Control: tags 1037052 + patch
Control: tags 1037052 + pending

Dear maintainer,

I've prepared an NMU for minidlna (versioned as 1.3.2+dfsg-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore

diff -Nru minidlna-1.3.2+dfsg/debian/changelog minidlna-1.3.2+dfsg/debian/changelog --- minidlna-1.3.2+dfsg/debian/changelog 2023-04-12 13:01:40.000000000 +0200 +++ minidlna-1.3.2+dfsg/debian/changelog 2023-06-19 21:14:33.000000000 +0200 @@ -1,3 +1,10 @@ +minidlna (1.3.2+dfsg-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * upnphttp: Fix chunk length parsing (CVE-2023-33476) (Closes: #1037052) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 19 Jun 2023 21:14:33 +0200 + minidlna (1.3.2+dfsg-1) unstable; urgency=medium * New upstream release (Closes: #1005219, #1011629, #1017183, #1024905). diff -Nru minidlna-1.3.2+dfsg/debian/patches/12-upnphttp-Fix-chunk-length-parsing.patch minidlna-1.3.2+dfsg/debian/patches/12-upnphttp-Fix-chunk-length-parsing.patch --- minidlna-1.3.2+dfsg/debian/patches/12-upnphttp-Fix-chunk-length-parsing.patch 1970-01-01 01:00:00.000000000 +0100 +++ minidlna-1.3.2+dfsg/debian/patches/12-upnphttp-Fix-chunk-length-parsing.patch 2023-06-19 21:14:33.000000000 +0200 
@@ -0,0 +1,27 @@ +From: Justin Maggard <jmagg...@arlo.com> +Date: Wed, 31 May 2023 00:40:03 -0700 +Subject: upnphttp: Fix chunk length parsing +Origin: https://sourceforge.net/p/minidlna/git/ci/9bd58553fae5aef3e6dd22f51642d2c851225aec/ +Bug-Debian: https://bugs.debian.org/1037052 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-33476 + +--- + upnphttp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/upnphttp.c b/upnphttp.c +index 05b202067f14..477ebef4caee 100644 +--- a/upnphttp.c ++++ b/upnphttp.c +@@ -432,7 +432,7 @@ next_header: + if (h->req_buflen <= h->req_contentoff) + return; + while( (line < (h->req_buf + h->req_buflen)) && +- (h->req_chunklen = strtol(line, &endptr, 16) > 0) && ++ ((h->req_chunklen = strtol(line, &endptr, 16)) > 0) && + (endptr != line) ) + { + endptr = strstr(endptr, "\r\n"); +-- +2.40.1 + diff -Nru minidlna-1.3.2+dfsg/debian/patches/series minidlna-1.3.2+dfsg/debian/patches/series --- minidlna-1.3.2+dfsg/debian/patches/series 2023-04-12 12:57:50.000000000 +0200 +++ minidlna-1.3.2+dfsg/debian/patches/series 2023-06-19 21:14:33.000000000 +0200 @@ -5,3 +5,4 @@ 08-Fix-testupnpdescgen-build.patch 10-do-not-close-socket-on-sighup.patch 11-improve-nl-translation.patch +12-upnphttp-Fix-chunk-length-parsing.patch
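
Review bot: in the upnphttp.c hunk, the corrected `while` condition `((h->req_chunklen = strtol(line, &endptr, 16)) > 0)` now stores the parsed, client-supplied value itself, but nothing visible in the hunk bounds it against the bytes remaining in the buffer (`h->req_buf + h->req_buflen - endptr`) or rejects an out-of-range `strtol` result. Please confirm the loop body does both before `req_chunklen` is used as a length. `strtol` with base 16 also accepts leading whitespace, a sign and a `0x` prefix, none of which belong in a chunk-size line, so a stricter hex-digit check on `line` would be safer. The `strstr(endptr, "\r\n")` on the last context line can return NULL and needs a check if the body does not already have one. It would also help to add one sentence to the patch header saying that the old expression assigned the result of the `> 0` comparison (0 or 1) to `req_chunklen` instead of the parsed length, since the subject line alone does not say what was wrong.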