Hi Alexander,

On Tue, Apr 02, 2024 at 10:27:40PM +0300, Alexander Gerasiov wrote:
> On Sun, 31 Mar 2024 22:00:58 +0200
> Salvatore Bonaccorso <car...@debian.org> wrote:
> 
> > Source: minidlna
> > Version: 1.3.3+dfsg-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://sourceforge.net/p/minidlna/bugs/361/
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > <t...@security.debian.org>
> > 
> > Hi,
> > 
> > The following vulnerability was published for minidlna.
> > 
> > CVE-2023-47430[0]:
> > | Stack-buffer-overflow vulnerability in ReadyMedia (MiniDLNA) v1.3.3
> > | allows attackers to cause a denial of service via the
> > | SendContainer() function at tivo_commands.c.
> > 
> 
> Correct me if I'm wrong, but I didn't enable TiVo support in minidlna
> in Debian.
> So none of Debian releases are vulnerable.
> There was version 1.3.3+dfsg-0.2 which enables this flag, but I rolled
> this back in 1.3.3+dfsg-1

Ah, you are right. I got tricked in the assessment by seeing
tivo_commands.c. But there is a guard in the code:

 [...]
 18 #include "config.h"
 19 #ifdef TIVO_SUPPORT
 [...]
786 #endif // TIVO_SUPPORT

So yes, while the source package has the code, the binary packages
produced in Debian do not have the issue.

Regards,
Salvatore

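The check a practitioner would want after reading the exchange above is not "is the file in the source package?" but "did the guarded code make it into the object?". The following script is an added example, not code from the bug report or from the minidlna project: it parses an autoconf-style config.h for TIVO_SUPPORT (autoconf emits `#define TIVO_SUPPORT 1` when enabled and `/* #undef TIVO_SUPPORT */` when not) and builds a constructed stub that mirrors the `#ifdef TIVO_SUPPORT ... #endif` layout of tivo_commands.c, once with and once without the define, then inspects the object with `nm` for a SendContainer symbol. The stub's SendContainer is a placeholder, not the real function; `cc` and `nm` on PATH are assumed, and the compile step is skipped if they are missing.

```shell
#!/bin/sh
# Added example (not from the Debian bug thread or the minidlna project):
# confirm that a TIVO_SUPPORT-guarded function is compiled out when the
# build does not define TIVO_SUPPORT, and read that setting from config.h.

# Returns 0 if config.h enables TIVO_SUPPORT, 1 otherwise.
# A commented-out "/* #undef TIVO_SUPPORT */" does not match.
tivo_enabled_in_config() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+TIVO_SUPPORT([[:space:]]|$)' "$1"
}

# Returns 0 if object file $1 defines/exports a symbol named exactly $2.
object_has_symbol() {
    nm "$1" 2>/dev/null | awk '{print $NF}' | grep -qx "$2"
}

# Compiles a constructed stub with the guard layout of tivo_commands.c.
# $1 is "" or "-DTIVO_SUPPORT". Returns 0 if SendContainer is present in
# the object, 1 if it was compiled out, 2 if no compiler/nm is available.
build_stub_and_check() {
    command -v cc >/dev/null 2>&1 && command -v nm >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d)
    cat >"$tmp/stub.c" <<'EOF'
#ifdef TIVO_SUPPORT
/* constructed placeholder; the real SendContainer() is not reproduced here */
void SendContainer(void) {}
#endif /* TIVO_SUPPORT */
int unrelated(void) { return 0; }
EOF
    cc -c $1 -o "$tmp/stub.o" "$tmp/stub.c" 2>/dev/null || { rm -rf "$tmp"; return 2; }
    if object_has_symbol "$tmp/stub.o" SendContainer; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone demonstration: the same source, two build flavours.
for flag in "" "-DTIVO_SUPPORT"; do
    build_stub_and_check "$flag" && r=0 || r=$?
    case $r in
        0) echo "flags='$flag': SendContainer present in object" ;;
        1) echo "flags='$flag': SendContainer compiled out" ;;
        *) echo "flags='$flag': cc/nm not available, compile check skipped" ;;
    esac
done
```

On a real build the same `object_has_symbol` check can be pointed at the installed minidlnad binary (with `nm -D` or `strings` if it is stripped), and `tivo_enabled_in_config` at the config.h produced by the package build, to confirm the TiVo code path is absent rather than relying on the source tree alone.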