Summary: | <net-dns/avahi DoS-0.6.24-r2 reflector creates packet storm on legacy unicast traffic (CVE-2009-0758) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | jer, swegener |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517683 | | |
Whiteboard: | B3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2009-03-02 17:28:27 UTC
CVE-2009-0758 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0758): The originates_from_local_legacy_unicast_socket function in avahi-core/server.c in avahi-daemon 0.6.23 does not account for the network byte order of a port number when processing incoming multicast packets, which allows remote attackers to cause a denial of service (network bandwidth and CPU consumption) via a crafted legacy unicast mDNS query packet that triggers a multicast packet storm.

I've applied the patch to net-dns/avahi-0.6.24-r1

Arches, please test and mark stable:
=net-dns/avahi-0.6.24-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Please mark avahi-0.6.24-r2 stable, it contains a fix for libtool-2.

Created attachment 184208
net-dns:avahi-0.6.24-r2:20090307-102952.log

seems to have troubles with libtool-1.5.26 here on amd64/x86.

Created attachment 184210
config.log

Stable for HPPA.

Stable on alpha.

ppc64 done

(In reply to comment #5)
> Created an attachment (id=184208)
> net-dns:avahi-0.6.24-r2:20090307-102952.log
>
> seems to have troubles with libtool-1.5.26 here on amd64/x86.

Same here on x86, yet on alpha doesn't give any issues with the same USE-flags :/

ppc done

That log is not libtool, it's intltool. The ebuild lacks a dependency over a newer version of intltool.

The avahi versions released up to now use libtool 1.5 by default.

(In reply to comment #12)
> That log is not libtool, it's intltool. The ebuild lacks a dependency over a
> newer version of intltool.
>
> The avahi versions released up to now use libtool 1.5 by default.

Indeed, with stable intltool on x86 it works now...probably this bug should depend on the gnome stabilization.

arm/ia64/s390/sh/sparc/x86 stable

amd64 stable, all arches done.

GLSA 200904-10
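The byte-order mismatch named in the CVE description above, shown as an added illustration that is not avahi's code or part of this bug report. It assumes the received packet's source port is held in host byte order while the local socket address (as `getsockname()` would report it) carries `sin_port` in network byte order; all function names and sample ports are constructed for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the address getsockname() reports for the
 * daemon's own socket: sin_port is always in network byte order. */
static struct sockaddr_in local_socket_addr(uint16_t host_port) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(host_port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return sa;
}

/* Flawed: compares the network-order field with a host-order port. */
static int is_own_packet_flawed(const struct sockaddr_in *local, uint16_t src_port) {
    return local->sin_port == src_port;
}

/* Corrected: convert to host order before comparing. */
static int is_own_packet_fixed(const struct sockaddr_in *local, uint16_t src_port) {
    return ntohs(local->sin_port) == src_port;
}

/* Counts ports in [lo, hi] for which the flawed check fails to recognise a
 * packet sent from the local socket (assumed effect: it is handled as foreign). */
static unsigned missed_own_packets(unsigned lo, unsigned hi) {
    unsigned missed = 0;
    for (unsigned p = lo; p <= hi; p++) {
        struct sockaddr_in sa = local_socket_addr((uint16_t)p);
        if (is_own_packet_fixed(&sa, (uint16_t)p) && !is_own_packet_flawed(&sa, (uint16_t)p))
            missed++;
    }
    return missed;
}

int main(void) {
    struct sockaddr_in sa = local_socket_addr(5353); /* constructed sample port */
    printf("port 5353: flawed=%d fixed=%d\n",
           is_own_packet_flawed(&sa, 5353), is_own_packet_fixed(&sa, 5353));
    sa = local_socket_addr(0x1414); /* same bytes in either order: flaw stays hidden */
    printf("port 5140: flawed=%d fixed=%d\n",
           is_own_packet_flawed(&sa, 0x1414), is_own_packet_fixed(&sa, 0x1414));
    printf("missed in 49152-65535: %u\n", missed_own_packets(49152, 65535));
    return 0;
}
```

On a big-endian host `htons()` is a no-op, so the flawed comparison happens to work there and only little-endian machines expose the mismatch.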