Bugzilla – Bug 1222007
VUL-0: CVE-2023-33476: minidlna -- security update
Last modified: 2024-03-29 02:04:55 UTC
ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 are vulnerable to a buffer overflow. The vulnerability is caused by incorrect validation logic when handling HTTP requests using chunked transfer encoding. This results in other code later using attacker-controlled chunk values that exceed the length of the allocated buffer, resulting in an out-of-bounds read/write.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33476
https://www.cve.org/CVERecord?id=CVE-2023-33476
https://blog.coffinsec.com/0day/2023/05/31/minidlna-heap-overflow-rca.html
https://sourceforge.net/p/minidlna/git/ci/9bd58553fae5aef3e6dd22f51642d2c851225aec/
https://sourceforge.net/projects/minidlna/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037052
https://security-tracker.debian.org/tracker/DSA-5434-1
https://lists.debian.org/debian-lts-announce/2023/06/msg00027.html
https://www.debian.org/security/2023/dsa-5434
https://security.gentoo.org/glsa/202311-12
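As an added illustration of the check class this advisory describes (written for this page; it is not minidlna's code and not the patched routine in the linked commit): a chunked-body decoder that validates every attacker-supplied chunk size against both the remaining input and the destination buffer before that size is ever used as a copy length. Function names, the sample body and the rejection cases are the example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds-checked decoder for an HTTP chunked body.
 * Returns the number of payload bytes written to out, or -1 on any
 * malformed or oversized input. Chunk extensions and trailers are
 * deliberately unsupported and rejected. */

static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "<hex>\r\n" at in[0..len). On success stores the chunk size and
 * the number of bytes consumed. The size is attacker data: refuse values
 * that would wrap size_t instead of silently truncating them. */
static int parse_chunk_size(const char *in, size_t len, size_t *size, size_t *used) {
    size_t i = 0, v = 0;
    int digits = 0;
    while (i < len) {
        int d = hex_val(in[i]);
        if (d < 0) break;
        if (v > (SIZE_MAX >> 4)) return -1;   /* next shift would overflow */
        v = (v << 4) | (size_t)d;
        i++;
        digits++;
    }
    if (digits == 0) return -1;
    if (i + 2 > len || in[i] != '\r' || in[i + 1] != '\n') return -1;
    *size = v;
    *used = i + 2;
    return 0;
}

long dechunk(const char *in, size_t in_len, char *out, size_t out_cap) {
    size_t pos = 0, written = 0;
    for (;;) {
        size_t csize, used;
        if (parse_chunk_size(in + pos, in_len - pos, &csize, &used) != 0) return -1;
        pos += used;
        if (csize == 0) {
            /* final chunk must be followed by an empty line */
            if (pos + 2 > in_len || in[pos] != '\r' || in[pos + 1] != '\n') return -1;
            return (long)written;
        }
        /* The check this bug class is about: the chunk size must fit in what
         * remains of the input (data plus trailing CRLF) AND in the output
         * buffer before it is used as a memcpy length. */
        if (csize > in_len - pos || in_len - pos - csize < 2) return -1;
        if (csize > out_cap - written) return -1;
        memcpy(out + written, in + pos, csize);
        written += csize;
        pos += csize;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
    }
}

/* Helper: decode a NUL-terminated body into a buffer of out_cap bytes and
 * report 1 if the payload equals expect, 0 on a mismatch, -1 if rejected. */
int dechunk_equals(const char *body, size_t out_cap, const char *expect) {
    char out[256];
    if (out_cap > sizeof out) out_cap = sizeof out;
    long n = dechunk(body, strlen(body), out, out_cap);
    if (n < 0) return -1;
    return ((size_t)n == strlen(expect) && memcmp(out, expect, (size_t)n) == 0) ? 1 : 0;
}

int main(void) {
    /* constructed sample: two chunks "Wiki" and "pedia", then the final chunk */
    const char *body = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    /* constructed malicious sample: declared chunk far longer than the data */
    const char *oversized = "FFFFFFFF\r\nabc\r\n0\r\n\r\n";
    printf("well-formed body, 64-byte buffer: %d\n", dechunk_equals(body, 64, "Wikipedia"));
    printf("well-formed body, 4-byte buffer:  %d\n", dechunk_equals(body, 4, "Wikipedia"));
    printf("oversized chunk value:            %d\n", dechunk_equals(oversized, 64, "abc"));
    return 0;
}
```

The decoder never trusts the declared chunk length on its own: the length is compared with the bytes actually present and with the space actually left in the destination, and the body is only copied once both comparisons pass. A decoder that performs the second comparison against the wrong quantity, or performs it after the copy, exhibits exactly the out-of-bounds read/write described above.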
devel project (multimedia:apps) and openSUSE:Factory have version 1.3.3
openSUSE:Backports:SLE-15-SP6 has 1.3.3
backports 15.5: created request id 1162295
backports 15.4 tells me it is unmaintained; built in home:oertel:branches:openSUSE:Backports:SLE-15-SP4:Update/minidlna
This is an autogenerated message for OBS integration: This bug (1222007) was mentioned in https://build.opensuse.org/request/show/1162295 Backports:SLE-15-SP5 / minidlna
openSUSE-SU-2024:0093-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1222007
CVE References: CVE-2023-33476
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): minidlna-1.3.3-bp155.2.3.1