Bug#1009077: marked as done (bullseye-pu: minidlna/1.3.0+dfsg-2+deb11u1)

Debian Bug Tracking System Sat, 09 Jul 2022 03:52:18 -0700

Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id 
<2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1009077,
regarding bullseye-pu: minidlna/1.3.0+dfsg-2+deb11u1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1009077: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009077
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu

The attached debdiff for minidlna fixes CVE-2022-26505 in Bullseye. ThisCVE has been marked as no-dsa by the security team.


The same fix has been already uploaded to Unstable.

  Thorsten

diff -Nru minidlna-1.3.0+dfsg/debian/changelog 
minidlna-1.3.0+dfsg/debian/changelog
--- minidlna-1.3.0+dfsg/debian/changelog        2021-01-31 16:56:14.000000000 
+0100
+++ minidlna-1.3.0+dfsg/debian/changelog        2022-03-24 22:03:02.000000000 
+0100
@@ -1,3 +1,13 @@
+minidlna (1.3.0+dfsg-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2022-26505
+    Validate HTTP requests to protect against DNS rebinding, thus forbid
+    a remote web server to exfiltrate media files.
+    (Closes: #1006798)
+
+ -- Thorsten Alteholz <[email protected]>  Thu, 24 Mar 2022 22:03:02 +0100
+
 minidlna (1.3.0+dfsg-2) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch 
minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch
--- minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch     1970-01-01 
01:00:00.000000000 +0100
+++ minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch     2022-03-24 
22:03:02.000000000 +0100
@@ -0,0 +1,56 @@
+commit c21208508dbc131712281ec5340687e5ae89e940
+Author: Justin Maggard <[email protected]>
+Date:   Wed Feb 9 18:32:50 2022 -0800
+
+    upnphttp: Protect against DNS rebinding attacks
+    
+    Validate HTTP requests to protect against DNS rebinding.
+
+diff --git a/upnphttp.c b/upnphttp.c
+index c8b5e99..62db89a 100644
+--- a/upnphttp.c
++++ b/upnphttp.c
+@@ -273,6 +273,11 @@ ParseHttpHeaders(struct upnphttp * h)
+                               p = colon + 1;
+                               while(isspace(*p))
+                                       p++;
++                              n = 0;
++                              while(p[n] >= ' ')
++                                      n++;
++                              h->req_Host = p;
++                              h->req_HostLen = n;
+                               for(n = 0; n < n_lan_addr; n++)
+                               {
+                                       for(i = 0; lan_addr[n].str[i]; i++)
+@@ -909,6 +914,18 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
+       }
+ 
+       DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, 
h->req_buf);
++      if(h->req_Host && h->req_HostLen > 0) {
++              const char *ptr = h->req_Host;
++              DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, 
h->req_Host);
++              for(i = 0; i < h->req_HostLen; i++) {
++                      if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < 
'0')) {
++                              DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack 
suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
++                              Send404(h);/* 403 */
++                              return;
++                      }
++                      ptr++;
++              }
++      }
+       if(strcmp("POST", HttpCommand) == 0)
+       {
+               h->req_command = EPost;
+diff --git a/upnphttp.h b/upnphttp.h
+index e28a943..57eb2bb 100644
+--- a/upnphttp.h
++++ b/upnphttp.h
+@@ -89,6 +89,8 @@ struct upnphttp {
+       struct client_cache_s * req_client;
+       const char * req_soapAction;
+       int req_soapActionLen;
++      const char * req_Host;        /* Host: header */
++      int req_HostLen;
+       const char * req_Callback;      /* For SUBSCRIBE */
+       int req_CallbackLen;
+       const char * req_NT;
diff -Nru minidlna-1.3.0+dfsg/debian/patches/series 
minidlna-1.3.0+dfsg/debian/patches/series
--- minidlna-1.3.0+dfsg/debian/patches/series   2021-01-31 16:53:51.000000000 
+0100
+++ minidlna-1.3.0+dfsg/debian/patches/series   2022-03-24 22:03:02.000000000 
+0100
@@ -5,3 +5,5 @@
 08-Fix-testupnpdescgen-build.patch
 09-do-not-disable-logs-with-systemd.patch
 10-do-not-close-socket-on-sighup.patch
+
+CVE-2022-26505.patch

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 11.4

(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye
point release.

Regards,

Adam

--- End Message ---

Bug#1009077: marked as done (bullseye-pu: minidlna/1.3.0+dfsg-2+deb11u1)

Reply via email to