Bugzilla Bug 260971

Rob Leslie reported that the avahi daemon creates packet storm on legacy
unicast traffic, see URL for details.

CVE-2009-0758 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0758):
  The originates_from_local_legacy_unicast_socket function in
  avahi-core/server.c in avahi-daemon 0.6.23 does not account for the
  network byte order of a port number when processing incoming
  multicast packets, which allows remote attackers to cause a denial of
  service (network bandwidth and CPU consumption) via a crafted legacy
  unicast mDNS query packet that triggers a multicast packet storm.

I've applied the patch to net-dns/avahi-0.6.24-r1

Arches, please test and mark stable:
=net-dns/avahi-0.6.24-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Please mark avahi-0.6.24-r2 stable, it contains a fix for libtool-2.

Created an attachment (id=184208) [details]
net-dns:avahi-0.6.24-r2:20090307-102952.log

seems to have troubles with libtool-1.5.26 here on amd64/x86.

Created an attachment (id=184210) [details]
config.log

Stable for HPPA.

Stable on alpha. 

ppc64 done

(In reply to comment #5)
> Created an attachment (id=184208) [edit] [details]
> net-dns:avahi-0.6.24-r2:20090307-102952.log
> 
> seems to have troubles with libtool-1.5.26 here on amd64/x86.
> 

Same here on x86, yet on alpha doesn't give any issues with the same USE-flags
:/

ppc done

That log is not libtool, it's intltool. The ebuild lacks a dependency over a
newer version of intltool.

The avahi versions released up to now use libtool 1.5 by default.

(In reply to comment #12)
> That log is not libtool, it's intltool. The ebuild lacks a dependency over a
> newer version of intltool.
> 
> The avahi versions released up to now use libtool 1.5 by default.
> 

Indeed, with stable intltool on x86 it works now...probably this bug should
depend on the gnome stabilization.

arm/ia64/s390/sh/sparc/x86 stable

amd64 stable, all arches done.

GLSA 200904-10