
Bug 627020 (CVE-2017-6519)

Summary: <net-dns/avahi-0.7-r2: Multicast DNS responds to unicast queries outside of local network (CVE-2017-6519)
Product: Gentoo Security Reporter: Andrey Ovcharov <sudormrfhalt>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: blueness
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2017-6519
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Andrey Ovcharov 2017-08-04 01:44:47 UTC
https://nvd.nist.gov/vuln/detail/CVE-2017-6519

"avahi-daemon in Avahi through 0.6.32 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809."

https://bugzilla.redhat.com/show_bug.cgi?id=1426712

"It was found that avahi responds to unicast queries coming from outside of local network which may cause an information leak, such as disclosing the device type/model that responds to the request or the operating system. The mDNS response may also be used to amplify denial of service attacks against other networks as the response size is greater than the size of request.

External References:

https://www.kb.cert.org/vuls/id/550620"
Comment 1 D'juan McDonald (domhnall) 2017-09-04 01:55:38 UTC
Upstream Bug: https://github.com/lathiat/avahi/issues/145
Comment 2 D'juan McDonald (domhnall) 2019-02-17 06:10:13 UTC
Update: "Drop legacy unicast queries from address not on local link"

https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f
https://github.com/lathiat/avahi/compare/v0.7...master


 net-dns/avahi:
          |                           a     |       |  
          |                           m     |       |  
          |                           d   x |       |  
          |                           6   8 |       |  
          |                           4   6 |   u   |  
          | a a   a     p           s |   | |   n   |  
          | l m   r i   p   h m s   p f m f | e u s | r
          | p d a m a p c x p 6 3   a b i b | a s l | e
          | h 6 r 6 6 p 6 8 p 8 9 s r s p s | p e o | p
          | a 4 m 4 4 c 4 6 a k 0 h c d s d | i d t | o
----------+---------------------------------+-------+-------
0.6.32    | o o o o o o o o + o o o o o o o | 5 # 0 | gentoo
   0.7-r1 | + + + + + + + + + o + o + ~ ~ o | 6 o   | gentoo
   0.7-r2 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ ~ ~ o | 6 o   | gentoo

Seems bug 635418 closes this one also.
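
Added example (not part of this bug report and not Avahi's code): the rule named in the commit title in comment 2, dropping legacy unicast queries whose source address is not on-link, written as a stand-alone C check. The interface prefixes, the function names and the reading of "legacy unicast" as a source port other than 5353 (RFC 6762) are assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MDNS_PORT 5353

/* Prefixes configured on the receiving interface (constructed sample data). */
struct iface_prefix { int family; const char *addr; unsigned prefix_len; };
static const struct iface_prefix sample_iface[] = {
    { AF_INET,  "192.0.2.10",     24 },
    { AF_INET6, "fe80::1",        64 },
    { AF_INET6, "2001:db8:1::10", 64 },
};

/* Compare the leading `bits` bits of two raw addresses. */
static int prefix_match(const uint8_t *a, const uint8_t *b, unsigned bits) {
    unsigned full = bits / 8, rem = bits % 8;
    if (memcmp(a, b, full) != 0) return 0;
    if (rem == 0) return 1;
    uint8_t mask = (uint8_t)(0xFF << (8 - rem));
    return (a[full] & mask) == (b[full] & mask);
}

/* 1 if src lies inside a prefix configured on the interface, else 0. */
int source_is_on_link(int family, const char *src) {
    uint8_t s[16], p[16];
    if (inet_pton(family, src, s) != 1) return 0; /* unparsable: off-link */
    for (size_t i = 0; i < sizeof sample_iface / sizeof sample_iface[0]; i++) {
        const struct iface_prefix *e = &sample_iface[i];
        if (e->family != family || inet_pton(family, e->addr, p) != 1) continue;
        if (prefix_match(s, p, e->prefix_len)) return 1;
    }
    return 0;
}

/* Models only the rule in the commit title: a legacy unicast query (source
 * port other than 5353, an assumption taken from RFC 6762) is dropped when
 * its source address is not on-link. Returns 1 to answer, 0 to drop. */
int should_answer(int family, const char *src, unsigned src_port) {
    if (src_port != MDNS_PORT && !source_is_on_link(family, src)) return 0;
    return 1;
}

int main(void) {
    printf("%d\n", should_answer(AF_INET, "192.0.2.77", 40000));
    printf("%d\n", should_answer(AF_INET6, "2001:db8:2::5", 40000));
    return 0;
}
```

A real responder would take the prefix list from the interface that received the packet rather than from a static table.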
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-03-29 03:21:13 UTC
(In reply to D'juan McDonald (domhnall) from comment #2)
> Update: "Drop legacy unicast queries from address not on local link"
> 
> https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f
> https://github.com/lathiat/avahi/compare/v0.7...master
> 
> 
>  net-dns/avahi:
>           |                           a     |       |  
>           |                           m     |       |  
>           |                           d   x |       |  
>           |                           6   8 |       |  
>           |                           4   6 |   u   |  
>           | a a   a     p           s |   | |   n   |  
>           | l m   r i   p   h m s   p f m f | e u s | r
>           | p d a m a p c x p 6 3   a b i b | a s l | e
>           | h 6 r 6 6 p 6 8 p 8 9 s r s p s | p e o | p
>           | a 4 m 4 4 c 4 6 a k 0 h c d s d | i d t | o
> ----------+---------------------------------+-------+-------
> 0.6.32    | o o o o o o o o + o o o o o o o | 5 # 0 | gentoo
>    0.7-r1 | + + + + + + + + + o + o + ~ ~ o | 6 o   | gentoo
>    0.7-r2 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ ~ ~ o | 6 o   | gentoo
> 
> Seems bug 635418 closes this one also.

How so?  33 commits made to master since the 0.7 release.  No patches in the tree address this...
Comment 4 Anthony Basile gentoo-dev 2019-11-09 16:45:00 UTC
I added it to the tree.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-09 10:31:52 UTC
Was fixed in 0.7-r2, tree is clean now. 

Setting to [glsa?].
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 06:39:06 UTC
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].