* [Buildroot] [PATCH 1/1] package/minidlna: fix CVE-2022-26505
@ 2022-03-13 11:41 Fabrice Fontaine
2022-03-18 22:17 ` Yann E. MORIN
2022-03-21 16:22 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-03-13 11:41 UTC
To: buildroot; +Cc: Bernd Kuhls, Simon Dawson, Fabrice Fontaine
A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
allows a remote web server to exfiltrate media files.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...rotect-against-DNS-rebinding-attacks.patch | 66 +++++++++++++++++++
package/minidlna/minidlna.mk | 3 +
2 files changed, 69 insertions(+)
create mode 100644 package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
diff --git a/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch b/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
new file mode 100644
index 0000000000..6d601f53b9
--- /dev/null
+++ b/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
@@ -0,0 +1,66 @@
+From c21208508dbc131712281ec5340687e5ae89e940 Mon Sep 17 00:00:00 2001
+From: Justin Maggard <jmaggard@arlo.com>
+Date: Wed, 9 Feb 2022 18:32:50 -0800
+Subject: [PATCH] upnphttp: Protect against DNS rebinding attacks
+
+Validate HTTP requests to protect against DNS rebinding.
+
+[Retrieved from:
+https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ upnphttp.c | 17 +++++++++++++++++
+ upnphttp.h | 2 ++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/upnphttp.c b/upnphttp.c
+index c8b5e99..62db89a 100644
+--- a/upnphttp.c
++++ b/upnphttp.c
+@@ -273,6 +273,11 @@ ParseHttpHeaders(struct upnphttp * h)
+ p = colon + 1;
+ while(isspace(*p))
+ p++;
++ n = 0;
++ while(p[n] >= ' ')
++ n++;
++ h->req_Host = p;
++ h->req_HostLen = n;
+ for(n = 0; n < n_lan_addr; n++)
+ {
+ for(i = 0; lan_addr[n].str[i]; i++)
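Review bot: The scan `while(p[n] >= ' ')` in ParseHttpHeaders has no upper bound of its own; it stops only at a byte below 0x20, so it depends on the buffer being parsed always holding a CR, LF or NUL after the header value. Bounding it by the bytes remaining in the request would make that explicit. Two smaller points: where `char` is signed, any byte at or above 0x80 compares below `' '` and ends the value early, and trailing spaces are counted into `req_HostLen`, which the later character check then rejects.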
+@@ -909,6 +914,18 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
+ }
+
+ DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
++ if(h->req_Host && h->req_HostLen > 0) {
++ const char *ptr = h->req_Host;
++ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
++ for(i = 0; i < h->req_HostLen; i++) {
++ if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
++ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
++ Send404(h);/* 403 */
++ return;
++ }
++ ptr++;
++ }
++ }
+ if(strcmp("POST", HttpCommand) == 0)
+ {
+ h->req_command = EPost;
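Review bot: The character test `*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')` rejects every bracketed IPv6 literal, since `[`, `]` and the hex digits a-f are outside the allowed set, and it rejects any client that addresses the server by name; if either should keep working, compare the Host value against the server's own addresses (the `lan_addr` table used in ParseHttpHeaders) rather than filtering by character class. The rejection calls `Send404(h)` while its comment says `/* 403 */`, so either send a 403 or drop the comment. The E_ERROR `DPRINTF` format string lacks the trailing `\n` that the two DPRINTF calls above it have, and a request without a Host header skips the check entirely, which deserves a comment saying that is intended.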
+diff --git a/upnphttp.h b/upnphttp.h
+index e28a943..57eb2bb 100644
+--- a/upnphttp.h
++++ b/upnphttp.h
+@@ -89,6 +89,8 @@ struct upnphttp {
+ struct client_cache_s * req_client;
+ const char * req_soapAction;
+ int req_soapActionLen;
++ const char * req_Host; /* Host: header */
++ int req_HostLen;
+ const char * req_Callback; /* For SUBSCRIBE */
+ int req_CallbackLen;
+ const char * req_NT;
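Review bot: The comment on `req_Host` should say that the pointer refers into the buffer being parsed and is not NUL-terminated, so it is only valid together with `req_HostLen` (the `%.*s` uses in upnphttp.c rely on this). Spelling that out next to the field would guard against a later `strcmp` on the raw pointer.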
+--
+2.34.1
+
diff --git a/package/minidlna/minidlna.mk b/package/minidlna/minidlna.mk
index adea200f4f..01ee8d0028 100644
--- a/package/minidlna/minidlna.mk
+++ b/package/minidlna/minidlna.mk
@@ -12,6 +12,9 @@ MINIDLNA_CPE_ID_VENDOR = readymedia_project
MINIDLNA_CPE_ID_PRODUCT = readymedia
MINIDLNA_SELINUX_MODULES = minidlna
+# 0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
+MINIDLNA_IGNORE_CVES += CVE-2022-26505
+
MINIDLNA_DEPENDENCIES = \
$(TARGET_NLS_DEPENDENCIES) \
ffmpeg flac libvorbis libogg libid3tag libexif jpeg sqlite \
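Review bot: The comment above `MINIDLNA_IGNORE_CVES += CVE-2022-26505` names the patch but not when the entry can go away. Since the commit message says the issue affects versions before 1.3.1, a short remark that both the patch and this line are to be dropped on a bump to 1.3.1 would help whoever does that bump.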
--
2.34.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH 1/1] package/minidlna: fix CVE-2022-26505
From: Yann E. MORIN @ 2022-03-18 22:17 UTC
To: Fabrice Fontaine; +Cc: Bernd Kuhls, Simon Dawson, buildroot
Fabrice, All,
On 2022-03-13 12:41 +0100, Fabrice Fontaine spake thusly:
> A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
> allows a remote web server to exfiltrate media files.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...rotect-against-DNS-rebinding-attacks.patch | 66 +++++++++++++++++++
> package/minidlna/minidlna.mk | 3 +
> 2 files changed, 69 insertions(+)
> create mode 100644 package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
>
> diff --git a/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch b/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
> new file mode 100644
> index 0000000000..6d601f53b9
> --- /dev/null
> +++ b/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
> @@ -0,0 +1,66 @@
> +From c21208508dbc131712281ec5340687e5ae89e940 Mon Sep 17 00:00:00 2001
> +From: Justin Maggard <jmaggard@arlo.com>
> +Date: Wed, 9 Feb 2022 18:32:50 -0800
> +Subject: [PATCH] upnphttp: Protect against DNS rebinding attacks
> +
> +Validate HTTP requests to protect against DNS rebinding.
> +
> +[Retrieved from:
> +https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + upnphttp.c | 17 +++++++++++++++++
> + upnphttp.h | 2 ++
> + 2 files changed, 19 insertions(+)
> +
> +diff --git a/upnphttp.c b/upnphttp.c
> +index c8b5e99..62db89a 100644
> +--- a/upnphttp.c
> ++++ b/upnphttp.c
> +@@ -273,6 +273,11 @@ ParseHttpHeaders(struct upnphttp * h)
> + p = colon + 1;
> + while(isspace(*p))
> + p++;
> ++ n = 0;
> ++ while(p[n] >= ' ')
> ++ n++;
> ++ h->req_Host = p;
> ++ h->req_HostLen = n;
> + for(n = 0; n < n_lan_addr; n++)
> + {
> + for(i = 0; lan_addr[n].str[i]; i++)
> +@@ -909,6 +914,18 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
> + }
> +
> + DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
> ++ if(h->req_Host && h->req_HostLen > 0) {
> ++ const char *ptr = h->req_Host;
> ++ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
> ++ for(i = 0; i < h->req_HostLen; i++) {
> ++ if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
> ++ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
> ++ Send404(h);/* 403 */
> ++ return;
> ++ }
> ++ ptr++;
> ++ }
> ++ }
> + if(strcmp("POST", HttpCommand) == 0)
> + {
> + h->req_command = EPost;
> +diff --git a/upnphttp.h b/upnphttp.h
> +index e28a943..57eb2bb 100644
> +--- a/upnphttp.h
> ++++ b/upnphttp.h
> +@@ -89,6 +89,8 @@ struct upnphttp {
> + struct client_cache_s * req_client;
> + const char * req_soapAction;
> + int req_soapActionLen;
> ++ const char * req_Host; /* Host: header */
> ++ int req_HostLen;
> + const char * req_Callback; /* For SUBSCRIBE */
> + int req_CallbackLen;
> + const char * req_NT;
> +--
> +2.34.1
> +
> diff --git a/package/minidlna/minidlna.mk b/package/minidlna/minidlna.mk
> index adea200f4f..01ee8d0028 100644
> --- a/package/minidlna/minidlna.mk
> +++ b/package/minidlna/minidlna.mk
> @@ -12,6 +12,9 @@ MINIDLNA_CPE_ID_VENDOR = readymedia_project
> MINIDLNA_CPE_ID_PRODUCT = readymedia
> MINIDLNA_SELINUX_MODULES = minidlna
>
> +# 0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
> +MINIDLNA_IGNORE_CVES += CVE-2022-26505
> +
> MINIDLNA_DEPENDENCIES = \
> $(TARGET_NLS_DEPENDENCIES) \
> ffmpeg flac libvorbis libogg libid3tag libexif jpeg sqlite \
> --
> 2.34.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* Re: [Buildroot] [PATCH 1/1] package/minidlna: fix CVE-2022-26505
From: Peter Korsgaard @ 2022-03-21 16:22 UTC
To: Fabrice Fontaine; +Cc: Bernd Kuhls, Simon Dawson, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
> allows a remote web server to exfiltrate media files.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x, 2021.11.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard