Bug 30115

Summary: minidlna new DNS rebinding security issue (CVE-2022-26505)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, mhrambo3501, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: minidlna-1.3.0-1.mga8.src.rpm CVE: CVE-2022-26505
Status comment:

Description David Walser 2022-03-04 19:06:14 CET 
A security issue fixed upstream in 1.3.1 has been announced on March 3:
https://www.openwall.com/lists/oss-security/2022/03/03/1

Mageia 8 is also affected.
David Walser 2022-03-04 19:06:33 CET

Whiteboard: (none) => MGA8TOO
CC: (none) => jani.valimaa, mhrambo3501
Status comment: (none) => Fixed upstream in 1.3.1

Comment 1 David Walser 2022-03-07 17:51:36 CET 
CVE-2022-26505 has been assigned:
https://www.openwall.com/lists/oss-security/2022/03/06/1

Summary: minidlna new DNS rebinding security issue => minidlna new DNS rebinding security issue (CVE-2022-26505)

Comment 2 Lewis Smith 2022-03-07 20:44:04 CET 
This SRPM is officially with Jani, who is active on it, so assigning appropriately.

CC: jani.valimaa => (none)
Assignee: bugsquad => jani.valimaa

Comment 3 David Walser 2022-03-11 21:43:19 CET 
openSUSE has issued an advisory for this on March 10:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXEFRXJEYR7QPAMYNWTJIYKTVX5OEQ7O/
Comment 4 David Walser 2022-04-10 16:18:21 CEST 
Debian-LTS has issued an advisory for this on April 9:
https://www.debian.org/lts/security/2022/dla-2973
Comment 5 Jani Välimaa 2022-04-10 17:43:27 CEST 
There's no 1.3.1 release tarball available.

https://sourceforge.net/p/minidlna/support-requests/78/
Comment 6 David Walser 2022-04-10 17:52:42 CEST 
Probably have to use the Git feature to download a snapshot.
Comment 7 Nicolas Salguero 2022-10-19 16:30:48 CEST 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. (CVE-2022-26505)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26505
https://www.openwall.com/lists/oss-security/2022/03/03/1
https://www.openwall.com/lists/oss-security/2022/03/06/1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VXEFRXJEYR7QPAMYNWTJIYKTVX5OEQ7O/
https://www.debian.org/lts/security/2022/dla-2973
========================

Updated package in core/updates_testing:
========================
minidlna-1.3.2-1.mga8

from SRPM:
minidlna-1.3.2-1.mga8.src.rpm

CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.3.1 => (none)
Version: Cauldron => 8
Assignee: jani.valimaa => qa-bugs
CVE: (none) => CVE-2022-26505

Comment 8 Herman Viaene 2022-10-25 14:13:58 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tried bug 27755 for more info on how this works, but .....
Found https://www.smarthomebeginner.com/install-minidlna-on-ubuntu-ultimate-guide/ and tried to follow the recommendations there, more or less.
I have in /etc/minidlna.conf added the line
media_dir=/home/tester8/Music
but when trying to start , I get error (from # systemctl -l status minidlna)

Oct 25 14:02:19 mach7.hviaene.thuis minidlnad[5907]: [2022/10/25 14:02:19] minidlna.c:669: error: Media directory "/home/tester8/Music" not accessible [Permission denied]
but of course
# cd /home/tester8/Music
# ls
'13beste strangers'/
So I have no clue where this comes from or what it really means.

CC: (none) => herman.viaene

Comment 9 David Walser 2022-10-25 15:08:26 CEST 
Probably your home directory is inaccessible to the service.  Try chmod o+x /home/tester8
Comment 10 Herman Viaene 2022-10-25 15:41:00 CEST 
That get rid of this error, but there are more, and I don't feel like to dable in the conf options to get where????
Giving up on this one.
Comment 11 Dave Hodgins 2022-10-25 16:00:59 CEST 
Added the line with "media_dir=/home/dave/Music" to /etc/minidlna.conf and
started the server. No other changes.

[root@x3 ~]# systemctl status minidlna.service 
* minidlna.service - MiniDLNA is a DLNA/UPnP-AV server software
     Loaded: loaded (/usr/lib/systemd/system/minidlna.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-10-25 09:58:31 EDT; 10s ago
   Main PID: 95574 (minidlnad)
      Tasks: 2 (limit: 19118)
     Memory: 2.9M
        CPU: 14ms
     CGroup: /system.slice/minidlna.service
             `-95574 /usr/sbin/minidlnad -S

Oct 25 09:58:31 x3.hodgins.homeip.net systemd[1]: Started MiniDLNA is a DLNA/UPnP-AV server software.
Oct 25 09:58:31 x3.hodgins.homeip.net minidlnad[95574]: minidlna.c:523: warn: Using unsupported non-utf8 locale 'en_CA'
Oct 25 09:58:31 x3.hodgins.homeip.net minidlnad[95574]: minidlna.c:1134: warn: Starting MiniDLNA version 1.3.1.
Oct 25 09:58:31 x3.hodgins.homeip.net minidlnad[95574]: minidlna.c:1182: warn: HTTP listening on port 8200

Validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Dave Hodgins 2022-10-28 03:49:22 CEST

Keywords: (none) => advisory

Comment 12 Mageia Robot 2022-10-28 08:55:33 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0391.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED