
Mageia: 2020-0483 Moderate Remote Code Execution Risk in Minidlna

Mageia, December 31, 2020
Recent minidlna updates address security vulnerabilities, including one that could lead to remote code execution. Check the official release notes for details and impacts.

Summary

It was discovered that minidlna does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue (CVE-2020-12695).
Minidlna before version 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove (CVE-2020-28926).
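The CallStranger condition above is fixed by refusing SUBSCRIBE requests whose delivery URLs fall outside the network segment of the event-subscription URL. The following is an added illustration of that check, written for this page and not taken from minidlna; the header values, addresses and prefix length are constructed sample data.

```python
# Added example (not minidlna code): a defensive check in the spirit of the
# CallStranger fix. A UPnP SUBSCRIBE request carries a CALLBACK header with
# one or more delivery URLs; accept it only when every delivery URL points at
# an IP literal on the same network segment as the event subscription URL.
import ipaddress
import re
from urllib.parse import urlsplit

CALLBACK_RE = re.compile(r"<([^>]*)>")


def callback_urls(header_value):
    """Split a CALLBACK header such as '<http://a/x><http://b/y>' into URLs."""
    return CALLBACK_RE.findall(header_value)


def url_on_segment(url, segment):
    """True if the URL's host is an IP literal inside the given network.

    Hostnames are rejected rather than resolved: resolving them would let the
    subscriber change the target after the check, so IP literals are required.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False
    # Membership is False for a mismatched IP version as well as a foreign net.
    return host in segment


def accept_subscription(callback_header, event_sub_url, prefixlen):
    """Decide whether a SUBSCRIBE may be accepted.

    event_sub_url is the eventSubURL the server advertised for this
    interface; prefixlen is the interface's netmask length (constructed here).
    """
    server_ip = ipaddress.ip_address(urlsplit(event_sub_url).hostname)
    segment = ipaddress.ip_network(f"{server_ip}/{prefixlen}", strict=False)
    urls = callback_urls(callback_header)
    if not urls:
        return False
    return all(url_on_segment(u, segment) for u in urls)
```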

References

- https://bugs.mageia.org/show_bug.cgi?id=27755

- https://lists.debian.org/debian-security-announce/2020/msg00213.html

- https://www.cve.org/CVERecord?id=CVE-2020-12695

- https://www.cve.org/CVERecord?id=CVE-2020-28926

Resolution

SRPMS

- 7/core/minidlna-1.2.1-3.1.mga7

Publication date: 31 Dec 2020
URL: https://advisories.mageia.org/MGASA-2020-0483.html
Type: security
CVE: CVE-2020-12695, CVE-2020-28926
