
Bug 793953 (CVE-2021-3468, CVE-2021-3502, CVE-2021-36217, CVE-2023-1981, CVE-2023-38469, CVE-2023-38470, CVE-2023-38471, CVE-2023-38472, CVE-2023-38473)

Summary: net-dns/avahi: multiple DoS vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: ajak, maintainer-needed
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/lathiat/avahi/pull/330
See Also: https://bugs.gentoo.org/show_bug.cgi?id=798117
          https://github.com/gentoo/gentoo/pull/26021
Whiteboard: A3 [upstream/ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 883907
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 18:48:46 UTC
Description:
"A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered."
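The failure mode in that description, as an added example that is not avahi's code: a poll()-driven per-client handler in which a peer hang-up (POLLHUP, or a zero-length read) is a terminal state the caller acts on, rather than a condition that is silently polled again. The handler name, the state enum and the socketpair self-check are assumptions made for this illustration.

```c
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

enum client_state { CLIENT_ALIVE = 0, CLIENT_CLOSED = 1, CLIENT_ERROR = -1 };

/* One round of event handling for a client fd (hypothetical, not avahi's code).
 * A peer that has gone away (POLLHUP, or a 0-byte read) is reported as
 * CLIENT_CLOSED so the caller frees the client, instead of being treated as
 * "nothing to do" and polled again forever. */
static int handle_client_events(int fd)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    char buf[256];

    if (poll(&p, 1, 0) < 0)
        return errno == EINTR ? CLIENT_ALIVE : CLIENT_ERROR;
    if (p.revents & (POLLERR | POLLNVAL))
        return CLIENT_ERROR;
    if (p.revents & POLLIN) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n == 0)
            return CLIENT_CLOSED;          /* orderly shutdown by the peer */
        if (n < 0)
            return (errno == EAGAIN || errno == EINTR) ? CLIENT_ALIVE : CLIENT_ERROR;
        return CLIENT_ALIVE;               /* n bytes of request data to handle */
    }
    if (p.revents & POLLHUP)
        return CLIENT_CLOSED;              /* peer closed, nothing left to read */
    return CLIENT_ALIVE;
}

/* Self-check on a constructed socketpair: the peer sends one request and then
 * closes. The loop is bounded, so a handler that ignored the hang-up would
 * leave the state at CLIENT_ALIVE after the budget instead of hanging. */
int run_hangup_check(void)
{
    int sv[2], st = CLIENT_ERROR;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return CLIENT_ERROR;
    if (write(sv[1], "hi", 2) == 2)     /* one request from the peer... */
        st = CLIENT_ALIVE;
    close(sv[1]);                       /* ...then the peer hangs up */
    for (int i = 0; i < 8 && st == CLIENT_ALIVE; i++)
        st = handle_client_events(sv[0]);
    close(sv[0]);
    return st;
}
```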
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-24 03:04:57 UTC
*** Bug 798117 has been marked as a duplicate of this bug. ***
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-24 03:05:44 UTC
CVE-2021-3502:

A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.


Patch: https://github.com/lathiat/avahi/commit/fd482a74625b8db8547b8cfca3ee3d3c6c721423
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-07 21:23:55 UTC
CVE-2021-36217:

Avahi 0.8 allows a local denial of service (NULL pointer dereference and daemon crash) against avahi-daemon via the D-Bus interface or a "ping .local" command.

Unreleased patch: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:10:31 UTC
Package list is empty or all packages have requested keywords.
Comment 10 Larry the Git Cow gentoo-dev 2022-08-18 13:27:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca40d8f1bbfd62625a223896fefe4cc0d5284175

commit ca40d8f1bbfd62625a223896fefe4cc0d5284175
Author:     Federico Denkena <federico.denkena@posteo.de>
AuthorDate: 2022-06-21 15:33:40 +0000
Commit:     Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2022-08-18 13:21:57 +0000

    Patches for net-dns/avahi
    
    These patches were pulled from the avahi upstream to fix a vulnerability
    and other bugs.
    Bug: https://bugs.gentoo.org/793953
    Signed-off-by: Federico Denkena <federico.denkena@posteo.de>
    Signed-off-by: Anthony G. Basile <blueness@gentoo.org>

 net-dns/avahi/avahi-0.8-r6.ebuild                  | 217 +++++++++++++++++++++
 .../avahi/files/avahi-0.8-dependency-error.patch   |  15 ++
 .../files/avahi-0.8-disable-avahi-ui-sharp.patch   |  12 --
 .../avahi/files/avahi-0.8-null-pointer-crash.patch | 129 ++++++++++++
 .../avahi-0.8-potentially-undefined-fix.patch      |  25 +++
 5 files changed, 386 insertions(+), 12 deletions(-)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 16:00:06 UTC
(In reply to Larry the Git Cow from comment #10)

Seems like this only fixes CVE-2021-3502/CVE-2021-36217 (which appear to be duplicates)
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-27 17:51:48 UTC
CVE-2023-1981 (https://github.com/lathiat/avahi/issues/375):

A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash.

Unreleased patch is: https://github.com/lathiat/avahi/commit/92e4419e1ccb76b93358f47f46662298da4183bf
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-05 18:25:02 UTC
Redhat has, unhelpfully, not added all of the upstream references to the CVEs, but they all seem fixed upstream.

CVE-2023-38473:

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.

Merged PR: https://github.com/lathiat/avahi/pull/486

CVE-2023-38470:

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.

Merged PR: https://github.com/lathiat/avahi/pull/457

CVE-2023-38469:

A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.

Merged PR: https://github.com/lathiat/avahi/pull/500

CVE-2023-38471:

A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.

Merged PR: https://github.com/lathiat/avahi/pull/494

CVE-2023-38472:

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.

Merged PR: https://github.com/lathiat/avahi/pull/490

Worth noting that someone's asked for a release to be made: https://github.com/lathiat/avahi/issues/503