Bug 736226 (CVE-2021-27202) - net-misc/minidlna: remote DoS and memory corruption
Summary: net-misc/minidlna: remote DoS and memory corruption
Status: CONFIRMED
Alias: CVE-2021-27202
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-07 08:09 UTC by Neil Kettle
Modified: 2022-03-06 03:19 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
proof of concepts (Archive.zip,2.23 KB, application/zip)
2020-08-07 08:09 UTC, Neil Kettle

Description Neil Kettle 2020-08-07 08:09:07 UTC
Created attachment 653476
proof of concepts

A couple of issues are present in the latest version of minidlna. The root causes are signedness bugs in parsing HTTP chunked encoding requests.

Attached are two proof-of-concepts for the issues.

$ sudo gdb /usr/sbin/minidlnad -p 23412
GNU gdb (Gentoo 9.1 vanilla) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/minidlnad...
(No debugging symbols found in /usr/sbin/minidlnad)
Attaching to program: /usr/sbin/minidlnad, process 23412
[New LWP 23419]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
0x00007fd1866f9274 in select () from /lib64/libc.so.6
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) n
Program not restarted.
(gdb) c
Continuing.

Thread 1 "minidlnad" received signal SIGSEGV, Segmentation fault.
0x00007fd1867427cd in ?? () from /lib64/libc.so.6
(gdb) bt
#0  0x00007fd1867427cd in ?? () from /lib64/libc.so.6
#1  0x0000556cc21c6471 in ?? ()
#2  0x0000556cc21c8236 in ?? ()
#3  0x0000556cc21c2c5b in ?? ()
#4  0x00007fd186625ebc in __libc_start_main () from /lib64/libc.so.6
#5  0x0000556cc21c2f8a in ?? ()
(gdb) x/i $rip
=> 0x7fd1867427cd:	movdqu 0x20(%rsi),%xmm2
(gdb) i r rsi
rsi            0x556cc3f66fd9      93925632536537
Comment 1 Sam James 2020-08-07 12:24:04 UTC
Have you reported this issue upstream? (https://sourceforge.net/projects/minidlna/)

Disclosing new vulnerabilities is preferred via email and/or a private bug. But we are not the maintainers of minidlna.

While we can help, it'd be best to at least report the issue upstream and we can work with you & them here. Can you do that (privately, if possible) and keep us informed?

We can then act within Gentoo if you receive no response.
Comment 2 Neil Kettle 2020-11-26 13:16:21 UTC
Upstream fixed the issues in version 1.3.0.
Comment 3 John Helmert III 2021-06-13 01:46:15 UTC
(In reply to Neil Kettle from comment #2)
> Upstream fixed the issues in version 1.3.0.

Can you point out specifically what the fixes were?
Comment 4 Neil Kettle 2021-06-14 09:09:00 UTC
Simply put, the author added validation checks on the values to correct negative values as well as integer overflow.

However, having said that, further issues are still present in the current build.
https://www.rootshellsecurity.net/rootshell-discover-second-remotely-exploitable-bug-minidlna-software/
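The following is an added example and not code from minidlna, from the reporter's proof of concept, or from the upstream fix. It shows a chunk-size parser of the general kind the report describes: a signed form that accepts a negative size (the signedness class named in the description), next to a checked form that rejects a sign, rejects integer overflow, and refuses any chunk larger than the bytes actually present, which is the kind of validation comment 4 says upstream added. Function names and the sample chunked bodies are constructed for the illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Weak form (constructed for illustration, not minidlna's code): the chunk
 * size lands in a signed int via strtol(), which accepts a leading '-' and
 * saturates on overflow.  A later "if (size > remaining)" test lets a
 * negative size through, and handing it to memcpy() converts it to a huge
 * size_t.  That is the signedness class the report describes. */
static int chunk_size_signed(const char *line)
{
    return (int)strtol(line, NULL, 16);
}

/* Checked form: unsigned accumulator, hex digits only (so no sign), an
 * explicit overflow cap, an optional ";extension", and a mandatory CRLF.
 * Returns bytes consumed (size line plus CRLF) or -1 on a malformed line. */
static int chunk_size_checked(const char *line, size_t *out)
{
    const char *p = line;
    size_t v = 0;

    if (!isxdigit((unsigned char)*p))
        return -1;                       /* empty, "-", space, ... */
    for (; isxdigit((unsigned char)*p); p++) {
        unsigned c = (unsigned char)*p;
        unsigned d = isdigit(c) ? c - '0' : (unsigned)(tolower(c) - 'a' + 10);
        if (v > (SIZE_MAX - d) / 16)
            return -1;                   /* v * 16 + d would overflow */
        v = v * 16 + d;
    }
    if (*p == ';')                       /* skip a chunk extension */
        while (*p && *p != '\r')
            p++;
    if (p[0] != '\r' || p[1] != '\n')
        return -1;
    *out = v;
    return (int)(p + 2 - line);
}

/* Decode a NUL-terminated chunked body into out[outcap].  Every chunk size
 * is checked against both the bytes still present in the input and the room
 * left in the output before anything is copied.  Returns the decoded length
 * or -1.  (A real server would carry an explicit input length instead of
 * relying on NUL termination.) */
static long dechunk(const char *in, char *out, size_t outcap)
{
    const char *p = in;
    const char *end = in + strlen(in);
    size_t written = 0;

    for (;;) {
        size_t n;
        int used = chunk_size_checked(p, &n);
        if (used < 0)
            return -1;
        p += used;
        if (n == 0)
            return (long)written;        /* last-chunk; trailers ignored */
        if (n > (size_t)(end - p) || n > outcap - written)
            return -1;                   /* declared size exceeds what exists */
        memcpy(out + written, p, n);
        written += n;
        p += n;
        if (p[0] != '\r' || p[1] != '\n')
            return -1;                   /* chunk data must end in CRLF */
        p += 2;
    }
}

int main(void)
{
    char out[64];
    /* Constructed sample bodies. */
    const char *good = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    const char *neg  = "-4\r\nWiki\r\n0\r\n\r\n";
    long n = dechunk(good, out, sizeof out);

    printf("signed parser sees %d for \"-4\"\n", chunk_size_signed(neg));
    printf("checked decoder: %ld bytes: %.*s\n", n, (int)n, out);
    printf("checked decoder on negative size: %ld\n", dechunk(neg, out, sizeof out));
    return 0;
}
```

The point of the checked form is that the value is never signed at any stage: the accumulator is a size_t, a '-' is not a hex digit and is rejected before any arithmetic, and the overflow test runs before each multiply rather than after, so a saturated or wrapped size can never reach the copy.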
Comment 5 John Helmert III 2021-06-16 01:47:19 UTC
(In reply to Neil Kettle from comment #4)
> Simply put, the author added validation checks on the values to correct
> negative values as well as integer overflow.
> 
> However, having said that, further issues are still present in the current
> build.
> https://www.rootshellsecurity.net/rootshell-discover-second-remotely-exploitable-bug-minidlna-software/

Did you request a CVE for any of these issues? Or report to upstream's bug tracker?
Comment 6 John Helmert III 2021-06-16 01:50:07 UTC
Ah, sorry, these are CVE-2020-28926 and CVE-2021-27202.
Comment 7 John Helmert III 2022-03-03 23:23:01 UTC

*** This bug has been marked as a duplicate of bug 757297 ***
Comment 8 John Helmert III 2022-03-05 18:12:38 UTC
CVE-2021-27202 is still unfixed. Sorry for the mess. Still apparently waiting on a public upstream report.