Message ID | 20220313114118.1127008-1-fontaine.fabrice@gmail.com |
---|---|
State | Accepted |
Series | [1/1] package/minidlna: fix CVE-2022-26505 | expand |
Fabrice, All, On 2022-03-13 12:41 +0100, Fabrice Fontaine spake thusly: > A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 > allows a remote web server to exfiltrate media files. > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Applied to master, thanks. Regards, Yann E. MORIN. > --- > ...rotect-against-DNS-rebinding-attacks.patch | 66 +++++++++++++++++++ > package/minidlna/minidlna.mk | 3 + > 2 files changed, 69 insertions(+) > create mode 100644 package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch > > diff --git a/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch b/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch > new file mode 100644 > index 0000000000..6d601f53b9 > --- /dev/null > +++ b/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch 
> @@ -0,0 +1,66 @@ > +From c21208508dbc131712281ec5340687e5ae89e940 Mon Sep 17 00:00:00 2001 > +From: Justin Maggard <jmaggard@arlo.com> > +Date: Wed, 9 Feb 2022 18:32:50 -0800 > +Subject: [PATCH] upnphttp: Protect against DNS rebinding attacks > + > +Validate HTTP requests to protect against DNS rebinding. > + > +[Retrieved from: > +https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/] > +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > +--- > + upnphttp.c | 17 +++++++++++++++++ > + upnphttp.h | 2 ++ > + 2 files changed, 19 insertions(+) > + > +diff --git a/upnphttp.c b/upnphttp.c > +index c8b5e99..62db89a 100644 > +--- a/upnphttp.c > ++++ b/upnphttp.c > +@@ -273,6 +273,11 @@ ParseHttpHeaders(struct upnphttp * h) > + p = colon + 1; > + while(isspace(*p)) > + p++; > ++ n = 0; > ++ while(p[n] >= ' ') > ++ n++; > ++ h->req_Host = p; > ++ h->req_HostLen = n; > + for(n = 0; n < n_lan_addr; n++) > + { > + for(i = 0; lan_addr[n].str[i]; i++) > +@@ -909,6 +914,18 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h) > + } > + > + DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf); > ++ if(h->req_Host && h->req_HostLen > 0) { > ++ const char *ptr = h->req_Host; > ++ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host); > ++ for(i = 0; i < h->req_HostLen; i++) { > ++ if(*ptr != ':' && *ptr != '.' 
&& (*ptr > '9' || *ptr < '0')) { > ++ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host); > ++ Send404(h);/* 403 */ > ++ return; > ++ } > ++ ptr++; > ++ } > ++ } > + if(strcmp("POST", HttpCommand) == 0) > + { > + h->req_command = EPost; > +diff --git a/upnphttp.h b/upnphttp.h > +index e28a943..57eb2bb 100644 > +--- a/upnphttp.h > ++++ b/upnphttp.h > +@@ -89,6 +89,8 @@ struct upnphttp { > + struct client_cache_s * req_client; > + const char * req_soapAction; > + int req_soapActionLen; > ++ const char * req_Host; /* Host: header */ > ++ int req_HostLen; > + const char * req_Callback; /* For SUBSCRIBE */ > + int req_CallbackLen; > + const char * req_NT; > +-- > +2.34.1 > + > diff --git a/package/minidlna/minidlna.mk b/package/minidlna/minidlna.mk > index adea200f4f..01ee8d0028 100644 > --- a/package/minidlna/minidlna.mk > +++ b/package/minidlna/minidlna.mk > @@ -12,6 +12,9 @@ MINIDLNA_CPE_ID_VENDOR = readymedia_project > MINIDLNA_CPE_ID_PRODUCT = readymedia > MINIDLNA_SELINUX_MODULES = minidlna > > +# 0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch > +MINIDLNA_IGNORE_CVES += CVE-2022-26505 > + > MINIDLNA_DEPENDENCIES = \ > $(TARGET_NLS_DEPENDENCIES) \ > ffmpeg flac libvorbis libogg libid3tag libexif jpeg sqlite \ > -- > 2.34.1 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 > allows a remote web server to exfiltrate media files. > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed to 2021.02.x, 2021.11.x and 2022.02.x, thanks.
diff --git a/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch b/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
new file mode 100644
index 0000000000..6d601f53b9
--- /dev/null
+++ b/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
@@ -0,0 +1,66 @@
+From c21208508dbc131712281ec5340687e5ae89e940 Mon Sep 17 00:00:00 2001
+From: Justin Maggard <jmaggard@arlo.com>
+Date: Wed, 9 Feb 2022 18:32:50 -0800
+Subject: [PATCH] upnphttp: Protect against DNS rebinding attacks
+
+Validate HTTP requests to protect against DNS rebinding.
+
+[Retrieved from:
+https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ upnphttp.c | 17 +++++++++++++++++
+ upnphttp.h | 2 ++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/upnphttp.c b/upnphttp.c
+index c8b5e99..62db89a 100644
+--- a/upnphttp.c
++++ b/upnphttp.c
+@@ -273,6 +273,11 @@ ParseHttpHeaders(struct upnphttp * h)
+ p = colon + 1;
+ while(isspace(*p))
+ p++;
++ n = 0;
++ while(p[n] >= ' ')
++ n++;
++ h->req_Host = p;
++ h->req_HostLen = n;
+ for(n = 0; n < n_lan_addr; n++)
+ {
+ for(i = 0; lan_addr[n].str[i]; i++)
+@@ -909,6 +914,18 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
+ }
+
+ DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
++ if(h->req_Host && h->req_HostLen > 0) {
++ const char *ptr = h->req_Host;
++ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
++ for(i = 0; i < h->req_HostLen; i++) {
++ if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
++ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
++ Send404(h);/* 403 */
++ return;
++ }
++ ptr++;
++ }
++ }
+ if(strcmp("POST", HttpCommand) == 0)
+ {
+ h->req_command = EPost;
+diff --git a/upnphttp.h b/upnphttp.h
+index e28a943..57eb2bb 100644
+--- a/upnphttp.h
++++ b/upnphttp.h
+@@ -89,6 +89,8 @@ struct upnphttp {
+ struct client_cache_s * req_client;
+ const char * req_soapAction;
+ int req_soapActionLen;
++ const char * req_Host; /* Host: header */
++ int req_HostLen;
+ const char * req_Callback; /* For SUBSCRIBE */
+ int req_CallbackLen;
+ const char * req_NT;
+--
+2.34.1
+
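Review bot: The Host check added in ProcessHttpQuery_upnphttp is a character allow-list (digits, `.` and `:`) rather than a comparison with the server's own addresses, so it also rejects every named or bracketed-IPv6 Host and is skipped entirely when the request carries no Host header; a comment at the `if(h->req_Host && h->req_HostLen > 0)` line should say so, e.g. `/* Only numeric IPv4 Host values are accepted; requests without a Host header are not checked */`. The E_ERROR message is the only DPRINTF format in the hunk without a trailing newline, so `"DNS rebinding attack suspected (Host: %.*s)\n"` would keep the log line-delimited. `Send404(h);/* 403 */` sends a 404 while the comment says 403, and one of the two should be corrected. Both functions start and end outside the visible hunks, so whether `req_Host` is reset to NULL before ParseHttpHeaders runs cannot be confirmed from here.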
diff --git a/package/minidlna/minidlna.mk b/package/minidlna/minidlna.mk
index adea200f4f..01ee8d0028 100644
--- a/package/minidlna/minidlna.mk
+++ b/package/minidlna/minidlna.mk
@@ -12,6 +12,9 @@ MINIDLNA_CPE_ID_VENDOR = readymedia_project
 MINIDLNA_CPE_ID_PRODUCT = readymedia
 MINIDLNA_SELINUX_MODULES = minidlna
 
+# 0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
+MINIDLNA_IGNORE_CVES += CVE-2022-26505
+
 MINIDLNA_DEPENDENCIES = \
 $(TARGET_NLS_DEPENDENCIES) \
 ffmpeg flac libvorbis libogg libid3tag libexif jpeg sqlite \
A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- ...rotect-against-DNS-rebinding-attacks.patch | 66 +++++++++++++++++++ package/minidlna/minidlna.mk | 3 + 2 files changed, 69 insertions(+) create mode 100644 package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch