Bug 627020 (CVE-2017-6519) - <net-dns/avahi-0.7-r2: Multicast DNS responds to unicast queries outside of local network (CVE-2017-6519)
Status: RESOLVED FIXED
Alias: CVE-2017-6519
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: B3 [noglsa cve]
Reported: 2017-08-04 01:44 UTC by Andrey Ovcharov
Modified: 2020-04-16 06:39 UTC
Description Andrey Ovcharov 2017-08-04 01:44:47 UTC
https://nvd.nist.gov/vuln/detail/CVE-2017-6519

"avahi-daemon in Avahi through 0.6.32 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809."

https://bugzilla.redhat.com/show_bug.cgi?id=1426712

"It was found that avahi responds to unicast queries coming from outside of local network which may cause an information leak, such as disclosing the device type/model that responds to the request or the operating system. The mDNS response may also be used to amplify denial of service attacks against other networks as the response size is greater than the size of request.

External References:

https://www.kb.cert.org/vuls/id/550620"
Comment 1 D'juan McDonald (domhnall) 2017-09-04 01:55:38 UTC
Upstream Bug: https://github.com/lathiat/avahi/issues/145
Comment 2 D'juan McDonald (domhnall) 2019-02-17 06:10:13 UTC
Update: "Drop legacy unicast queries from address not on local link"

https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f
https://github.com/lathiat/avahi/compare/v0.7...master


 net-dns/avahi:
          |                           a     |       |  
          |                           m     |       |  
          |                           d   x |       |  
          |                           6   8 |       |  
          |                           4   6 |   u   |  
          | a a   a     p           s |   | |   n   |  
          | l m   r i   p   h m s   p f m f | e u s | r
          | p d a m a p c x p 6 3   a b i b | a s l | e
          | h 6 r 6 6 p 6 8 p 8 9 s r s p s | p e o | p
          | a 4 m 4 4 c 4 6 a k 0 h c d s d | i d t | o
----------+---------------------------------+-------+-------
0.6.32    | o o o o o o o o + o o o o o o o | 5 # 0 | gentoo
   0.7-r1 | + + + + + + + + + o + o + ~ ~ o | 6 o   | gentoo
   0.7-r2 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ ~ ~ o | 6 o   | gentoo

Seems bug 635418 closes this one also.
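
The check that the advisory text in the description and the commit title quoted in comment 2 describe, as an added example (not Avahi's code and not part of this bug report): a query from a source port other than 5353 is treated as a legacy unicast query and is answered only when its source address falls inside a prefix configured on the receiving interface. The `if_addr` struct, the function names and the sample addresses are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MDNS_PORT 5353

/* Hypothetical record for one address configured on the receiving interface. */
struct if_addr { int family; const char *addr; unsigned prefix_len; };

/* Constructed sample interface configuration (private/documentation ranges). */
static const struct if_addr SAMPLE_ADDRS[] = {
    { AF_INET,  "192.168.1.10",   24 },
    { AF_INET,  "10.0.0.1",       26 },
    { AF_INET6, "2001:db8:1::10", 64 },
};
#define SAMPLE_COUNT (sizeof SAMPLE_ADDRS / sizeof SAMPLE_ADDRS[0])

/* 1 if src shares the first prefix_len bits with the interface address. */
static int on_link(const struct if_addr *ia, int family, const char *src) {
    uint8_t a[16] = {0}, b[16] = {0};
    unsigned max_bits = (family == AF_INET) ? 32 : 128;
    if (family != ia->family || ia->prefix_len > max_bits) return 0;
    if (inet_pton(family, ia->addr, a) != 1 || inet_pton(family, src, b) != 1) return 0;
    unsigned full = ia->prefix_len / 8, rem = ia->prefix_len % 8;
    if (memcmp(a, b, full) != 0) return 0;
    if (rem == 0) return 1;
    uint8_t mask = (uint8_t)(0xFFu << (8 - rem));
    return (a[full] & mask) == (b[full] & mask);
}

/* Legacy unicast queries (source port != 5353) get a direct unicast reply, so
 * answer them only for on-link sources. Port-5353 queries take a different
 * path that this sketch does not model; they are passed through unchanged. */
int should_answer(const struct if_addr *addrs, size_t n, int family,
                  const char *src, uint16_t src_port) {
    if (src_port == MDNS_PORT) return 1;
    for (size_t i = 0; i < n; i++)
        if (on_link(&addrs[i], family, src)) return 1;
    return 0;
}

int main(void) {
    printf("on-link v4:  %d\n", should_answer(SAMPLE_ADDRS, SAMPLE_COUNT, AF_INET, "192.168.1.77", 40000));
    printf("off-link v4: %d\n", should_answer(SAMPLE_ADDRS, SAMPLE_COUNT, AF_INET, "203.0.113.5", 40000));
    printf("off-link v6: %d\n", should_answer(SAMPLE_ADDRS, SAMPLE_COUNT, AF_INET6, "2001:db8:2::99", 40000));
    return 0;
}
```
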
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-29 03:21:13 UTC
(In reply to D'juan McDonald (domhnall) from comment #2)
> Update: "Drop legacy unicast queries from address not on local link"
> 
> https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f
> https://github.com/lathiat/avahi/compare/v0.7...master
> 
> 
>  net-dns/avahi:
>           |                           a     |       |  
>           |                           m     |       |  
>           |                           d   x |       |  
>           |                           6   8 |       |  
>           |                           4   6 |   u   |  
>           | a a   a     p           s |   | |   n   |  
>           | l m   r i   p   h m s   p f m f | e u s | r
>           | p d a m a p c x p 6 3   a b i b | a s l | e
>           | h 6 r 6 6 p 6 8 p 8 9 s r s p s | p e o | p
>           | a 4 m 4 4 c 4 6 a k 0 h c d s d | i d t | o
> ----------+---------------------------------+-------+-------
> 0.6.32    | o o o o o o o o + o o o o o o o | 5 # 0 | gentoo
>    0.7-r1 | + + + + + + + + + o + o + ~ ~ o | 6 o   | gentoo
>    0.7-r2 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ ~ ~ o | 6 o   | gentoo
> 
> Seems bug 635418 closes this one also.

How so?  33 commits made to master since the 0.7 release.  No patches in the tree address this...
Comment 4 Anthony Basile gentoo-dev 2019-11-09 16:45:00 UTC
I added it to the tree.
Comment 5 Sam James archtester gentoo-dev Security 2020-04-09 10:31:52 UTC
Was fixed in 0.7-r2, tree is clean now. 

Setting to [glsa?].
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 06:39:06 UTC
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].