793953 – (CVE-2021-3468, CVE-2021-3502, CVE-2021-36217) net-dns/avahi: Denial of service (CVE-2021-{3468,3502,36217))

Bug 793953 (CVE-2021-3468, CVE-2021-3502, CVE-2021-36217) - net-dns/avahi: Denial of service (CVE-2021-{3468,3502,36217))

Summary: net-dns/avahi: Denial of service (CVE-2021-{3468,3502,36217))

Status:	IN_PROGRESS

Alias:	CVE-2021-3468, CVE-2021-3502, CVE-2021-36217

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://github.com/lathiat/avahi/pull...
Whiteboard:	A3 [upstream/ebuild]
Keywords:	PullRequest

Duplicates (1):	798117 (view as bug list)
Depends on:
Blocks:

Reported:	2021-06-02 18:48 UTC by Sam James
Modified:	2022-06-21 16:16 UTC (History)
CC List:	2 users (show)

See Also:	798117 https://github.com/gentoo/gentoo/pull/26021
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-06-02 18:48:46 UTC

Description:
"A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered."

Comment 1 John Helmert III archtester

2021-06-24 03:04:57 UTC

*** Bug 798117 has been marked as a duplicate of this bug. ***

Comment 2 John Helmert III archtester

2021-06-24 03:05:44 UTC

CVE-2021-3502:

A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.


Patch: https://github.com/lathiat/avahi/commit/fd482a74625b8db8547b8cfca3ee3d3c6c721423

Comment 3 John Helmert III archtester

2021-07-07 21:23:55 UTC

CVE-2021-36217:

Avahi 0.8 allows a local denial of service (NULL pointer dereference and daemon crash) against avahi-daemon via the D-Bus interface or a "ping .local" command.

Unreleased patch: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:21:59 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:30:10 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 17:38:08 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 17:46:15 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 8 NATTkA bot gentoo-dev

2021-07-29 18:02:12 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 9 NATTkA bot gentoo-dev

2021-07-29 18:10:31 UTC

Package list is empty or all packages have requested keywords.