diff options
author | Leo <thinkabit.ukim@gmail.com> | 2020-12-15 10:42:09 -0300 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2020-12-15 11:00:07 -0300 |
commit | c94343a5dc5bd0cfc7942ff40e49e79b37186500 (patch) | |
tree | a9063c66f60b27c0d867b2d36898817f5e4d3db4 | |
parent | 3fb286ae2a900f87a21fcfbfefbb640c5359e07e (diff) |
community/minidlna: fix CVE-2020-12695 and CVE-2020-28926
See: #12198
-rw-r--r-- | community/minidlna/APKBUILD | 16 | ||||
-rw-r--r-- | community/minidlna/CVE-2020-12695.patch | 68 | ||||
-rw-r--r-- | community/minidlna/CVE-2020-28926.patch | 29 |
3 files changed, 110 insertions, 3 deletions
diff --git a/community/minidlna/APKBUILD b/community/minidlna/APKBUILD index ced9db52092..6bbc5780e22 100644 --- a/community/minidlna/APKBUILD +++ b/community/minidlna/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Francesco Colista <francesco.colista@gmail.com> pkgname=minidlna pkgver=1.2.1 -pkgrel=1 +pkgrel=2 pkgdesc="A small dlna server" url="https://sourceforge.net/projects/minidlna/" arch="all" @@ -25,10 +25,18 @@ pkggroups="$pkgname" source="https://downloads.sourceforge.net/project/minidlna/minidlna/$pkgver/minidlna-$pkgver.tar.gz $pkgname.initd $pkgname.confd - 10-minidlna-nfo.patch" + 10-minidlna-nfo.patch + CVE-2020-28926.patch + CVE-2020-12695.patch + " builddir="$srcdir/$pkgname-$pkgver" +# secfixes: +# 1.2.1-r2: +# - CVE-2020-28926 +# - CVE-2020-12695 + build() { cd "$builddir" ./configure \ @@ -67,4 +75,6 @@ package() { sha512sums="17827155bfbfd2b51939bc86080e8724dcded138af8fede9c7715c225524e86d3c21bfd8d40dbf201861ef154189d9c5e223b719bf7695251212b26ec290462b minidlna-1.2.1.tar.gz e16961bb68c004297f1e26422b1d15bd8583ba2e0e36c88902a45573b685993fff88d2d0dae8c624eaeddb0deca614dbc13b8345f34b4c348961c00b05c0df30 minidlna.initd e209848af0d79069ac989ad61d3be610b4c0c2783a207a50463a25ec3811b04d1da3a2acde54749878bec44e1567874ede827b978d5472c00f6a855663e5cbf8 minidlna.confd -59a97ef0a36d3ae44dd2e182a0b106f84ce5c17e7dc14ee0459b17430b57ddc59a74e8e67fc0a90326fa451a505b97a0b719b438475efac144028dd012b44af1 10-minidlna-nfo.patch" +59a97ef0a36d3ae44dd2e182a0b106f84ce5c17e7dc14ee0459b17430b57ddc59a74e8e67fc0a90326fa451a505b97a0b719b438475efac144028dd012b44af1 10-minidlna-nfo.patch +883d06ba860264502b29bbdbbf469b145a97f59e6fc11d46fc199955696202b66f7ba1dc0708ef65cc3987ff5942024216b5274cbbf136558581e6a0cdac2750 CVE-2020-28926.patch +a8a5428c83ed8b2abe2c340ebc9d558417c4e8980f36d9dd19ff437025f9ec056caf58e606275fa3d74c4fc81342e7fec313353d50d70d1d787db2abc808542b CVE-2020-12695.patch" diff --git a/community/minidlna/CVE-2020-12695.patch b/community/minidlna/CVE-2020-12695.patch new file mode 100644 index 00000000000..4588ff4c74d --- /dev/null +++ b/community/minidlna/CVE-2020-12695.patch @@ -0,0 +1,68 @@ +--- a/upnphttp.c ++++ b/upnphttp.c +@@ -699,7 +699,7 @@ + static int + check_event(struct upnphttp *h) + { +- enum event_type type; ++ enum event_type type = E_INVALID; + + if (h->req_Callback) + { +@@ -707,7 +707,6 @@ + { + BuildResp2_upnphttp(h, 400, "Bad Request", + "<html><body>Bad request</body></html>", 37); +- type = E_INVALID; + } + else if (strncmp(h->req_Callback, "http://", 7) != 0 || + strncmp(h->req_NT, "upnp:event", h->req_NTLen) != 0) +@@ -716,10 +715,30 @@ + * If CALLBACK header is missing or does not contain a valid HTTP URL, + * the publisher must respond with HTTP error 412 Precondition Failed*/ + BuildResp2_upnphttp(h, 412, "Precondition Failed", 0, 0); +- type = E_INVALID; + } + else +- type = E_SUBSCRIBE; ++ { ++ /* Make sure callback URL points to the originating IP */ ++ struct in_addr addr; ++ char addrstr[16]; ++ int i = 0; ++ const char *p = h->req_Callback + 7; ++ while (!strchr("/:>", *p) && i < sizeof(addrstr) - 1 && ++ p < (h->req_Callback + h->req_CallbackLen)) ++ { ++ addrstr[i++] = *(p++); ++ } ++ addrstr[i] = '\0'; ++ ++ if (inet_pton(AF_INET, addrstr, &addr) <= 0 || ++ memcmp(&addr, &h->clientaddr, sizeof(struct in_addr))) ++ { ++ DPRINTF(E_ERROR, L_HTTP, "Bad callback IP (%s)\n", addrstr); ++ BuildResp2_upnphttp(h, 412, "Precondition Failed", 0, 0); ++ } ++ else ++ type = E_SUBSCRIBE; ++ } + } + else if (h->req_SID) + { +@@ -728,7 +747,6 @@ + { + BuildResp2_upnphttp(h, 400, "Bad Request", + "<html><body>Bad request</body></html>", 37); +- type = E_INVALID; + } + else + type = E_RENEW; +@@ -736,7 +754,6 @@ + else + { + BuildResp2_upnphttp(h, 412, "Precondition Failed", 0, 0); +- type = E_INVALID; + } + + return type; diff --git a/community/minidlna/CVE-2020-28926.patch b/community/minidlna/CVE-2020-28926.patch new file mode 100644 index 00000000000..50f8d5a8d1e --- /dev/null +++ b/community/minidlna/CVE-2020-28926.patch @@ -0,0 +1,29 @@ +--- a/upnphttp.c ++++ b/upnphttp.c +@@ -420,14 +420,14 @@ + return; + line += 2; + } +- if( h->reqflags & FLAG_CHUNKED ) ++ if (h->reqflags & FLAG_CHUNKED) + { + char *endptr; + h->req_chunklen = -1; +- if( h->req_buflen <= h->req_contentoff ) ++ if (h->req_buflen <= h->req_contentoff) + return; + while( (line < (h->req_buf + h->req_buflen)) && +- (h->req_chunklen = strtol(line, &endptr, 16)) && ++ (h->req_chunklen = strtol(line, &endptr, 16) > 0) && + (endptr != line) ) + { + endptr = strstr(endptr, "\r\n"); +@@ -888,7 +888,7 @@ + char *chunkstart, *chunk, *endptr, *endbuf; + chunk = endbuf = chunkstart = h->req_buf + h->req_contentoff; + +- while( (h->req_chunklen = strtol(chunk, &endptr, 16)) && (endptr != chunk) ) ++ while ((h->req_chunklen = strtol(chunk, &endptr, 16)) > 0 && (endptr != chunk) ) + { + endptr = strstr(endptr, "\r\n"); + if (!endptr) |