CallStranger a.k.a. CVE-2020-12695
Brought to you by:
jmaggard
minidlna is affected by CallStranger a.k.a. CVE-2020-12695 because it uses a very old version of miniupnpd source code which does not embed the checkCallbackURL function. This function has been added to miniupnpd in 2011/06/27. It must be used in ProcessHTTPSubscribe_upnphttp to check that the callback URL is on the same IP as the request, and not on the internet.
I checked that minidlna in version 1.2.1 was affected by this vulnerability thanks to https://github.com/yunuscadirci/CallStranger
The attached patch fixes this issue.
For anyone else finding this, it was fixed in https://sourceforge.net/p/minidlna/git/ci/06ee114731612462eb1eb1266f0431ccf59269d2, and released in 1.3.0, while some distros may have backported the fix to 1.2.1 (Debian)