Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 834642 (CVE-2022-26505) - <net-misc/minidlna-1.3.1: DNS rebinding vulnerability
Summary: <net-misc/minidlna-1.3.1: DNS rebinding vulnerability
Status: IN_PROGRESS
Alias: CVE-2022-26505
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://sourceforge.net/p/minidlna/gi...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 842783
Blocks:
  Show dependency tree
 
Reported: 2022-03-06 03:05 UTC by peteru
Modified: 2022-05-10 15:59 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description peteru 2022-03-06 03:05:53 UTC 
Upstream tagged a 1.3.1 minidlna release, which among other things includes a fix for Gentoo bug #768030 as well as security fixes and fixes for a number of resource leaks.

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 03:20:13 UTC 
News:

1.3.1 - Released 11-Feb-2022
--------------------------------
- Fixed a potential crash in SSDP request parsing.
- Fixed a configure script failure on some platforms.
- Protect against DNS rebinding attacks.
- Fix an socket leakage issue on some platforms.
- Minor bug fixes.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 06:08:31 UTC 
(In reply to Sam James from comment #1)
> News:
> 
> 1.3.1 - Released 11-Feb-2022
> --------------------------------
> - Fixed a potential crash in SSDP request parsing.

Is this CVE-2021-27202 (bug 736226)?

> - Fixed a configure script failure on some platforms.
> - Protect against DNS rebinding attacks.
> - Fix an socket leakage issue on some platforms.
> - Minor bug fixes.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 16:40:45 UTC 
CVE-2022-26505 (https://www.openwall.com/lists/oss-security/2022/03/03/1):

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-03-14 13:26:58 UTC 
It seems that the release was never really published though: https://sourceforge.net/p/minidlna/support-requests/78/
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-05-06 13:20:07 UTC 
cleanup done.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-10 15:59:00 UTC 
Thanks!