Bug#1009077: bullseye-pu: minidlna/1.3.0+dfsg-2+deb11u1

2022-05-30 Thread Thorsten Alteholz




On Sat, 28 May 2022, Adam D. Barratt wrote:
> Please go ahead, thanks.


Great, thanks, ... and uploaded.

  Thorsten



Bug#1009077: bullseye-pu: minidlna/1.3.0+dfsg-2+deb11u1

2022-05-28 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2022-04-06 at 21:48 +, Thorsten Alteholz wrote:
> The attached debdiff for minidlna fixes CVE-2022-26505 in Bullseye. This
> CVE has been marked as no-dsa by the security team.

Please go ahead, thanks.

Regards,

Adam



Bug#1009077: bullseye-pu: minidlna/1.3.0+dfsg-2+deb11u1

2022-04-06 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for minidlna fixes CVE-2022-26505 in Bullseye. This 
CVE has been marked as no-dsa by the security team.


The same fix has already been uploaded to Unstable.

  Thorsten
diff -Nru minidlna-1.3.0+dfsg/debian/changelog 
minidlna-1.3.0+dfsg/debian/changelog
--- minidlna-1.3.0+dfsg/debian/changelog2021-01-31 16:56:14.0 
+0100
+++ minidlna-1.3.0+dfsg/debian/changelog2022-03-24 22:03:02.0 
+0100
@@ -1,3 +1,13 @@
+minidlna (1.3.0+dfsg-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2022-26505
+Validate HTTP requests to protect against DNS rebinding, thus forbid
+a remote web server to exfiltrate media files.
+(Closes: #1006798)
+
+ -- Thorsten Alteholz   Thu, 24 Mar 2022 22:03:02 +0100
+
 minidlna (1.3.0+dfsg-2) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch 
minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch
--- minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch 1970-01-01 
01:00:00.0 +0100
+++ minidlna-1.3.0+dfsg/debian/patches/CVE-2022-26505.patch 2022-03-24 
22:03:02.0 +0100
@@ -0,0 +1,56 @@
+commit c21208508dbc131712281ec5340687e5ae89e940
+Author: Justin Maggard 
+Date:   Wed Feb 9 18:32:50 2022 -0800
+
+upnphttp: Protect against DNS rebinding attacks
+
+Validate HTTP requests to protect against DNS rebinding.
+
+diff --git a/upnphttp.c b/upnphttp.c
+index c8b5e99..62db89a 100644
+--- a/upnphttp.c
 b/upnphttp.c
+@@ -273,6 +273,11 @@ ParseHttpHeaders(struct upnphttp * h)
+   p = colon + 1;
+   while(isspace(*p))
+   p++;
++  n = 0;
++  while(p[n] >= ' ')
++  n++;
++  h->req_Host = p;
++  h->req_HostLen = n;
+   for(n = 0; n < n_lan_addr; n++)
+   {
+   for(i = 0; lan_addr[n].str[i]; i++)
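Review bot: the scan `while(p[n] >= ' ') n++;` has no upper bound, so it relies on a control byte (CR, LF or NUL) following the value inside the request buffer; nothing in this hunk ties `n` to the end of that buffer. Bounding the loop by the remaining request length would make the assumption explicit. The scan also counts trailing spaces into `req_HostLen`, and the comparison behaves differently depending on whether plain `char` is signed, so a cast to `unsigned char` would keep the result the same on every architecture.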
+@@ -909,6 +914,18 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
+   }
+ 
+   DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, 
h->req_buf);
++  if(h->req_Host && h->req_HostLen > 0) {
++  const char *ptr = h->req_Host;
++  DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, 
h->req_Host);
++  for(i = 0; i < h->req_HostLen; i++) {
++  if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < 
'0')) {
++  DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack 
suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
++  Send404(h);/* 403 */
++  return;
++  }
++  ptr++;
++  }
++  }
+   if(strcmp("POST", HttpCommand) == 0)
+   {
+   h->req_command = EPost;
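Review bot: the character test in the `for` loop accepts only digits, '.' and ':', so every Host value that is a name, and every bracketed IPv6 literal, is rejected, not only rebinding attempts; clients that address the server by hostname will stop working, and that should at least be stated in the commit message. `Send404(h);/* 403 */` sends a 404 while the comment says 403, so either the call or the comment should change. The E_ERROR format string lacks the trailing "\n" that the two neighbouring DPRINTF calls have, and because of `h->req_Host && h->req_HostLen > 0` a request with no Host header skips the check entirely, which deserves a comment saying it is intended.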
+diff --git a/upnphttp.h b/upnphttp.h
+index e28a943..57eb2bb 100644
+--- a/upnphttp.h
 b/upnphttp.h
+@@ -89,6 +89,8 @@ struct upnphttp {
+   struct client_cache_s * req_client;
+   const char * req_soapAction;
+   int req_soapActionLen;
++  const char * req_Host;/* Host: header */
++  int req_HostLen;
+   const char * req_Callback;  /* For SUBSCRIBE */
+   int req_CallbackLen;
+   const char * req_NT;
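Review bot: the comment on `req_Host` says only "Host: header"; it should also say that the pointer refers into the request buffer and is not NUL-terminated, so it must always be read together with `req_HostLen`, as the `%.*s` formats in upnphttp.c do.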
diff -Nru minidlna-1.3.0+dfsg/debian/patches/series 
minidlna-1.3.0+dfsg/debian/patches/series
--- minidlna-1.3.0+dfsg/debian/patches/series   2021-01-31 16:53:51.0 
+0100
+++ minidlna-1.3.0+dfsg/debian/patches/series   2022-03-24 22:03:02.0 
+0100
@@ -5,3 +5,5 @@
 08-Fix-testupnpdescgen-build.patch
 09-do-not-disable-logs-with-systemd.patch
 10-do-not-close-socket-on-sighup.patch
+
+CVE-2022-26505.patch
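Review bot: the hunk adds an empty line ahead of `CVE-2022-26505.patch`; dropping it keeps the series list contiguous with the 08-, 09- and 10- entries above. The new entry also has no numeric prefix, unlike those entries, which is fine if that is the intended naming for CVE fixes.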