From a63d4457725af58d27a1685fb35caf1ea491f816 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 6 Mar 2022 11:42:33 +0100 Subject: [PATCH 1/3] minidlna: 1.3.0 -> 1.3.1 Prevents DNS rebinding attacks through malicious remote web servers. https://www.openwall.com/lists/oss-security/2022/03/03/1 Fixes: CVE-2022-26505 --- pkgs/tools/networking/minidlna/default.nix | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/pkgs/tools/networking/minidlna/default.nix b/pkgs/tools/networking/minidlna/default.nix index c14b8c68479..ac4b70184e9 100644 --- a/pkgs/tools/networking/minidlna/default.nix +++ b/pkgs/tools/networking/minidlna/default.nix @@ -1,20 +1,25 @@ -{ lib, stdenv, fetchurl, ffmpeg, flac, libvorbis, libogg, libid3tag, libexif, libjpeg, sqlite, gettext }: +{ lib, stdenv, fetchgit, autoreconfHook, ffmpeg, flac, libvorbis, libogg, libid3tag, libexif, libjpeg, sqlite, gettext }: -let version = "1.3.0"; in - -stdenv.mkDerivation { +let pname = "minidlna"; - inherit version; + version = "1.3.1"; +in +stdenv.mkDerivation { + inherit pname version; - src = fetchurl { - url = "mirror://sourceforge/project/minidlna/minidlna/${version}/minidlna-${version}.tar.gz"; - sha256 = "0qrw5ny82p5ybccw4pp9jma8nwl28z927v0j2561m0289imv1na7"; + # tarball for 1.3.1 is missing + src = fetchgit { + url = "https://git.code.sf.net/p/${pname}/git"; + rev = "v${builtins.replaceStrings [ "." ] [ "_" ] version}"; + hash = "sha256-nbvz/QHSZBTZEqX/utOoOF5vorhrxGqIBA9qfpIZzyU="; }; preConfigure = '' export makeFlags="INSTALLPREFIX=$out" ''; + nativeBuildInputs = [ autoreconfHook ]; + buildInputs = [ ffmpeg flac libvorbis libogg libid3tag libexif libjpeg sqlite gettext ]; postInstall = '' From d5633c504fc1e96bfbae4d500e6fe86cc192fa15 Mon Sep 17 00:00:00 2001 
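Review bot: The new `rev = "v${builtins.replaceStrings [ "." ] [ "_" ] version}"` line pins the source to a git tag, which is a mutable reference, so the `hash` line is the only thing that actually fixes what gets built — acceptable because fetchgit fails closed on a mismatch, but the `# tarball for 1.3.1 is missing` comment should make that explicit rather than leaving a reader to assume the tag is authoritative. I would expand it to `# No release tarball for 1.3.1; build from the upstream git tag. The hash, not the tag, pins the content — re-verify it against upstream whenever rev changes.` The added `nativeBuildInputs = [ autoreconfHook ];` also deserves a one-line why-comment, since a git checkout carries no generated configure script and that is presumably why it is needed now. The derivation body continues past the end of the hunk (`postInstall` is cut off).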
From: Martin Weinelt Date: Sun, 6 Mar 2022 12:53:30 +0100 Subject: [PATCH 2/3] minidlna: add passthrough test --- pkgs/tools/networking/minidlna/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/networking/minidlna/default.nix b/pkgs/tools/networking/minidlna/default.nix index ac4b70184e9..00cd85a4273 100644 --- a/pkgs/tools/networking/minidlna/default.nix +++ b/pkgs/tools/networking/minidlna/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchgit, autoreconfHook, ffmpeg, flac, libvorbis, libogg, libid3tag, libexif, libjpeg, sqlite, gettext }: +{ lib, stdenv, fetchgit, autoreconfHook, ffmpeg, flac, libvorbis, libogg, libid3tag, libexif, libjpeg, sqlite, gettext, nixosTests }: let pname = "minidlna"; @@ -28,6 +28,8 @@ stdenv.mkDerivation { cp minidlnad.8 $out/share/man/man8 ''; + passthru.tests = { inherit (nixosTests) minidlna; }; + meta = with lib; { description = "Media server software"; longDescription = '' From 97572a798ce24879341bc38ddb8fb5f70509902e Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sun, 6 Mar 2022 13:08:19 +0000 Subject: [PATCH 3/3] nixosTests.minidlna: fix by performing requests by IP a little ugly, but minidlna now checks requests Host: header and only accepts requests using an IPv4 address to avoid DNS-rebinding attacks. --- nixos/tests/minidlna.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/nixos/tests/minidlna.nix b/nixos/tests/minidlna.nix index d852c7f60bc..104b79078fd 100644 --- a/nixos/tests/minidlna.nix +++ b/nixos/tests/minidlna.nix 
@@ -33,7 +33,9 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 server.succeed("mkdir -p /tmp/stuff && chown minidlna: /tmp/stuff")
 server.wait_for_unit("minidlna")
 server.wait_for_open_port("8200")
- server.succeed("curl --fail http://localhost:8200/")
- client.succeed("curl --fail http://server:8200/")
+ # requests must be made *by IP* to avoid triggering minidlna's
+ # DNS-rebinding protection
+ server.succeed("curl --fail http://$(getent ahostsv4 localhost | head -n1 | cut -f 1 -d ' '):8200/")
+ client.succeed("curl --fail http://$(getent ahostsv4 server | head -n1 | cut -f 1 -d ' '):8200/")
 '';
 })
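Review bot: The two rewritten `succeed` lines only prove that IP-addressed requests still work; nothing asserts that the Host-header check the commit message describes is active, so a minidlna build without the CVE-2022-26505 fix would pass this test unchanged. If the new validation rejects hostname Host: headers as described, a negative assertion pins the fix, e.g. `client.fail("curl --fail http://server:8200/")` after the IP-based client request (curl exits non-zero on a 4xx response or a dropped connection). The `server` name presumably resolves through the test framework's generated /etc/hosts rather than DNS, so the new comment might say `# hostnames (even /etc/hosts ones) are rejected by minidlna's Host: header check` to avoid implying real rebinding is exercised. The enclosing `testScript` begins outside the hunk.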