[Buildroot] [PATCH 1/1] package/minidlna: security bump to version 1.3.2

Fabrice Fontaine fontaine.fabrice at gmail.com
Sun Sep 4 21:04:48 UTC 2022


- Improved DNS rebinding attack protection.
- Fixed a potential crash in SSDP request parsing.
- Drop patch (already included in this version)

https://sourceforge.net/projects/minidlna/files/minidlna/1.3.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
---
 ...rotect-against-DNS-rebinding-attacks.patch | 66 -------------------
 package/minidlna/minidlna.hash                |  6 +-
 package/minidlna/minidlna.mk                  |  5 +-
 3 files changed, 4 insertions(+), 73 deletions(-)
 delete mode 100644 package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch

diff --git a/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch b/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
deleted file mode 100644
index 6d601f53b9..0000000000
--- a/package/minidlna/0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From c21208508dbc131712281ec5340687e5ae89e940 Mon Sep 17 00:00:00 2001
-From: Justin Maggard <jmaggard at arlo.com>
-Date: Wed, 9 Feb 2022 18:32:50 -0800
-Subject: [PATCH] upnphttp: Protect against DNS rebinding attacks
-
-Validate HTTP requests to protect against DNS rebinding.
-
-[Retrieved from:
-https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
----
- upnphttp.c | 17 +++++++++++++++++
- upnphttp.h |  2 ++
- 2 files changed, 19 insertions(+)
-
-diff --git a/upnphttp.c b/upnphttp.c
-index c8b5e99..62db89a 100644
---- a/upnphttp.c
-+++ b/upnphttp.c
-@@ -273,6 +273,11 @@ ParseHttpHeaders(struct upnphttp * h)
- 				p = colon + 1;
- 				while(isspace(*p))
- 					p++;
-+				n = 0;
-+				while(p[n] >= ' ')
-+					n++;
-+				h->req_Host = p;
-+				h->req_HostLen = n;
- 				for(n = 0; n < n_lan_addr; n++)
- 				{
- 					for(i = 0; lan_addr[n].str[i]; i++)
-@@ -909,6 +914,18 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
- 	}
- 
- 	DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
-+	if(h->req_Host && h->req_HostLen > 0) {
-+		const char *ptr = h->req_Host;
-+		DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
-+		for(i = 0; i < h->req_HostLen; i++) {
-+			if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
-+				DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
-+				Send404(h);/* 403 */
-+				return;
-+			}
-+			ptr++;
-+		}
-+	}
- 	if(strcmp("POST", HttpCommand) == 0)
- 	{
- 		h->req_command = EPost;
-diff --git a/upnphttp.h b/upnphttp.h
-index e28a943..57eb2bb 100644
---- a/upnphttp.h
-+++ b/upnphttp.h
-@@ -89,6 +89,8 @@ struct upnphttp {
- 	struct client_cache_s * req_client;
- 	const char * req_soapAction;
- 	int req_soapActionLen;
-+	const char * req_Host;        /* Host: header */
-+	int req_HostLen;
- 	const char * req_Callback;	/* For SUBSCRIBE */
- 	int req_CallbackLen;
- 	const char * req_NT;
--- 
-2.34.1
-
diff --git a/package/minidlna/minidlna.hash b/package/minidlna/minidlna.hash
index 175fe67304..e55e5473d3 100644
--- a/package/minidlna/minidlna.hash
+++ b/package/minidlna/minidlna.hash
@@ -1,6 +1,6 @@
-# From https://sourceforge.net/projects/minidlna/files/minidlna/1.3.0/
-sha1  6563a881884879b2aef52611934e08bb42985964  minidlna-1.3.0.tar.gz
+# From https://sourceforge.net/projects/minidlna/files/minidlna/1.3.2/
+sha1  71750adadc34490d52f0b9a930c2731a47f9772d  minidlna-1.3.2.tar.gz
 # Locally computed
-sha256  47d9b06b4c48801a4c1112ec23d24782728b5495e95ec2195bbe5c81bc2d3c63  minidlna-1.3.0.tar.gz
+sha256  222ce45a1a60c3ce3de17527955d38e5ff7a4592d61db39577e6bf88e0ae1cb0  minidlna-1.3.2.tar.gz
 sha256  79146b7f558e56510b9a714ff75318c05ab93aeccfd6597497b9bce212cf92ea  COPYING
 sha256  94876d7886116e176e702b4902bd9f19731a6883db5f229ac2a7058a22aa6529  LICENCE.miniupnpd
diff --git a/package/minidlna/minidlna.mk b/package/minidlna/minidlna.mk
index 01ee8d0028..6ca72d9240 100644
--- a/package/minidlna/minidlna.mk
+++ b/package/minidlna/minidlna.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-MINIDLNA_VERSION = 1.3.0
+MINIDLNA_VERSION = 1.3.2
 MINIDLNA_SITE = https://downloads.sourceforge.net/project/minidlna/minidlna/$(MINIDLNA_VERSION)
 MINIDLNA_LICENSE = GPL-2.0, BSD-3-Clause
 MINIDLNA_LICENSE_FILES = COPYING LICENCE.miniupnpd
@@ -12,9 +12,6 @@ MINIDLNA_CPE_ID_VENDOR = readymedia_project
 MINIDLNA_CPE_ID_PRODUCT = readymedia
 MINIDLNA_SELINUX_MODULES = minidlna
 
-# 0001-upnphttp-Protect-against-DNS-rebinding-attacks.patch
-MINIDLNA_IGNORE_CVES += CVE-2022-26505
-
 MINIDLNA_DEPENDENCIES = \
 	$(TARGET_NLS_DEPENDENCIES) \
 	ffmpeg flac libvorbis libogg libid3tag libexif jpeg sqlite \
-- 
2.35.1



