Headline
Gentoo Linux Security Advisory 202311-12
Gentoo Linux Security Advisory 202311-12 - Multiple vulnerabilities have been discovered in MiniDLNA, the worst of which could lead to remote code execution. Versions greater than or equal to 1.3.3 are affected.
Gentoo Linux Security Advisory GLSA 202311-12
https://security.gentoo.org/
Severity: High
Title: MiniDLNA: Multiple Vulnerabilities
Date: November 25, 2023
Bugs: #834642, #907926
ID: 202311-12
Synopsis
Multiple vulnerabilities have been discovered in MiniDLNA, the worst of
which could lead to remove code execution.
Background
MiniDLNA is a simple media server software, with the aim of being fully
compliant with DLNA/UPnP-AV clients.
Affected packages
Package Vulnerable Unaffected
net-misc/minidlna < 1.3.3 >= 1.3.3
Description
Multiple vulnerabilities have been discovered in MiniDLNA. Please review
the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All MiniDLNA users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=net-misc/minidlna-1.3.3”
References
[ 1 ] CVE-2022-26505
https://nvd.nist.gov/vuln/detail/CVE-2022-26505
[ 2 ] CVE-2023-33476
https://nvd.nist.gov/vuln/detail/CVE-2023-33476
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202311-12
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Related news
Ubuntu Security Notice 6398-1 - It was discovered that ReadyMedia was vulnerable to DNS rebinding attacks. A remote attacker could possibly use this issue to trick the local DLNA server to leak information. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that ReadyMedia incorrectly handled certain HTTP requests using chunked transport encoding. A remote attacker could possibly use this issue to cause buffer overflows, resulting in out-of-bounds reads and writes.
Ubuntu Security Notice 6398-1 - It was discovered that ReadyMedia was vulnerable to DNS rebinding attacks. A remote attacker could possibly use this issue to trick the local DLNA server to leak information. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that ReadyMedia incorrectly handled certain HTTP requests using chunked transport encoding. A remote attacker could possibly use this issue to cause buffer overflows, resulting in out-of-bounds reads and writes.
Debian Linux Security Advisory 5434-1 - A heap-based buffer overflow vulnerability was found in the HTTP chunk parsing code of minidlna, a lightweight DLNA/UPnP-AV server, which may result in denial of service or the execution of arbitrary code.
ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 is vulnerable to Buffer Overflow. The vulnerability is caused by incorrect validation logic when handling HTTP requests using chunked transport encoding. This results in other code later using attacker-controlled chunk values that exceed the length of the allocated buffer, resulting in out-of-bounds read/write.