches applied for the fix
- I used those diff descriptions to create a patch to implement on the existing 1.3.0
version in IPFire and this patch submission applies that fix
- Incremented the lfs PAK_VER
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/minidlna | 3 +-
...x-DNS-rebinding-issue-CVE-2022-26505.patch | 44 +++++++++++++++++++
2 files changed, 46 insertions(+), 1 deletion(-)
create mode 100644 src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
diff --git a/lfs/minidlna b/lfs/minidlna
index 17cf76339..0fa7aec96 100644
--- a/lfs/minidlna
+++ b/lfs/minidlna
@@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = minidlna
-PAK_VER = 8
+PAK_VER = 9
DEPS = ffmpeg flac libexif libid3tag libogg
@@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
$(UPDATE_AUTOMAKE)
+ cd $(DIR_APP) && patch -Np1 -i \
$(DIR_SRC)/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch \
cd $(DIR_APP) && ./configure --prefix=/usr cd $(DIR_APP) && make $(MAKETUNING) \
$(EXTRA_MAKE) cd $(DIR_APP) && make install
diff --git a/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch \
b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch new file \
mode 100644 index 000000000..c28425811
--- /dev/null
+++ b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
@@ -0,0 +1,44 @@
+--- minidlna-1.3.0/upnphttp.c.orig 2020-11-24 19:53:50.000000000 +0100
++++ minidlna-1.3.0/upnphttp.c 2022-04-30 12:59:23.432073807 +0200
+@@ -273,6 +273,11 @@
+ p = colon + 1;
+ while(isspace(*p))
+ p++;
++ n = 0;
++ while(p[n] >= ' ')
++ n++;
++ h->req_Host = p;
++ h->req_HostLen = n;
+ for(n = 0; n < n_lan_addr; n++)
+ {
+ for(i = 0; lan_addr[n].str[i]; i++)
+@@ -909,6 +914,18 @@
+ }
+
+ DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
++ if(h->req_Host && h->req_HostLen > 0) {
++ const char *ptr = h->req_Host;
++ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
++ for(i = 0; i < h->req_HostLen; i++) {
++ if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
++ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", \
h->req_HostLen, h->req_Host); ++ Send404(h);/* 403 */
++ return;
++ }
++ ptr++;
++ }
++ }
+ if(strcmp("POST", HttpCommand) == 0)
+ {
+ h->req_command = EPost;
+--- minidlna-1.3.0/upnphttp.h.orig 2020-11-24 19:53:50.000000000 +0100
++++ minidlna-1.3.0/upnphttp.h 2022-04-30 13:00:22.619152312 +0200
+@@ -89,6 +89,8 @@
+ struct client_cache_s * req_client;
+ const char * req_soapAction;
+ int req_soapActionLen;
++ const char * req_Host; /* Host: header */
++ int req_HostLen;
+ const char * req_Callback; /* For SUBSCRIBE */
+ int req_CallbackLen;
+ const char * req_NT;
--
2.36.0
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic