Fixes CVE-2023-33476:
ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 are vulnerable
to Buffer Overflow. The vulnerability is caused by incorrect
validation logic when handling HTTP requests using chunked transport
encoding. This results in other code later using attacker-controlled
chunk values that exceed the length of the allocated buffer,
resulting in out-of-bounds read/write.
Signed-off-by: Robert Högberg <robert.hogberg@gmail.com>
- Updated to latest version
- Removed upstreamed patches
- Refreshed patches
Project changelog:
1.3.2 - Released 30-Aug-2022
--------------------------------
- Improved DNS rebinding attack protection.
- Added Samsung Neo QLED series (2021) support.
- Added webm/rm/rmvb support.
1.3.1 - Released 11-Feb-2022
--------------------------------
- Fixed a potential crash in SSDP request parsing.
- Fixed a configure script failure on some platforms.
- Protect against DNS rebinding attacks.
- Fix a socket leakage issue on some platforms.
- Minor bug fixes.
Signed-off-by: Andrew Sim <andrewsimz@gmail.com>
Fixes two CVEs relating to UPnP.
Removed libuuid dependency. It is not used.
Remove clock_gettime hack. It seems to have been fixed.
Removed upstream patches.
Refreshed the other ones.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Different files use their own setjmp_buffer, thus
we have two global variables called setjmp_buffer.
I am not sure if we should use only one instance of it.
The patch sent upstream uses a similar approach.
https://sourceforge.net/p/minidlna/bugs/327/
Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
Removed cover resizing patch. It doesn't work right.
Removed SIGHUP reload. While minidlna handles it, it needs work to
function properly.
Removed service_triggers. They don't work for similar reasons as above.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Removed inactive maintainer.
Cleaned up Makefile to remove old options.
Switched to PKG_INSTALL for consistency.
Added PKG_BUILD_PARALLEL for faster compilation.
Fixed license info.
Removed '' from enabled for consistency.
Ran init script through shellcheck. Batched config file writes.
Switched it to use procd. The -S parameter changes it to foreground. It
stands for systemd.
Added a sysctl tweak to get rid of warning.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Update minidlna to latest commit
Cherry pick commits from https://github.com/xavery/minidlna
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Unfortunately this is breaking sorting and causes some
issues with starting streams on various non-Panasonic
clients. Tested on 5 different models of 2014-2017
Samsung Smart TVs and BubbleUPnP for Android.
Removing this patch fixes sorting by filename and
clients no longer sometimes fail to load the streams.
Signed-off-by: James Christopher Adduono <jc@adduono.com>
Update minidlna to 1.2.0
Switch to tarball
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Updated to latest commit upstream as the latest tagged version didn't get
a tarball release at all. Includes various fixes and also support for
newer versions of ffmpeg.
Also added a sorting patch for Panasonic TVs.
Source: c8245740c3
Various improvements to package Makefile.
Source/Template: c389dcdc02/multimedia/minidlna/Makefile
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
The Philips TV patch was included upstream.
Rename the minidlnad binary to minidlna instead of tweaking automake files.
Signed-off-by: Ian Leonard <antonlacon@gmail.com>