From patchwork Sat Apr 30 17:34:58 2022
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 5580
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] minidlna: Addition of patches to fix CVE-2022-26505
Date: Sat, 30 Apr 2022 19:34:58 +0200
Message-Id: <20220430173458.3520498-1-adolf.belka@ipfire.org>

- CVE-2022-26505: A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. CVE created on 6th March 2022
- minidlna have created the patches to fix CVE-2022-26505 and have created a git tag for version 1.3.1 but have not provided any 1.3.1 source tarballs. A ticket was raised on 14th March 2022 in the SourceForge support system asking to "Please publish a tarball for 1.3.1" but there has been no reply from the developer so far.
- In the NIST National Vulnerability Database it refers to a fix implemented in 1.3.1 but the link to the SourceForge page is only the patches applied for the fix
- I used those diff descriptions to create a patch to implement on the existing 1.3.0 version in IPFire and this patch submission applies that fix
- Incremented the lfs PAK_VER

Signed-off-by: Adolf Belka
Reviewed-by: Peter Müller
---
 lfs/minidlna | 3 +-
 ...x-DNS-rebinding-issue-CVE-2022-26505.patch | 44 +++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch

diff --git a/lfs/minidlna b/lfs/minidlna index 17cf76339..0fa7aec96 100644 --- a/lfs/minidlna +++ b/lfs/minidlna @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = minidlna -PAK_VER = 8 +PAK_VER = 9 DEPS = ffmpeg flac libexif libid3tag libogg
@@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) $(UPDATE_AUTOMAKE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch cd $(DIR_APP) && ./configure --prefix=/usr cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP) && make install diff --git a/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch new file mode 100644 index 000000000..c28425811 --- /dev/null +++ b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch 
@@ -0,0 +1,44 @@ +--- minidlna-1.3.0/upnphttp.c.orig 2020-11-24 19:53:50.000000000 +0100 ++++ minidlna-1.3.0/upnphttp.c 2022-04-30 12:59:23.432073807 +0200 +@@ -273,6 +273,11 @@ + p = colon + 1; + while(isspace(*p)) + p++; ++ n = 0; ++ while(p[n] >= ' ') ++ n++; ++ h->req_Host = p; ++ h->req_HostLen = n; + for(n = 0; n < n_lan_addr; n++) + { + for(i = 0; lan_addr[n].str[i]; i++) +@@ -909,6 +914,18 @@ + } + + DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf); ++ if(h->req_Host && h->req_HostLen > 0) { ++ const char *ptr = h->req_Host; ++ DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host); ++ for(i = 0; i < h->req_HostLen; i++) { ++ if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) { ++ DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host); ++ Send404(h);/* 403 */ ++ return; ++ } ++ ptr++; ++ } ++ } + if(strcmp("POST", HttpCommand) == 0) + { + h->req_command = EPost; +--- minidlna-1.3.0/upnphttp.h.orig 2020-11-24 19:53:50.000000000 +0100 ++++ minidlna-1.3.0/upnphttp.h 2022-04-30 13:00:22.619152312 +0200 +@@ -89,6 +89,8 @@ + struct client_cache_s * req_client; + const char * req_soapAction; + int req_soapActionLen; ++ const char * req_Host; /* Host: header */ ++ int req_HostLen; + const char * req_Callback; /* For SUBSCRIBE */ + int req_CallbackLen; + const char * req_NT;
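Review bot: on the lfs/minidlna @@ -34 hunk, the PAK_VER bump from 8 to 9 is the only thing that will push the rebuilt add-on to existing installations, because the package stays on the 1.3.0 tarball and no version string changes; that is the right mechanism here, but please make sure the changelog or update notes name CVE-2022-26505, since nothing else in the package metadata signals that the rebinding fix is included.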
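Review bot: on the lfs/minidlna @@ -84 hunk, the strip level in `cd $(DIR_APP) && patch -Np1 -i ...` matches the embedded patch: its headers are `--- minidlna-1.3.0/upnphttp.c.orig` and `+++ minidlna-1.3.0/upnphttp.c`, so -p1 drops the `minidlna-1.3.0/` prefix and both files resolve relative to $(DIR_APP). The line also sits after $(UPDATE_AUTOMAKE) and before `./configure`, so the patched sources are what gets built. Nothing to change here.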
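Review bot: in the new patch file, the @@ -909 region guards the check with `if(h->req_Host && h->req_HostLen > 0)`, but req_Host is only ever assigned while a Host: header is parsed (the @@ -273 region), so please confirm that the request struct extended in upnphttp.h is zero-initialised on allocation; otherwise a request without a Host header tests an uninitialised pointer. Requests with no Host header skip the check entirely, which is acceptable for the browser-driven rebinding case this targets (browsers always send Host) but deserves a sentence in the commit message. Two smaller points: the comment `Send404(h);/* 403 */` says 403 while the call sends 404, so either align the two or state in the patch header that this mirrors the upstream 1.3.1 change verbatim; and because the loop accepts only digits, '.' and ':', any client that addresses the server by hostname will now receive a 404, which is the intended defence but worth telling users so the change in behaviour is not mistaken for a regression. Also confirm that `i` used in the new `for(i = 0; i < h->req_HostLen; i++)` loop is declared in that function, since the hunk context does not show its declaration.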