Rob Leslie reported that the avahi daemon creates a packet storm on legacy unicast traffic; see URL for details.
CVE-2009-0758 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0758): The originates_from_local_legacy_unicast_socket function in avahi-core/server.c in avahi-daemon 0.6.23 does not account for the network byte order of a port number when processing incoming multicast packets, which allows remote attackers to cause a denial of service (network bandwidth and CPU consumption) via a crafted legacy unicast mDNS query packet that triggers a multicast packet storm.
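The byte-order mistake named in the CVE text, as an added illustration that is not part of the original report and is not avahi's source. The function names are hypothetical, the socket address is constructed rather than read from a real socket, and the caller is assumed to pass the packet's source port in host byte order.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for what getsockname() reports for a bound UDP
 * socket: sin_port is always stored in network byte order. */
static struct sockaddr_in local_socket_name(uint16_t port_host) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port_host);
    return sa;
}

/* Flawed check: compares the network-order field with a host-order value. */
static int from_local_socket_buggy(const struct sockaddr_in *local, uint16_t src_port_host) {
    return local->sin_port == src_port_host;
}

/* Corrected check: convert to host order before comparing. */
static int from_local_socket_fixed(const struct sockaddr_in *local, uint16_t src_port_host) {
    return ntohs(local->sin_port) == src_port_host;
}

/* Count the local ports for which a packet sent from that very port is
 * recognised as locally originated by the given check. */
static unsigned recognised_ports(int (*check)(const struct sockaddr_in *, uint16_t)) {
    unsigned n = 0;
    for (uint32_t p = 1; p <= 65535; p++) {
        struct sockaddr_in sa = local_socket_name((uint16_t)p);
        n += check(&sa, (uint16_t)p) ? 1u : 0u;
    }
    return n;
}

int main(void) {
    printf("buggy check recognises %u of 65535 ports\n", recognised_ports(from_local_socket_buggy));
    printf("fixed check recognises %u of 65535 ports\n", recognised_ports(from_local_socket_fixed));
    return 0;
}
```

On a little-endian host the flawed check only succeeds for ports whose two bytes are identical, so a daemon relying on it would almost never recognise its own packets.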
I've applied the patch to net-dns/avahi-0.6.24-r1
Arches, please test and mark stable:
=net-dns/avahi-0.6.24-r1
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Please mark avahi-0.6.24-r2 stable, it contains a fix for libtool-2.
Created attachment 184208
net-dns:avahi-0.6.24-r2:20090307-102952.log

seems to have troubles with libtool-1.5.26 here on amd64/x86.
Created attachment 184210
config.log
Stable for HPPA.
Stable on alpha.
ppc64 done
(In reply to comment #5)
> Created an attachment (id=184208)
> net-dns:avahi-0.6.24-r2:20090307-102952.log
>
> seems to have troubles with libtool-1.5.26 here on amd64/x86.

Same here on x86, yet on alpha doesn't give any issues with the same USE-flags :/
ppc done
That log is not libtool, it's intltool. The ebuild lacks a dependency over a newer version of intltool. The avahi versions released up to now use libtool 1.5 by default.
(In reply to comment #12)
> That log is not libtool, it's intltool. The ebuild lacks a dependency over a
> newer version of intltool.
>
> The avahi versions released up to now use libtool 1.5 by default.

Indeed, with stable intltool on x86 it works now...probably this bug should depend on the gnome stabilization.
arm/ia64/s390/sh/sparc/x86 stable
amd64 stable, all arches done.
GLSA 200904-10