Your message dated Sat, 24 Jun 2023 19:48:05 +0000
with message-id <e1qd9er-006hqi...@fasolo.debian.org>
and subject line Bug#1037052: fixed in minidlna 1.3.0+dfsg-2+deb11u2
has caused the Debian Bug report #1037052,
regarding minidlna: CVE-2023-33476
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037052: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037052
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: minidlna
Version: 1.3.2+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for minidlna.

CVE-2023-33476[0]:
| ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 are vulnerable
| to Buffer Overflow. The vulnerability is caused by incorrect
| validation logic when handling HTTP requests using chunked transport
| encoding. This results in other code later using attacker-controlled
| chunk values that exceed the length of the allocated buffer, resulting
| in out-of-bounds read/write.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-33476
    https://www.cve.org/CVERecord?id=CVE-2023-33476
[1] https://blog.coffinsec.com/0day/2023/05/31/minidlna-heap-overflow-rca.html
[2] https://sourceforge.net/p/minidlna/git/ci/9bd58553fae5aef3e6dd22f51642d2c851225aec/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
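Added example, not code from the bug report or from minidlna's own source: a bounds-checked decoder for HTTP chunked transfer encoding, showing the validation the CVE description above says was missing, namely that a peer-supplied chunk length must be checked against the bytes actually present in the buffer (and against the destination capacity) before it is used as a copy length. The function names and the sample inputs are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Parse one chunk ("<hex-size>[;ext]\r\n<data>\r\n") from buf[0..len).
 * Returns bytes consumed, or 0 if malformed or if the chunk would run past
 * the end of the buffer. On success *data/*data_len describe the payload. */
size_t parse_chunk(const char *buf, size_t len, const char **data, size_t *data_len)
{
    size_t i = 0, chunk_len = 0;
    int digits = 0;

    /* Hex chunk size, capped at 8 digits so the accumulation cannot wrap. */
    while (i < len && isxdigit((unsigned char)buf[i])) {
        int c = tolower((unsigned char)buf[i]);
        if (++digits > 8) return 0;
        chunk_len = (chunk_len << 4) | (size_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
        i++;
    }
    if (digits == 0) return 0;
    while (i < len && buf[i] != '\r') i++;            /* skip chunk extension */
    if (len - i < 2 || buf[i] != '\r' || buf[i + 1] != '\n') return 0;
    i += 2;

    /* The check the CVE description refers to: the peer-supplied length must
     * be bounded by the bytes actually present before it drives any copy. */
    if (chunk_len > len - i || len - i - chunk_len < 2) return 0;
    if (buf[i + chunk_len] != '\r' || buf[i + chunk_len + 1] != '\n') return 0;
    *data = buf + i;
    *data_len = chunk_len;
    return i + chunk_len + 2;
}

/* Decode a whole chunked body into out[0..out_cap). Returns the decoded
 * length, or (size_t)-1 on malformed input or if out would overflow.
 * Trailer headers after the last chunk are not parsed. */
size_t decode_chunked(const char *buf, size_t len, char *out, size_t out_cap)
{
    size_t pos = 0, out_len = 0;
    for (;;) {
        const char *data;
        size_t dlen, used = parse_chunk(buf + pos, len - pos, &data, &dlen);
        if (used == 0) return (size_t)-1;
        pos += used;
        if (dlen == 0) return out_len;                   /* last-chunk "0\r\n\r\n" */
        if (dlen > out_cap - out_len) return (size_t)-1; /* bound the destination too */
        memcpy(out + out_len, data, dlen);
        out_len += dlen;
    }
}
```

A chunk-size line that claims more bytes than the buffer holds, or more hex digits than a 32-bit length allows, is rejected before any memcpy, which is the behaviour a server-side parser needs here.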
--- Begin Message ---
Source: minidlna
Source-Version: 1.3.0+dfsg-2+deb11u2
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
minidlna, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1037...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated minidlna package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Mon, 19 Jun 2023 21:40:21 +0200
Source: minidlna
Architecture: source
Version: 1.3.0+dfsg-2+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Alexander GQ Gerasiov <g...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1037052
Changes:
 minidlna (1.3.0+dfsg-2+deb11u2) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * upnphttp: Fix chunk length parsing (CVE-2023-33476) (Closes: #1037052)


--- End Message ---
