
Bug#1009076: buster-pu: minidlna/1.2.1+dfsg-2+deb10u3



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for minidlna fixes CVE-2022-26505 in Buster. This
CVE has been marked as no-dsa by the security team.

The same fix has already been uploaded to Unstable.

  Thorsten

diff -Nru minidlna-1.2.1+dfsg/debian/changelog minidlna-1.2.1+dfsg/debian/changelog
--- minidlna-1.2.1+dfsg/debian/changelog	2021-01-03 17:16:43.000000000 +0100
+++ minidlna-1.2.1+dfsg/debian/changelog	2022-03-24 22:03:02.000000000 +0100
@@ -1,3 +1,13 @@
+minidlna (1.2.1+dfsg-2+deb10u3) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2022-26505
+    Validate HTTP requests to protect against DNS rebinding, thus forbid
+    a remote web server to exfiltrate media files.
+    (Closes: #1006798)
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Thu, 24 Mar 2022 22:03:02 +0100
+
 minidlna (1.2.1+dfsg-2+deb10u2) buster-security; urgency=medium
 
   * d/minidlna.postrm: Do not fail on purge (Closes: #975372). This fixes the
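Review bot: The new changelog entry ("Validate HTTP requests to protect against DNS rebinding") does not say what is now refused. The patch answers any request whose Host header contains a character other than a digit, `.` or `:` with a 404, so clients that address the server by hostname are rejected after this update; a sentence stating that would help administrators reading the point-release notes. The phrase "thus forbid a remote web server to exfiltrate media files" would also read better as "preventing a remote web server from exfiltrating media files".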
diff -Nru minidlna-1.2.1+dfsg/debian/patches/CVE-2022-26505.patch minidlna-1.2.1+dfsg/debian/patches/CVE-2022-26505.patch
--- minidlna-1.2.1+dfsg/debian/patches/CVE-2022-26505.patch	1970-01-01 01:00:00.000000000 +0100
+++ minidlna-1.2.1+dfsg/debian/patches/CVE-2022-26505.patch	2022-03-24 22:03:02.000000000 +0100
@@ -0,0 +1,56 @@
+commit c21208508dbc131712281ec5340687e5ae89e940
+Author: Justin Maggard <jmaggard@arlo.com>
+Date:   Wed Feb 9 18:32:50 2022 -0800
+
+    upnphttp: Protect against DNS rebinding attacks
+    
+    Validate HTTP requests to protect against DNS rebinding.
+
+Index: minidlna-1.2.1+dfsg/upnphttp.c
+===================================================================
+--- minidlna-1.2.1+dfsg.orig/upnphttp.c	2022-03-25 00:26:07.789929728 +0100
++++ minidlna-1.2.1+dfsg/upnphttp.c	2022-03-25 00:28:13.477909761 +0100
+@@ -268,6 +268,11 @@
+ 				p = colon + 1;
+ 				while(isspace(*p))
+ 					p++;
++                                n = 0;
++                                while(p[n] >= ' ')
++                                        n++;
++                                h->req_Host = p;
++                                h->req_HostLen = n;
+ 				for(n = 0; n<n_lan_addr; n++)
+ 				{
+ 					for(i=0; lan_addr[n].str[i]; i++)
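Review bot: The Host length scan `while(p[n] >= ' ')` has no upper bound in this hunk and stops only at a byte that compares below `' '`, so it relies on the request buffer ending in a control character or NUL; bounding it by the bytes remaining in `h->req_buf` (via `h->req_buflen`) would make that explicit. The same condition counts trailing spaces into `req_HostLen`, and the character check added later in this patch then rejects them, so trimming trailing whitespace here would avoid refusing an otherwise numeric Host value. The five added lines are indented with spaces while the surrounding code uses tabs.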
+@@ -904,6 +909,18 @@
+ 	}
+ 
+ 	DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
++	if(h->req_Host && h->req_HostLen > 0) {
++		const char *ptr = h->req_Host;
++		DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
++		for(i = 0; i < h->req_HostLen; i++) {
++			if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
++				DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
++				Send404(h);/* 403 */
++				return;
++			}
++			ptr++;
++		}
++	}
+ 	if(strcmp("POST", HttpCommand) == 0)
+ 	{
+ 		h->req_command = EPost;
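Review bot: `Send404(h);/* 403 */` in the rejection branch sends a 404 while its comment says 403; either return a 403 if the code base has a helper for it, or drop the comment so the intended status is unambiguous. The `DPRINTF(E_ERROR, ...)` format string in the same branch lacks the trailing `\n` that the two other DPRINTF calls in this hunk carry. The allow-list (digits, `.` and `:`) also rejects bracketed IPv6 literals, since `[` and hex letters fail the test, and the whole check is skipped when `h->req_Host` is NULL; both behaviours deserve a line in the commit message or the package documentation.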
+Index: minidlna-1.2.1+dfsg/upnphttp.h
+===================================================================
+--- minidlna-1.2.1+dfsg.orig/upnphttp.h	2022-03-25 00:26:07.789929728 +0100
++++ minidlna-1.2.1+dfsg/upnphttp.h	2022-03-25 00:26:07.789929728 +0100
+@@ -89,6 +89,8 @@
+ 	struct client_cache_s * req_client;
+ 	const char * req_soapAction;
+ 	int req_soapActionLen;
++	const char * req_Host;        /* Host: header */
++	int req_HostLen;
+ 	const char * req_Callback;	/* For SUBSCRIBE */
+ 	int req_CallbackLen;
+ 	const char * req_NT;
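Review bot: Nothing in this patch initialises the new `req_Host` and `req_HostLen` members, yet the handler in upnphttp.c tests `if(h->req_Host && h->req_HostLen > 0)`; please confirm the structure is zeroed where it is allocated (and reset if it is reused for a further request), otherwise a request without a Host header evaluates an indeterminate or stale pointer. The added `req_Host` line separates the declaration from its comment with spaces where the neighbouring `req_Callback` line uses a tab.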
diff -Nru minidlna-1.2.1+dfsg/debian/patches/series minidlna-1.2.1+dfsg/debian/patches/series
--- minidlna-1.2.1+dfsg/debian/patches/series	2020-12-22 08:53:42.000000000 +0100
+++ minidlna-1.2.1+dfsg/debian/patches/series	2022-03-24 22:03:02.000000000 +0100
@@ -10,3 +10,5 @@
 15-use-newer-ip_multicast_if-api.patch
 0011-upnphttp-Disallow-negative-HTTP-chunk-lengths.patch
 0012-upnphttp-Validate-SUBSCRIBE-callback-URL.patch
+
+CVE-2022-26505.patch
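Review bot: The empty `+` line added before `CVE-2022-26505.patch` is not needed, and the file name does not follow the numeric prefix of the two entries directly above it (`0011-`, `0012-`); consider dropping the blank line and, if the package wants to keep that convention, renaming the patch to match.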
