Fixes CVE-2023-33476:
ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 is vulnerable
to Buffer Overflow. The vulnerability is caused by incorrect
validation logic when handling HTTP requests using chunked transport
encoding. This results in other code later using attacker-controlled
chunk values that exceed the length of the allocated buffer,
resulting in out-of-bounds read/write.
Signed-off-by: Robert Högberg <robert.hogberg@gmail.com>
- Updated to latest version
- Removed upstreamed patches
- Refreshed patches
Project changelog:
1.3.2 - Released 30-Aug-2022
--------------------------------
- Improved DNS rebinding attack protection.
- Added Samsung Neo QLED series (2021) support.
- Added webm/rm/rmvb support.
1.3.1 - Released 11-Feb-2022
--------------------------------
- Fixed a potential crash in SSDP request parsing.
- Fixed a configure script failure on some platforms.
- Protect against DNS rebinding attacks.
- Fix an socket leakage issue on some platforms.
- Minor bug fixes.
Signed-off-by: Andrew Sim <andrewsimz@gmail.com>
Fixes two CVEs relating to UPnP.
Removed libuuid dependency. It is not used.
Remove clock_gettime hack. It seems to have been fixed.
Removed upstream patches.
Refreshed the other ones.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Diffrent file use its own setjmp_buffer, thus
we have two global variables called setjmp_buffer
I am not sure if we should use only one instance of it.
The patch sent upstream uses a similar approach.
https://sourceforge.net/p/minidlna/bugs/327/
Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
Restore service triggers which got wrongly removed in commit
733aae9584 ("fix issues").
Without triggers, changing settings from LuCI or calling reload_config
from the cli won't have any effect.
Also adjust the uci commit call to only commit the minidlna configuration
when setting a UUID, to avoid committing unrelated user changes in other
config files.
Ref: https://github.com/openwrt/luci/issues/4194
Fixes: 733aae958 ("minidlna: fix issues")
Fixes: 37367bdc8 ("minidlna: create UUID in config if it is empty")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Removed cover resizing patch. It doesn't work right.
Removed SIGHUP reload. While minidlna handles it, it needs work to
function properly.
Removed service_triggers. They don't work for similar reasons as above.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Removed inactive maintainer.
Cleaned up Makefile to remove old options.
Switched to PKG_INSTALL for consistency.
Added PKG_BUILD_PARALLEL for faster compilation.
Fixed license info.
Removed '' from enabled for consistency.
Ran init script through shellcheck. Batched config file writes.
Switched it to use procd. The -S parameter changes it to foreground. It
stands for systemd.
Added a sysctl tweak to get rid of warning.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
better solution than using a static UUID by default
keep the default uuid empty then generate and save
a unique UUID on first start of minidlna service.
Signed-off-by: Alberto Bursi <bobafetthotmail@gmail.com>
minidlna uses UUID to uniquely identify the media server
by default, if the "uuid" option is not specified in
its setting file it will try to autogenerate it by
reading MAC address.
This seems to fail on some devices resulting in random
UUID on reboot, and this causes confusion and issues as
for clients this is a new server and must be added to
the list.
In OpenWrt there are also devices where the system can't
read the true MAC address and it is therefore randomized
on reboot.
So, add a static UUID in the settings file.
Since each mindlna server should have a different UUID,
if the user has more than one OpenWrt device with
minidlna, he should change the UUID of the
additional devices.
Signed-off-by: Alberto Bursi <bobafetthotmail@gmail.com>
Update minidlna to latest commit
Cherry pick commits from https://github.com/xavery/minidlna
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
- run as an unprivileged user by default
- move generated config to /var/run (/tmp/run in fact)
- disable service until it's configured: there is no way to reliably guess
where files to be shared are located
Signed-off-by: Maxim Storchak <m.storchak@gmail.com>
Some clients do not close connections properly or do not keep
it alive, so each time the connection times out a corresponding
log entry is written into a log. These messages may spam the log
really hard.
This may be an issue if log is placed on internal flash - it may
prematurely wear a flash chip. This also prevents hdd from spinning
down if the log is located on hdd and the dlna capable tv is online.
Set the log level to "error" by default.
MAN:
Set this to change the verbosity of the information that is logged
each section can use a different level: off, fatal, error, warn,
info, or debug
Example
log_level=general,artwork,database,inotify,scanner,metadata,http,ssdp,tivo=warn
Signed-off-by: Pavel Kubelun <be.dissent@gmail.com>
Some users might create a minidlna root with symlinks
to shared locations. While this could potentially create
a vulnerability, the option should be available to allow
users to do this should they choose to.
wide_links=no : (default) no content served + error message
[timestamp] upnphttp.c:1366: error: Rejecting wide link X
wide_links=yes : content served, no error messages
Signed-off-by: James Christopher Adduono <jc@adduono.com>
Unfortunately this is breaking sorting and causes some
issues with starting streams on various non-Panasonic
clients. Tested on 5 different models of 2014-2017
Samsung Smart TVs and BubbleUPnP for Android.
Removing this patch fixes sorting by filename and
clients no longer sometimes fail to load the streams.
Signed-off-by: James Christopher Adduono <jc@adduono.com>
1.2.1 - Released 24-Aug-2017
--------------------------------
- Added Movian client detection and subtitle support.
- Fixed an issue with discovery on non-Linux systems.
- Fixed Bonjour discovery compatibility with TiVo Bolt.
- Fixed NFO file parsing, and added change monitoring support for them.
- Added a workaround for video thumbnails on some Samsung clients.
- Added DoS protection for event subscriptions.
- Fixed content browsing issues with some Samsung TVs.
- Improved non-destructive update scan support.
Signed-off-by: James Christopher Adduono <jc@adduono.com>
Update minidlna to 1.2.0
Switch to tarball
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Updated to latest commit upstream as the latest tagged version didn't get
a tarball release at all. Includes various fixes and also support for
never versions of ffmpeg.
Also added a sorting patch for Panasonic TVs.
Source: c8245740c3
Various improvements to package Makefile.
Source/Template: c389dcdc02/multimedia/minidlna/Makefile
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
The Philips TV patch was included upstream.
Rename the minidlnad binary to minidlna instead of tweaking automake files.
Signed-off-by: Ian Leonard <antonlacon@gmail.com>
Fabrice Fontaine