Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 907926 (CVE-2023-33476) - <net-misc/minidlna-1.3.3: remote code execution
Summary: <net-misc/minidlna-1.3.3: remote code execution
Status: RESOLVED FIXED
Alias: CVE-2023-33476
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://blog.coffinsec.com/0day/2023/...
Whiteboard: B1 [glsa+]
Keywords:
Depends on: 907937
Blocks:
  Show dependency tree
 
Reported: 2023-06-06 03:53 UTC by John Helmert III
Modified: 2023-11-25 10:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-06 03:53:44 UTC 
CVE-2023-33476:

ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 is vulnerable to Buffer Overflow. The vulnerability is caused by incorrect validation logic when handling HTTP requests using chunked transport encoding. This results in other code later using attacker-controlled chunk values that exceed the length of the allocated buffer, resulting in out-of-bounds read/write.

Patch is in 1.3.3: https://sourceforge.net/p/minidlna/git/ci/9bd58553fae5aef3e6dd22f51642d2c851225aec/
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-06-06 18:46:26 UTC 
cleanup done.
Comment 2 Larry the Git Cow gentoo-dev 2023-11-25 10:21:56 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=366b6b3c7d9599739538780d8fd82308c8c20893

commit 366b6b3c7d9599739538780d8fd82308c8c20893
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-25 10:21:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-25 10:21:47 +0000

    [ GLSA 202311-12 ] MiniDLNA: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/834642
    Bug: https://bugs.gentoo.org/907926
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-12.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)