Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 159306 - net-dns/avahi 0.6.16 fixes 100% CPU DoS (CVE-2006-6870)
Summary: net-dns/avahi 0.6.16 fixes 100% CPU DoS (CVE-2006-6870)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Other
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-12-28 13:45 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2007-02-11 10:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-12-28 13:45:06 UTC
http://avahi.org/#December2006

December 2006

* 2006-12-29: We have released Avahi 0.6.16! This is a bugfix release, it fixes 1 security sensitive bug (100% CPU DoS) and 1 regression from the last release. All users are recommended to upgrade ASAP, especially given the DoS and regression which can often cause Avahi not to work correctly.
Comment 1 Sven Wegener gentoo-dev 2006-12-28 14:02:24 UTC
I'm away from my computer equipment until the evening of the 1st of January. It should be a straight forward version bump, the dbus-fixes patch can be dropped. If someone wants to commit the bump before I'm back at home, go ahead.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-29 05:14:03 UTC
I talked to Sven and bumped to 0.6.16, also ppc stable
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-29 06:09:46 UTC
Sven told me that 0.6.16.1 or 0.6.17 is probably to be released on short notice, we might want to wait with calling arches for stabling.
Comment 4 Priit Laes (IRC: plaes) 2006-12-30 00:09:42 UTC
While this is till open, could you please make ebuild to install the NEWS file? :)
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-04 12:02:03 UTC
Tobias, any news on this one?

Priit, security bugs are not feature requests, please open a new bug.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-01-04 12:53:54 UTC
(In reply to comment #5)
> Tobias, any news on this one?

Sven is back again, i was just proxying. But as far as i know there aren't news.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-06 12:29:08 UTC
Do we want to wait for the upcoming release or mark 0.6.16 stable.
Comment 8 Sven Wegener gentoo-dev 2007-01-06 12:31:41 UTC
The release of 0.6.17 is planned for today.
Comment 9 Sven Wegener gentoo-dev 2007-01-07 13:59:11 UTC
The release of 0.6.17 has been deferred another week. I'm about to pull some fixes from upstream and bump to -r1 including the fixes.
Comment 10 Sven Wegener gentoo-dev 2007-01-07 21:48:28 UTC
OK, 0.6.16-r1 is in the tree.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-12 23:00:25 UTC
Hello teams, you know the deal.
0.6.16-r1
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-12 23:00:52 UTC
ppc is very fast
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2007-01-13 03:46:21 UTC
Marked net-dns/avahi-0.6.16-r1 stable for HPPA.
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2007-01-13 08:41:52 UTC
ppc64 stable
Comment 15 Markus Meier gentoo-dev 2007-01-14 01:39:24 UTC
net-dns/avahi-0.6.16-r1  USE="dbus gdbm gtk mono python qt3 qt4 -autoipd -bookmarks -doc -howl-compat -mdnsresponder-compat"
1. emerges on x86
2. passes collision test
3. works

Gentoo Base System version 1.12.6
Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.19.1 i686)
=================================================================
System uname: 2.6.19.1 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Last Sync: Sat, 13 Jan 2007 16:30:04 +0000
ccache version 2.4 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/pack
ages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa alsa_cards_ali5451 alsa_cards_als4000 alsa_cards_atiixp alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106 alsa_cards_cmipci alsa_cards_emu10k1x alsa_cards_ens1370 alsa
_cards_ens1371 alsa_cards_es1938 alsa_cards_es1968 alsa_cards_fm801 alsa_cards_hda-intel alsa_cards_intel8x0 alsa_cards_intel8x0m alsa_cards_maestro3 alsa_cards_trident alsa_cards_usb-audio alsa_cards_via8
2xx alsa_cards_via82xx-modem alsa_cards_ymfpci alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop
 alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugin
s_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugin
s_shm alsa_pcm_plugins_softvol apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fort
ran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_G
B mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl
svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xpri
nt xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 16 Andrej Kacian (RETIRED) gentoo-dev 2007-01-14 02:37:29 UTC
x86 done
Comment 17 Luis Medinas (RETIRED) gentoo-dev 2007-01-15 01:52:54 UTC
amd64 stable for the win!
Comment 18 Gustavo Zacarias (RETIRED) gentoo-dev 2007-01-15 17:26:48 UTC
sparc stable.
Comment 19 Bryan Østergaard (RETIRED) gentoo-dev 2007-01-15 19:34:30 UTC
Alpha done.
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-15 23:28:31 UTC
needs voting:

i vote no since it sounds to me mostly like a client-side DoS
Comment 21 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-17 13:51:42 UTC
tend to vote no too
Comment 22 Wolf Giesen (RETIRED) gentoo-dev 2007-01-18 06:45:25 UTC
no++
Comment 23 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-22 11:42:44 UTC
closing with noglsa, feelfreetoreopenifyoudisagree