
Bug 757297 (CVE-2020-28926)

Summary: <net-misc/minidlna-1.3.0: multiple vulnerabilities
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mgorny, neil.kettle
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.rootshellsecurity.net/remote-heap-corruption-bug-discovery-minidlna/
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 729302    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-11-28 00:42:29 UTC
From release notes:

+- Disallow negative HTTP chunk lengths. [CVE-2020-28926]
+- Validate SUBSCRIBE callback URL. [CVE-2020-12695]

However, I'm not going to be able to test it properly tonight.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-28 13:34:30 UTC
x86 stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-11-29 08:17:12 UTC
amd64 stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 06:51:11 UTC
arm done

all arches done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 06:59:03 UTC
Please clean up, thanks!
Comment 5 Larry the Git Cow gentoo-dev 2020-12-03 08:48:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22914d46aa0c30f41cbcf2718882a9839f4bd9ff

commit 22914d46aa0c30f41cbcf2718882a9839f4bd9ff
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-03 08:39:49 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-03 08:48:37 +0000

    net-misc/minidlna: Remove old
    
    Bug: https://bugs.gentoo.org/757297
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-misc/minidlna/Manifest                         |   1 -
 .../minidlna/files/minidlna-1.2.1-fno-common.patch |  45 --------
 net-misc/minidlna/minidlna-1.2.1-r1.ebuild         | 114 ---------------------
 3 files changed, 160 deletions(-)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:14:01 UTC
Package list is empty or all packages have requested keywords.
Comment 14 Amel Hodzic 2022-02-12 00:49:26 UTC
Is there an issue with the bot or are we still waiting for something before this bug can be closed?

Thank you
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-03 23:23:01 UTC
*** Bug 736226 has been marked as a duplicate of this bug. ***
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-03 23:28:51 UTC
Sorry, CVE-2021-27202 is unfixed. GLSA vote: no. Closing.