Bug 133513 - net-dns/avahi-0.6.10: DoS attack / arbitrary code execution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: B1? [noglsa] DerCorny
Reported: 2006-05-16 10:36 UTC by Sven Wegener
Modified: 2006-05-17 04:46 UTC

Description Sven Wegener gentoo-dev 2006-05-16 10:36:25 UTC
<net-dns/avahi-0.6.10 is vulnerable to the following:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2289

Didn't notice this as I bumped the ebuild to 0.6.10
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-16 12:40:56 UTC
sparc and x86, please test and stable - thanks

Does this run as root? If not, this is probably only B3
Comment 2 Gustavo Zacarias (RETIRED) gentoo-dev 2006-05-16 12:46:07 UTC
sparc stable.
Comment 3 Joshua Jackson (RETIRED) gentoo-dev 2006-05-16 21:51:11 UTC
all done on x86 as well ^.^
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-16 22:30:11 UTC
Thx Joshua, but please don't close security bugs.

Time for GLSA decision. Impact is rather vague so I tend to vote NO.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-17 02:32:58 UTC
SA 20022 http://secunia.com/advisories/20022 shows details on the impact.

I think the buffer overflow comes from these lines of code:
http://0pointer.de/cgi-bin/viewcvs.cgi/trunk/avahi-core/rr.c?rev=1209&view=diff&r1=1209&r2=1208&p1=trunk/avahi-core/rr.c&p2=/trunk/avahi-core/rr.c

Remote exec of code is serious, but in this case, the official advisory says it is hardly remotely exploitable.
http://0pointer.de/cgi-bin/viewcvs.cgi/*checkout*/trunk/docs/NEWS?root=avahi
"We do not consider either of them major security threats. "
"The buffer overflow is hard to exploit remotely, only local users can
become the 'avahi' user. In addition the user is trapped inside a
chroot() environment (at least on Linux). "

Concerning the DoS issue (exploitable from a local network only), it is also possible to DoS avahi with inconsistent data. So the DoS issue is not very serious as for me.

I vote NO.
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-17 04:46:03 UTC
Yet another no and closing. Of course, feel free to reopen if you disagree.