Bug 793953 (CVE-2021-3468, CVE-2021-3502, CVE-2021-36217) - net-dns/avahi: Denial of service (CVE-2021-{3468,3502,36217})
Summary: net-dns/avahi: Denial of service (CVE-2021-{3468,3502,36217})
Status: IN_PROGRESS
Alias: CVE-2021-3468, CVE-2021-3502, CVE-2021-36217
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/lathiat/avahi/pull...
Whiteboard: A3 [upstream/ebuild]
Keywords:
Duplicates: 798117
Depends on:
Blocks:
 
Reported: 2021-06-02 18:48 UTC by Sam James
Modified: 2021-07-07 21:23 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester gentoo-dev Security 2021-06-02 18:48:46 UTC
Description:
"A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered."
Comment 1 John Helmert III gentoo-dev Security 2021-06-24 03:04:57 UTC
*** Bug 798117 has been marked as a duplicate of this bug. ***
Comment 2 John Helmert III gentoo-dev Security 2021-06-24 03:05:44 UTC
CVE-2021-3502:

A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.


Patch: https://github.com/lathiat/avahi/commit/fd482a74625b8db8547b8cfca3ee3d3c6c721423
Comment 3 John Helmert III gentoo-dev Security 2021-07-07 21:23:55 UTC
CVE-2021-36217:

Avahi 0.8 allows a local denial of service (NULL pointer dereference and daemon crash) against avahi-daemon via the D-Bus interface or a "ping .local" command.

Unreleased patch: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c