Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 793953 (CVE-2021-3468, CVE-2021-3502, CVE-2021-36217) - net-dns/avahi: Denial of service (CVE-2021-{3468,3502,36217))
Summary: net-dns/avahi: Denial of service (CVE-2021-{3468,3502,36217))
Alias: CVE-2021-3468, CVE-2021-3502, CVE-2021-36217
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [upstream/ebuild]
: 798117 (view as bug list)
Depends on:
Reported: 2021-06-02 18:48 UTC by Sam James
Modified: 2021-07-29 18:10 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-06-02 18:48:46 UTC
"A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered."
Comment 1 John Helmert III gentoo-dev Security 2021-06-24 03:04:57 UTC
*** Bug 798117 has been marked as a duplicate of this bug. ***
Comment 2 John Helmert III gentoo-dev Security 2021-06-24 03:05:44 UTC

A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.

Comment 3 John Helmert III gentoo-dev Security 2021-07-07 21:23:55 UTC

Avahi 0.8 allows a local denial of service (NULL pointer dereference and daemon crash) against avahi-daemon via the D-Bus interface or a "ping .local" command.

Unreleased patch:
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:21:59 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:30:10 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:38:08 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:46:15 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:02:12 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:10:31 UTC
Package list is empty or all packages have requested keywords.