Your message dated Sat, 24 Jun 2023 14:32:16 +0000
with message-id <e1qd4je-005zt9...@fasolo.debian.org>
and subject line Bug#1037052: fixed in minidlna 1.3.0+dfsg-2.2+deb12u1
has caused the Debian Bug report #1037052,
regarding minidlna: CVE-2023-33476
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037052: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037052
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: minidlna
Version: 1.3.2+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for minidlna.

CVE-2023-33476[0]:
| ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 are vulnerable
| to Buffer Overflow. The vulnerability is caused by incorrect
| validation logic when handling HTTP requests using chunked transport
| encoding. This results in other code later using attacker-controlled
| chunk values that exceed the length of the allocated buffer, resulting
| in out-of-bounds read/write.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-33476
    https://www.cve.org/CVERecord?id=CVE-2023-33476
[1] https://blog.coffinsec.com/0day/2023/05/31/minidlna-heap-overflow-rca.html
[2] https://sourceforge.net/p/minidlna/git/ci/9bd58553fae5aef3e6dd22f51642d2c851225aec/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
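The validation the CVE text describes, as an added illustration that is not minidlna's code: a chunked-body decoder that proves every attacker-supplied chunk-size fits the received data and the output buffer before it is ever used as a copy length, rejecting the oversized values the vulnerable logic let through. Function names and the sample bodies are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode an HTTP/1.1 chunked body buf[0..len) into out (capacity outcap). Returns 0 and
 * sets *out_len on success, -1 if a chunk-size would reach past the input or output. */
int decode_chunked(const char *buf, size_t len, char *out, size_t outcap, size_t *out_len)
{
    size_t pos = 0, written = 0;
    for (;;) {
        size_t chunk = 0; int digits = 0;
        while (pos < len && isxdigit((unsigned char)buf[pos])) {
            int c = tolower((unsigned char)buf[pos]);
            if (chunk > (SIZE_MAX >> 4))
                return -1;                  /* next *16 would wrap size_t */
            chunk = chunk * 16 + (size_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
            pos++; digits++;
        }
        if (digits == 0) return -1;         /* no chunk-size at all */
        while (pos < len && buf[pos] != '\r') pos++;   /* skip any chunk-extension */
        if (len - pos < 2 || buf[pos + 1] != '\n')
            return -1;                      /* chunk-size line must end in CRLF */
        pos += 2;
        if (chunk == 0) {                   /* last-chunk; trailers ignored here */
            *out_len = written;
            return 0;
        }
        /* The check at the heart of CVE-2023-33476: the attacker-supplied chunk-size
         * must fit the remaining input (plus CRLF) and the output before it is used as
         * a copy length. Subtracting, not adding, keeps the comparison wrap-free. */
        if (len - pos < chunk || len - pos - chunk < 2 || outcap - written < chunk)
            return -1;
        if (buf[pos + chunk] != '\r' || buf[pos + chunk + 1] != '\n')
            return -1;                      /* chunk-data must be CRLF-terminated */
        memcpy(out + written, buf + pos, chunk);
        written += chunk;
        pos += chunk + 2;
    }
}

/* Demo helper: decode a NUL-terminated body into a 64-byte buffer and compare with the
 * expected plaintext; returns 1 if decoded and equal, 0 if rejected or different. */
int decodes_to(const char *body, const char *expect)
{
    char out[64]; size_t n;
    if (decode_chunked(body, strlen(body), out, sizeof out, &n) != 0)
        return 0;
    return n == strlen(expect) && memcmp(out, expect, n) == 0;
}
```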
--- Begin Message ---
Source: minidlna
Source-Version: 1.3.0+dfsg-2.2+deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
minidlna, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1037...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated minidlna package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 19 Jun 2023 21:34:02 +0200
Source: minidlna
Architecture: source
Version: 1.3.0+dfsg-2.2+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Alexander GQ Gerasiov <g...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1037052
Changes:
 minidlna (1.3.0+dfsg-2.2+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * upnphttp: Fix chunk length parsing (CVE-2023-33476) (Closes: #1037052)


--- End Message ---