Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1011629: minidlna: can't access localhost:8200 - DNS rebinding attack suspected
1,463 views
Skip to first unread message
Marcos Carot
May 25, 2022, 10:20:04 AM5/25/22
to
Package: minidlna
Version: 1.3.0+dfsg-2.2
Severity: important
X-Debbugs-Cc: marcos...@gmail.com
Dear Maintainer,
* What led up to the situation? browse localhost:8200
* What was the outcome of this action? "not found" page shown - logs show upnphttp.c:922: error: DNS rebinding attack suspected
* What outcome did you expect instead? page shown.
Please note, this seems to be a security issue: https://security.snyk.io/vuln/SNYK-UNMANAGED-MINIDLNA-2419090
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:es:en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages minidlna depends on:
ii adduser 3.121
ii init-system-helpers 1.62
ii libavformat58 7:4.4.2-1
ii libavutil56 7:4.4.2-1
ii libc6 2.33-7
ii libexif12 0.6.24-1
ii libflac8 1.3.4-1
ii libid3tag0 0.15.1b-14
ii libjpeg62-turbo 1:2.1.2-1
ii libogg0 1.3.4-0.1
ii libsqlite3-0 3.38.5-1
ii libvorbis0a 1.3.7-1
ii lsb-base 11.1.0
minidlna recommends no packages.
minidlna suggests no packages.
-- Configuration Files:
/etc/minidlna.conf changed [not included]
-- no debconf information
Version: 1.3.0+dfsg-2.2
Severity: important
X-Debbugs-Cc: marcos...@gmail.com
Dear Maintainer,
* What led up to the situation? browse localhost:8200
* What was the outcome of this action? "not found" page shown - logs show upnphttp.c:922: error: DNS rebinding attack suspected
* What outcome did you expect instead? page shown.
Please note, this seems to be a security issue: https://security.snyk.io/vuln/SNYK-UNMANAGED-MINIDLNA-2419090
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:es:en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages minidlna depends on:
ii adduser 3.121
ii init-system-helpers 1.62
ii libavformat58 7:4.4.2-1
ii libavutil56 7:4.4.2-1
ii libc6 2.33-7
ii libexif12 0.6.24-1
ii libflac8 1.3.4-1
ii libid3tag0 0.15.1b-14
ii libjpeg62-turbo 1:2.1.2-1
ii libogg0 1.3.4-0.1
ii libsqlite3-0 3.38.5-1
ii libvorbis0a 1.3.7-1
ii lsb-base 11.1.0
minidlna recommends no packages.
minidlna suggests no packages.
-- Configuration Files:
/etc/minidlna.conf changed [not included]
-- no debconf information
Diederik de Haas
Jul 8, 2022, 9:10:03 AM7/8/22
to
On 25 May 2022 22:13:27 +0800 Marcos Carot <marcos...@gmail.com> wrote:
> Package: minidlna
> Version: 1.3.0+dfsg-2.2
IIUC version 1.3.0+dfsg-2.2 was specifically to address that.
https://tracker.debian.org/news/1315039/accepted-minidlna-130dfsg-22-source-into-unstable/
Changes:
minidlna (1.3.0+dfsg-2.2) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2022-26505
Validate HTTP requests to protect against DNS rebinding, thus forbid
a remote web server to exfiltrate media files.
(Closes: #1006798)
https://salsa.debian.org/debian/minidlna/-/commit/9017019ac446b945c92a976a8dcebab3d7789927
is the commit in the salsa repo for this.
> Package: minidlna
> Version: 1.3.0+dfsg-2.2
>
> * What led up to the situation? browse localhost:8200
> * What was the outcome of this action? "not found" page shown -
> logs show upnphttp.c:922: error: DNS rebinding attack suspected
> * What outcome did you expect instead? page shown.
>
> Please note, this seems to be a security issue:
> https://security.snyk.io/vuln/SNYK-UNMANAGED-MINIDLNA-2419090
Isn't that the result of the patch that addresses that specific issue?
> * What led up to the situation? browse localhost:8200
> * What was the outcome of this action? "not found" page shown -
> logs show upnphttp.c:922: error: DNS rebinding attack suspected
> * What outcome did you expect instead? page shown.
>
> Please note, this seems to be a security issue:
> https://security.snyk.io/vuln/SNYK-UNMANAGED-MINIDLNA-2419090
IIUC version 1.3.0+dfsg-2.2 was specifically to address that.
https://tracker.debian.org/news/1315039/accepted-minidlna-130dfsg-22-source-into-unstable/
Changes:
minidlna (1.3.0+dfsg-2.2) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2022-26505
Validate HTTP requests to protect against DNS rebinding, thus forbid
a remote web server to exfiltrate media files.
(Closes: #1006798)
https://salsa.debian.org/debian/minidlna/-/commit/9017019ac446b945c92a976a8dcebab3d7789927
is the commit in the salsa repo for this.
Marcos Raúl Carot
Jul 8, 2022, 10:00:04 AM7/8/22
to
Oh, so there is no way now to access the web page from minidlna? Cheers.
Marcos R Carot
Diederik de Haas
Jul 8, 2022, 10:10:04 AM7/8/22
to
On vrijdag 8 juli 2022 15:50:32 CEST Marcos Raúl Carot wrote:
> On Fri, 8 Jul 2022 at 21:06, Diederik de Haas <didi....@cknow.org> wrote:
> > On 25 May 2022 22:13:27 +0800 Marcos Carot <marcos...@gmail.com> wrote:
> > > Please note, this seems to be a security issue:
> > > https://security.snyk.io/vuln/SNYK-UNMANAGED-MINIDLNA-2419090
> >
> > Isn't that the result of the patch that addresses that specific issue?
> > IIUC version 1.3.0+dfsg-2.2 was specifically to address that.
>
> On Fri, 8 Jul 2022 at 21:06, Diederik de Haas <didi....@cknow.org> wrote:
> > On 25 May 2022 22:13:27 +0800 Marcos Carot <marcos...@gmail.com> wrote:
> > > Please note, this seems to be a security issue:
> > > https://security.snyk.io/vuln/SNYK-UNMANAGED-MINIDLNA-2419090
> >
> > Isn't that the result of the patch that addresses that specific issue?
> > IIUC version 1.3.0+dfsg-2.2 was specifically to address that.
>
> Oh, so there is no way now to access the web page from minidlna? Cheers.
I was only asking a question to make the issue more clear.
If that's the result, I can see that could be an unwanted side effect.
Oliver Freyermuth
Jul 12, 2022, 11:00:04 PM7/12/22
to
On Fri, 8 Jul 2022 21:50:32 +0800 =?UTF-8?Q?Marcos_Ra=C3=BAl_Carot?= <marcos...@gmail.com> wrote:
> Oh, so there is no way now to access the web page from minidlna? Cheers.
The code (as also used upstream[0]) validates that the hostname in the HTTP request consists only of numbers, dots or colons.
> Oh, so there is no way now to access the web page from minidlna? Cheers.
Given this change, it seems the only remaining functional way is to visit the IPv4 IP address of the minidlna server directly,
e.g. if your server is running at 192.168.178.32, you would visit:
http://192.168.178.32:8200
in your browser.
An upstream bug about this issue has reported already at:
https://sourceforge.net/p/minidlna/bugs/346/
[0] https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/
Marcos Raúl Carot
Jul 13, 2022, 2:30:04 AM7/13/22
to
Thanks for that. Just tried and it works with only IP:8200
I was using localhost:8200
Cheers,
Marcos
Marcos R Carot
0 new messages