Bug 32041 - minidlna new security issue CVE-2023-33476
Summary: minidlna new security issue CVE-2023-33476
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-06-22 20:44 CEST by David Walser
Modified: 2023-07-07 07:56 CEST

See Also:
Source RPM: minidlna-1.3.2-2.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2023-06-22 20:44:26 CEST
Debian has issued an advisory on June 21:
https://www.debian.org/security/2023/dsa-5434

The issue is fixed upstream in 1.3.3.

Mageia 8 is also affected.

David Walser 2023-06-22 20:44:46 CEST

Status comment: (none) => Fixed upstream in 1.3.3
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-06-22 21:03:45 CEST
Not obvious who might do this, so assigning it globally. CC'ing NicolasS who put up the current version.

CC: (none) => nicolas.salguero
Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2023-06-25 18:38:53 CEST
Done for both mga8 and cauldron!

CC: (none) => geiger.david68210

Comment 3 David Walser 2023-06-25 18:43:26 CEST
minidlna-1.3.3-1.mga8

from minidlna-1.3.3-1.mga8.src.rpm

Freeze move requested for Cauldron I assume.

Comment 4 David GEIGER 2023-06-26 18:17:37 CEST
Fixed for cauldron now!

Assigning to QA.

Status comment: Fixed upstream in 1.3.3 => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

PC LX 2023-06-28 11:53:16 CEST

CC: (none) => mageia

Comment 5 Herman Viaene 2023-06-29 16:40:13 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 30115 edited /etc/minidlna.conf the media_dir and network_interface.
# systemctl restart minidlna.service 
[root@mach7 ~]# systemctl status minidlna.service 
● minidlna.service - MiniDLNA is a DLNA/UPnP-AV server software
     Loaded: loaded (/usr/lib/systemd/system/minidlna.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2023-06-29 16:04:30 CEST; 3s ago
   Main PID: 21859 (minidlnad)
      Tasks: 2 (limit: 4364)
     Memory: 4.0M
        CPU: 97ms
     CGroup: /system.slice/minidlna.service
             └─21859 /usr/sbin/minidlnad -S

Jun 29 16:04:30 mach7.hviaene.thuis systemd[1]: Started MiniDLNA is a DLNA/UPnP-AV server software.
Jun 29 16:04:32 mach7.hviaene.thuis minidlnad[21859]: [2023/06/29 16:04:32] minidlna.c:669: error: Media directory "/h>
Jun 29 16:04:32 mach7.hviaene.thuis minidlnad[21859]: minidlna.c:1134: warn: Starting MiniDLNA version 1.3.3.
Jun 29 16:04:32 mach7.hviaene.thuis minidlnad[21859]: minidlna.c:1182: warn: HTTP listening on port 8200

Then tried to access it from VLC, at first without success; googling, I found out I have to open 8200/tcp and 1900/udp on the firewall.
Then I see in VLC the minidlna server and the media_dir given above, but I can't get it to display the wav files in it. I've never got the hang of using playlists, so I give this minidlna the OK, not withholding it for VLC issues.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2023-06-30 02:33:06 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-07-06 23:12:34 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-07-07 07:56:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0224.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

