Created attachment 653476
proof of concepts
A couple of issues are present in the latest version of minidlna. The root cause is signedness bugs in parsing HTTP chunked encoding requests.
Attached two proof-of-concepts for the issues.
$ sudo gdb /usr/sbin/minidlnad -p 23412
GNU gdb (Gentoo 9.1 vanilla) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/minidlnad...
(No debugging symbols found in /usr/sbin/minidlnad)
Attaching to program: /usr/sbin/minidlnad, process 23412
[New LWP 23419]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
0x00007fd1866f9274 in select () from /lib64/libc.so.6
The program being debugged has been started already.
Start it from the beginning? (y or n) n
Program not restarted.
Thread 1 "minidlnad" received signal SIGSEGV, Segmentation fault.
0x00007fd1867427cd in ?? () from /lib64/libc.so.6
#0 0x00007fd1867427cd in ?? () from /lib64/libc.so.6
#1 0x0000556cc21c6471 in ?? ()
#2 0x0000556cc21c8236 in ?? ()
#3 0x0000556cc21c2c5b in ?? ()
#4 0x00007fd186625ebc in __libc_start_main () from /lib64/libc.so.6
#5 0x0000556cc21c2f8a in ?? ()
(gdb) x/i $rip
=> 0x7fd1867427cd: movdqu 0x20(%rsi),%xmm2
(gdb) i r rsi
rsi 0x556cc3f66fd9 93925632536537
Have you reported this issue upstream? (https://sourceforge.net/projects/minidlna/)
Disclosing new vulnerabilities is preferred via email and/or a private bug. But we are not the maintainers of minidlna.
While we can help, it'd be best to at least report the issue upstream and we can work with you & them here. Can you do that (privately, if possible) and keep us informed?
We can then act within Gentoo if you receive no response.
Upstream fixed the issues in version 1.3.0.
(In reply to Neil Kettle from comment #2)
> Upstream fixed the issues in version 1.3.0.
Can you point out specifically what the fixes were?
Simply put, the author added validation checks on the values to correct negative values as well as integer overflow.
However, having said that, further issues are still present in the current build.
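As an added illustration of the checks described in the comment above (this is example code, not minidlna's own parser; the 1 MiB chunk cap is an assumed server limit), the chunk-size field of a chunked body is parsed entirely in unsigned arithmetic, a leading sign is rejected outright, and the running value is checked for wrap-around and against the cap before it can ever be used as a length.

```c
#include <stdint.h>
#include <string.h>

/* Largest single chunk the server will buffer (assumed limit, not minidlna's). */
#define MAX_CHUNK_SIZE ((size_t)1 << 20)

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse one chunk-size line ("1a;ext=1\r\n") of a chunked body.  Stores the
 * size in *size and returns bytes consumed through the CRLF, or 0 to reject:
 * empty field, first byte not a hex digit (so "-8" or "+8" can never become a
 * negative or wrapped length), size_t overflow, size above MAX_CHUNK_SIZE, or
 * no CRLF inside the buffer.  All arithmetic is unsigned. */
size_t parse_chunk_size(const char *buf, size_t len, size_t *size)
{
    size_t v = 0, i = 0;
    if (len == 0 || hexval((unsigned char)buf[0]) < 0)
        return 0;
    while (i < len) {
        int d = hexval((unsigned char)buf[i]);
        if (d < 0)
            break;                     /* end of digits: ';' extension or CR */
        if (v > (SIZE_MAX >> 4))
            return 0;                  /* v * 16 would wrap around */
        v = (v << 4) | (size_t)d;
        if (v > MAX_CHUNK_SIZE)
            return 0;                  /* cap before it is ever used as a length */
        i++;
    }
    while (i < len && buf[i] != '\r')  /* skip chunk extensions */
        i++;
    if (i + 1 >= len || buf[i + 1] != '\n')
        return 0;
    *size = v;
    return i + 2;
}

/* Wrapper for a NUL-terminated line: the accepted size, or -1 if rejected. */
long chunk_size_of(const char *line)
{
    size_t s;
    return parse_chunk_size(line, strlen(line), &s) ? (long)s : -1;
}
```

A signed `int` filled by `strtol(line, NULL, 16)` would instead accept the leading sign and hand a negative value to the caller, which is the class of defect the validation above closes.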
(In reply to Neil Kettle from comment #4)
> Simply put, the author added validation checks on the values to correct
> negative values as well as integer overflow.
> However, having said that, further issues are still present in the current
Did you request a CVE for any of these issues? Or report to upstream's bug tracker?
Ah, sorry, these are CVE-2020-28926 and CVE-2021-27202.
*** This bug has been marked as a duplicate of bug 757297 ***
CVE-2021-27202 is still unfixed. Sorry for the mess. Still apparently waiting on a public upstream report.