This one is arguably an opinionated patch. Feel free to speak up if you don't like it.
On 2/23/26 20:18, Gyorgy Sarvari via lists.openembedded.org wrote: > Details: https://nvd.nist.gov/vuln/detail/CVE-2024-51442 > > The description of the vulnerability says "attacker [...] execute arbitrary > OS commands via a specially crafted minidlna.conf configuration file". > > There is no official fix for this CVE, and upstream seems to be inactive > for the past 3 years. > > The reason for ignoring this CVE is that the referenced minidlna.conf > file is in the /etc folder, and the file is not world-writable. Which > means that this vulnerability can be exploited only when someone is > root - but if the attacker is already root, they don't need to resort > to minidlna config-file modifications to execute any command they want. > > Signed-off-by: Gyorgy Sarvari <[email protected]> > --- > meta-multimedia/recipes-multimedia/minidlna/minidlna.inc | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc > b/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc > index cb2a1865e8..0dd297098c 100644 > --- a/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc > +++ b/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc > @@ -43,3 +43,4 @@ SYSTEMD_SERVICE:${PN} = "minidlna.service" > INITSCRIPT_NAME = "minidlna" > INITSCRIPT_PARAMS = "defaults 90" > > +CVE_STATUS[CVE-2024-51442] = "not-applicable-config: vulnerability requires > root access" > > >
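Review bot: the reason string on the added CVE_STATUS[CVE-2024-51442] line, "vulnerability requires root access", leaves out the assumption the commit message rests on, namely that minidlna.conf is in /etc and is not world-writable. Consider stating that in the string or in a comment above the line, for example "not-applicable-config: exploit requires write access to minidlna.conf, which is in /etc and not world-writable", so that anyone who later changes where the file is installed or its mode can see that the ignore needs revisiting.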
