Bug 27755 - minidlna new security issues CVE-2020-12695 and CVE-2020-28926
Summary: minidlna new security issues CVE-2020-12695 and CVE-2020-28926
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-06 02:07 CET by David Walser
Modified: 2020-12-31 15:34 CET (History)
4 users (show)

See Also:
Source RPM: minidlna-1.2.1-3.mga7.src.rpm
CVE:
Status comment: Patches available from Debian

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-12-06 02:07:10 CET 
openSUSE has issued an advisory on December 4:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/A2GHF3UJM6D2JSKELXMJY57IRWK3PJM3/

The issues are fixed upstream in 1.3.0.
Comment 1 David Walser 2020-12-09 23:30:19 CET 
Debian has issued an advisory for this on December 7:
https://www.debian.org/security/2020/dsa-4806
David Walser 2020-12-28 19:13:08 CET

Status comment: (none) => Patches available from Debian

Comment 2 Mike Rambo 2020-12-29 19:17:24 CET 
Patched package uploaded for Mageia 7.

Advisory:
========================

Updated minidlna package fixes security vulnerabilities:

* It was discovered that minidlna does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue (CVE-2020-12695).
* MiniDLNA) before versions 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove (CVE-2020-28926).


References:
https://www.debian.org/security/2020/dsa-4806
https://nvd.nist.gov/vuln/detail/CVE-2020-28926
https://nvd.nist.gov/vuln/detail/CVE-2020-12695
========================

Updated packages in core/updates_testing:
========================
minidlna-1.2.1-3.1.mga7

from minidlna-1.2.1-3.1.mga7.src.rpm

Assignee: jani.valimaa => qa-bugs
CC: (none) => mrambo

Comment 3 PC LX 2020-12-31 03:04:02 CET 
Installed and tested without issues.

Tested using VLC on Mageia 7, VLC on Android and a TV with WebOS. No issues noticed.

System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q minidlna
minidlna-1.2.1-3.1.mga7
$ systemctl status minidlna.service 
● minidlna.service - MiniDLNA is a DLNA/UPnP-AV server software
   Loaded: loaded (/usr/lib/systemd/system/minidlna.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-12-31 01:44:57 WET; 5s ago
 Main PID: 9662 (minidlnad)
    Tasks: 2 (limit: 4684)
   Memory: 5.9M
   CGroup: /system.slice/minidlna.service
           └─9662 /usr/sbin/minidlnad -S

dez 31 01:44:58 marte minidlnad[9662]: getifaddr.c:338: info: Enabling interface 10.0.0.1/255.0.0.0

CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK

Comment 4 Aurelien Oudelet 2020-12-31 11:32:49 CET 
Validating.
Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 5 Mageia Robot 2020-12-31 15:34:02 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0483.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.