Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 834642 (CVE-2022-26505) - <net-misc/minidlna-1.3.1: DNS rebinding vulnerability
Summary: <net-misc/minidlna-1.3.1: DNS rebinding vulnerability
Status: RESOLVED FIXED
Alias: CVE-2022-26505
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://sourceforge.net/p/minidlna/gi...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 842783
Blocks:
  Show dependency tree
 
Reported: 2022-03-06 03:05 UTC by peteru
Modified: 2023-11-25 10:22 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description peteru 2022-03-06 03:05:53 UTC
Upstream tagged a 1.3.1 minidlna release, which among other things includes a fix for Gentoo bug #768030 as well as security fixes and fixes for a number of resource leaks.

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 03:20:13 UTC
News:

1.3.1 - Released 11-Feb-2022
--------------------------------
- Fixed a potential crash in SSDP request parsing.
- Fixed a configure script failure on some platforms.
- Protect against DNS rebinding attacks.
- Fix an socket leakage issue on some platforms.
- Minor bug fixes.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 06:08:31 UTC
(In reply to Sam James from comment #1)
> News:
> 
> 1.3.1 - Released 11-Feb-2022
> --------------------------------
> - Fixed a potential crash in SSDP request parsing.

Is this CVE-2021-27202 (bug 736226)?

> - Fixed a configure script failure on some platforms.
> - Protect against DNS rebinding attacks.
> - Fix an socket leakage issue on some platforms.
> - Minor bug fixes.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 16:40:45 UTC
CVE-2022-26505 (https://www.openwall.com/lists/oss-security/2022/03/03/1):

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-03-14 13:26:58 UTC
It seems that the release was never really published though: https://sourceforge.net/p/minidlna/support-requests/78/
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-05-06 13:20:07 UTC
cleanup done.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-10 15:59:00 UTC
Thanks!
Comment 7 Larry the Git Cow gentoo-dev 2023-11-25 10:21:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=366b6b3c7d9599739538780d8fd82308c8c20893

commit 366b6b3c7d9599739538780d8fd82308c8c20893
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-25 10:21:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-25 10:21:47 +0000

    [ GLSA 202311-12 ] MiniDLNA: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/834642
    Bug: https://bugs.gentoo.org/907926
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-12.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)