Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 834642 (CVE-2022-26505)

Summary: <net-misc/minidlna-1.3.1: DNS rebinding vulnerability
Product: Gentoo Security Reporter: peteru <bugs.gentoo.org>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mgorny, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://sourceforge.net/p/minidlna/git/ci/v1_3_1/tree/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=736226
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 842783    
Bug Blocks:    

Description peteru 2022-03-06 03:05:53 UTC 
Upstream tagged a 1.3.1 minidlna release, which among other things includes a fix for Gentoo bug #768030 as well as security fixes and fixes for a number of resource leaks.

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 03:20:13 UTC 
News:

1.3.1 - Released 11-Feb-2022
--------------------------------
- Fixed a potential crash in SSDP request parsing.
- Fixed a configure script failure on some platforms.
- Protect against DNS rebinding attacks.
- Fix an socket leakage issue on some platforms.
- Minor bug fixes.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 06:08:31 UTC 
(In reply to Sam James from comment #1)
> News:
> 
> 1.3.1 - Released 11-Feb-2022
> --------------------------------
> - Fixed a potential crash in SSDP request parsing.

Is this CVE-2021-27202 (bug 736226)?

> - Fixed a configure script failure on some platforms.
> - Protect against DNS rebinding attacks.
> - Fix an socket leakage issue on some platforms.
> - Minor bug fixes.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 16:40:45 UTC 
CVE-2022-26505 (https://www.openwall.com/lists/oss-security/2022/03/03/1):

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-03-14 13:26:58 UTC 
It seems that the release was never really published though: https://sourceforge.net/p/minidlna/support-requests/78/
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-05-06 13:20:07 UTC 
cleanup done.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-10 15:59:00 UTC 
Thanks!
Comment 7 Larry the Git Cow gentoo-dev 2023-11-25 10:21:55 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=366b6b3c7d9599739538780d8fd82308c8c20893

commit 366b6b3c7d9599739538780d8fd82308c8c20893
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-25 10:21:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-25 10:21:47 +0000

    [ GLSA 202311-12 ] MiniDLNA: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/834642
    Bug: https://bugs.gentoo.org/907926
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-12.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)