Description: "A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered."
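The failure mode in the description, modelled as an added example (not avahi's code, and not taken from the upstream patch): an event loop that never acts on the hang-up event is woken again and again once the peer disconnects. The function name, the `honor_hup` switch and the iteration budget are hypothetical, and the scenario assumes a Linux AF_UNIX stream socket.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Hypothetical model of a per-client event loop on a Unix socket.
 * The peer disconnects while the server is not asking for input
 * (events == 0). poll() still reports POLLHUP on every call, because
 * POLLHUP/POLLERR are delivered whether or not they were requested.
 * Returns the number of wakeups before the client was dropped or the
 * iteration budget ran out; -1 on setup failure.
 */
int wakeups_after_peer_close(int honor_hup, int budget)
{
    int sv[2], wakeups = 0;
    struct pollfd pfd;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    close(sv[1]);                 /* constructed scenario: client goes away */

    pfd.fd = sv[0];
    pfd.events = 0;               /* server is busy with a request, not reading */

    while (wakeups < budget) {
        pfd.revents = 0;
        if (poll(&pfd, 1, 100) <= 0)
            break;                /* nothing pending: a healthy loop sleeps here */
        wakeups++;
        if (honor_hup && (pfd.revents & (POLLHUP | POLLERR)))
            break;                /* hardened: treat hang-up as end of client */
        /* unhardened: no branch matches POLLHUP, the fd stays registered,
         * and the next poll() returns immediately again */
    }
    close(sv[0]);
    return wakeups;
}

int main(void)
{
    printf("HUP ignored: %d wakeups (budget 1000)\n", wakeups_after_peer_close(0, 1000));
    printf("HUP handled: %d wakeup(s)\n", wakeups_after_peer_close(1, 1000));
    return 0;
}
```

Without the budget the unhardened loop would spin at full CPU and starve every other client of the single-threaded service, which matches the availability impact the description states.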
*** Bug 798117 has been marked as a duplicate of this bug. ***
CVE-2021-3502: A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability. Patch: https://github.com/lathiat/avahi/commit/fd482a74625b8db8547b8cfca3ee3d3c6c721423
CVE-2021-36217: Avahi 0.8 allows a local denial of service (NULL pointer dereference and daemon crash) against avahi-daemon via the D-Bus interface or a "ping .local" command. Unreleased patch: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c
Package list is empty or all packages have requested keywords.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca40d8f1bbfd62625a223896fefe4cc0d5284175

commit ca40d8f1bbfd62625a223896fefe4cc0d5284175
Author:     Federico Denkena <federico.denkena@posteo.de>
AuthorDate: 2022-06-21 15:33:40 +0000
Commit:     Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2022-08-18 13:21:57 +0000

    Patches for net-dns/avahi

    These patches were pulled from the avahi upstream to fix a vulnerability
    and other bugs.
    Bug: https://bugs.gentoo.org/793953
    Signed-off-by: Federico Denkena <federico.denkena@posteo.de>
    Signed-off-by: Anthony G. Basile <blueness@gentoo.org>

 net-dns/avahi/avahi-0.8-r6.ebuild                  | 217 +++++++++++++++++++++
 .../avahi/files/avahi-0.8-dependency-error.patch   |  15 ++
 .../files/avahi-0.8-disable-avahi-ui-sharp.patch   |  12 --
 .../avahi/files/avahi-0.8-null-pointer-crash.patch | 129 ++++++++++++
 .../avahi-0.8-potentially-undefined-fix.patch      |  25 +++
 5 files changed, 386 insertions(+), 12 deletions(-)
(In reply to Larry the Git Cow from comment #10)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca40d8f1bbfd62625a223896fefe4cc0d5284175
>
> commit ca40d8f1bbfd62625a223896fefe4cc0d5284175
> Author: Federico Denkena <federico.denkena@posteo.de>
> AuthorDate: 2022-06-21 15:33:40 +0000
> Commit: Anthony G. Basile <blueness@gentoo.org>
> CommitDate: 2022-08-18 13:21:57 +0000
>
> Patches for net-dns/avahi
>
> These patches were pulled from the avahi upstream to fix a vulnerability
> and other bugs.
> Bug: https://bugs.gentoo.org/793953
> Signed-off-by: Federico Denkena <federico.denkena@posteo.de>
> Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
>
> net-dns/avahi/avahi-0.8-r6.ebuild | 217 +++++++++++++++++++++
> .../avahi/files/avahi-0.8-dependency-error.patch | 15 ++
> .../files/avahi-0.8-disable-avahi-ui-sharp.patch | 12 --
> .../avahi/files/avahi-0.8-null-pointer-crash.patch | 129 ++++++++++++
> .../avahi-0.8-potentially-undefined-fix.patch | 25 +++
> 5 files changed, 386 insertions(+), 12 deletions(-)

Seems like this only fixes CVE-2021-3502/CVE-2021-36217 (which appear to be duplicates)
PR is finally merged! https://github.com/lathiat/avahi/pull/330 Patch is: https://github.com/lathiat/avahi/commit/6e72b8436b75481c8fd78b434d91b43c459e11e3
CVE-2023-1981 (https://github.com/lathiat/avahi/issues/375): A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash. Unreleased patch is: https://github.com/lathiat/avahi/commit/92e4419e1ccb76b93358f47f46662298da4183bf
Red Hat has, unhelpfully, not added all of the upstream references to the CVEs, but they all seem fixed upstream.

CVE-2023-38473: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.
Merged PR: https://github.com/lathiat/avahi/pull/486

CVE-2023-38470: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.
Merged PR: https://github.com/lathiat/avahi/pull/457

CVE-2023-38469: A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.
Merged PR: https://github.com/lathiat/avahi/pull/500

CVE-2023-38471: A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.
Merged PR: https://github.com/lathiat/avahi/pull/494

CVE-2023-38472: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.
Merged PR: https://github.com/lathiat/avahi/pull/490

Worth noting that someone's asked for a release to be made: https://github.com/lathiat/avahi/issues/503