[Buildroot] [PATCH 1/1] package/minidlna: fix CVE-2022-26505

* [Buildroot] [PATCH 1/1] package/minidlna: fix CVE-2022-26505
@ 2022-03-13 11:41 Fabrice Fontaine
  2022-03-18 22:17 ` Yann E. MORIN
  2022-03-21 16:22 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-03-13 11:41 UTC (permalink / raw)
  To: buildroot; +Cc: Bernd Kuhls, Simon Dawson, Fabrice Fontaine

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
allows a remote web server to exfiltrate media files.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...rotect-against-DNS-rebinding-attacks.patch | 66 +++++++++++++++++++
 package/minidlna/minidlna.mk                  |  3 +
 2 files changed, 69 insertions(+)
 create mode 100644 package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch

diff --git a/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch b/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
new file mode 100644
index 0000000000..6d601f53b9
--- /dev/null
+++ b/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
@@ -0,0 +1,66 @@
+From c21208508dbc131712281ec5340687e5ae89e940 Mon Sep 17 00:00:00 2001
+From: Justin Maggard <jmaggard@arlo.com>
+Date: Wed, 9 Feb 2022 18:32:50 -0800
+Subject: [PATCH] upnphttp: Protect against DNS rebinding attacks
+
+Validate HTTP requests to protect against DNS rebinding.
+
+[Retrieved from:
+https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ upnphttp.c | 17 +++++++++++++++++
+ upnphttp.h |  2 ++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/upnphttp.c b/upnphttp.c
+index c8b5e99..62db89a 100644
+--- a/upnphttp.c
++++ b/upnphttp.c
+@@ -273,6 +273,11 @@ ParseHttpHeaders(struct upnphttp * h)
+ 				p = colon + 1;
+ 				while(isspace(*p))
+ 					p++;
++				n = 0;
++				while(p[n] >= ' ')
++					n++;
++				h->req_Host = p;
++				h->req_HostLen = n;
+ 				for(n = 0; n < n_lan_addr; n++)
+ 				{
+ 					for(i = 0; lan_addr[n].str[i]; i++)
+@@ -909,6 +914,18 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
+ 	}
+ 
+ 	DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
++	if(h->req_Host && h->req_HostLen > 0) {
++		const char *ptr = h->req_Host;
++		DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
++		for(i = 0; i < h->req_HostLen; i++) {
++			if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
++				DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
++				Send404(h);/* 403 */
++				return;
++			}
++			ptr++;
++		}
++	}
+ 	if(strcmp("POST", HttpCommand) == 0)
+ 	{
+ 		h->req_command = EPost;
+diff --git a/upnphttp.h b/upnphttp.h
+index e28a943..57eb2bb 100644
+--- a/upnphttp.h
++++ b/upnphttp.h
+@@ -89,6 +89,8 @@ struct upnphttp {
+ 	struct client_cache_s * req_client;
+ 	const char * req_soapAction;
+ 	int req_soapActionLen;
++	const char * req_Host;        /* Host: header */
++	int req_HostLen;
+ 	const char * req_Callback;	/* For SUBSCRIBE */
+ 	int req_CallbackLen;
+ 	const char * req_NT;
+-- 
+2.34.1
+
diff --git a/package/minidlna/minidlna.mk b/package/minidlna/minidlna.mk
index adea200f4f..01ee8d0028 100644
--- a/package/minidlna/minidlna.mk
+++ b/package/minidlna/minidlna.mk
@@ -12,6 +12,9 @@ MINIDLNA_CPE_ID_VENDOR = readymedia_project
 MINIDLNA_CPE_ID_PRODUCT = readymedia
 MINIDLNA_SELINUX_MODULES = minidlna
 
+# 0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
+MINIDLNA_IGNORE_CVES += CVE-2022-26505
+
 MINIDLNA_DEPENDENCIES = \
 	$(TARGET_NLS_DEPENDENCIES) \
 	ffmpeg flac libvorbis libogg libid3tag libexif jpeg sqlite \
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread