import UBI avahi-0.7-21.el8_9.1

This commit is contained in:
eabdullin 2023-12-14 13:37:20 +00:00
parent aa633d01a8
commit 086e290bd8
9 changed files with 481 additions and 1 deletions

View File

@ -0,0 +1,40 @@
From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
From: Riccardo Schirone <sirmy15@gmail.com>
Date: Fri, 26 Mar 2021 11:50:24 +0100
Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
client_work
If a client fills the input buffer, client_work() disables the
AVAHI_WATCH_IN event, thus preventing the function from executing the
`read` syscall the next times it is called. However, if the client then
terminates the connection, the socket file descriptor receives a HUP
event, which is not handled, thus the kernel keeps marking the HUP event
as occurring. While iterating over the file descriptors that triggered
an event, the client file descriptor will keep having the HUP event and
the client_work() function is always called with AVAHI_WATCH_HUP but
without nothing being done, thus entering an infinite loop.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
---
avahi-daemon/simple-protocol.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
index 3e0ebb1..6c0274d 100644
--- a/avahi-daemon/simple-protocol.c
+++ b/avahi-daemon/simple-protocol.c
@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
}
}
+ if (events & AVAHI_WATCH_HUP) {
+ client_free(c);
+ return;
+ }
+
c->server->poll_api->watch_update(
watch,
(c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
--
2.41.0

View File

@ -0,0 +1,55 @@
From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 11 Apr 2023 15:29:59 +0200
Subject: [PATCH] Ensure each label is at least one byte long
The only allowed exception is single dot, where it should return empty
string.
Fixes #454.
---
avahi-common/domain-test.c | 14 ++++++++++++++
avahi-common/domain.c | 2 +-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
index cf763ec..3acc1c1 100644
--- a/avahi-common/domain-test.c
+++ b/avahi-common/domain-test.c
@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
avahi_free(s);
+ printf("%s\n", s = avahi_normalize_name_strdup("."));
+ avahi_free(s);
+
+ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
+ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
+ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
+ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
+ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
+ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
+ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
+ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
+ "}.?.?.?.}.=.?.?.}");
+ assert(s == NULL);
+
printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
printf("%i\n", avahi_domain_equal("A", "a"));
diff --git a/avahi-common/domain.c b/avahi-common/domain.c
index 3b1ab68..e66d241 100644
--- a/avahi-common/domain.c
+++ b/avahi-common/domain.c
@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) {
}
if (!empty) {
- if (size < 1)
+ if (size < 2)
return NULL;
*(r++) = '.';
--
2.41.0

View File

@ -0,0 +1,107 @@
From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 11 Oct 2023 17:45:44 +0200
Subject: [PATCH] common: derive alternative host name from its unescaped
version
Normalization of input makes sure we don't have to deal with special
cases like unescaped dot at the end of label.
Fixes #451 #487
CVE-2023-38473
---
avahi-common/alternative-test.c | 3 +++
avahi-common/alternative.c | 27 +++++++++++++++++++--------
2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
index 9255435..681fc15 100644
--- a/avahi-common/alternative-test.c
+++ b/avahi-common/alternative-test.c
@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
const char* const test_strings[] = {
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
+ ").",
+ "\\.",
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
"gurke",
"-",
" #",
diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
index b3d39f0..a094e6d 100644
--- a/avahi-common/alternative.c
+++ b/avahi-common/alternative.c
@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
}
char *avahi_alternative_host_name(const char *s) {
+ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
+ char *alt, *r, *ret;
const char *e;
- char *r;
+ size_t len;
assert(s);
if (!avahi_is_valid_host_name(s))
return NULL;
- if ((e = strrchr(s, '-'))) {
+ if (!avahi_unescape_label(&s, label, sizeof(label)))
+ return NULL;
+
+ if ((e = strrchr(label, '-'))) {
const char *p;
e++;
@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
if (e) {
char *c, *m;
- size_t l;
int n;
n = atoi(e)+1;
if (!(m = avahi_strdup_printf("%i", n)))
return NULL;
- l = e-s-1;
+ len = e-label-1;
- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
+ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
- if (!(c = avahi_strndup(s, l))) {
+ if (!(c = avahi_strndup(label, len))) {
avahi_free(m);
return NULL;
}
@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
} else {
char *c;
- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
+ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
return NULL;
drop_incomplete_utf8(c);
@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
avahi_free(c);
}
+ alt = alternative;
+ len = sizeof(alternative);
+ ret = avahi_escape_label(r, strlen(r), &alt, &len);
+
+ avahi_free(r);
+ r = avahi_strdup(ret);
+
assert(avahi_is_valid_host_name(r));
return r;
--
2.41.0

View File

@ -0,0 +1,52 @@
From 160e8fb6ca1b33387f30f7a6aa9159015ffda9d0 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Sun, 22 Oct 2023 10:31:31 +0000
Subject: [PATCH] core: copy resource records with zero-length rdata properly
It fixes the crash spotted
https://github.com/lathiat/avahi/pull/490#issuecomment-1773019619.
The fuzz target was updated to exercise those code paths (among other
things). Without this commit it crashes with
```
fuzz-consume-record: malloc.c:250: void *avahi_memdup(const void *, size_t): Assertion `s' failed.
==72869== ERROR: libFuzzer: deadly signal
#0 0x5031b5 in __sanitizer_print_stack_trace (avahi/out/fuzz-consume-record+0x5031b5) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
#1 0x45cd6c in fuzzer::PrintStackTrace() (avahi/out/fuzz-consume-record+0x45cd6c) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
#2 0x441c47 in fuzzer::Fuzzer::CrashCallback() (out/fuzz-consume-record+0x441c47) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
#3 0x7f189e97ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#4 0x7f189e9cf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#5 0x7f189e97eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#6 0x7f189e96787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#7 0x7f189e96779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#8 0x7f189e977186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#9 0x557bfc in avahi_memdup avahi/avahi-common/malloc.c:250:5
#10 0x54895c in avahi_record_copy avahi/avahi-core/rr.c:469:45
```
---
avahi-core/rr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/avahi-core/rr.c b/avahi-core/rr.c
index 7fa0bee..2bb8924 100644
--- a/avahi-core/rr.c
+++ b/avahi-core/rr.c
@@ -426,6 +426,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) {
copy->ref = 1;
copy->key = avahi_key_ref(r->key);
copy->ttl = r->ttl;
+ memset(&copy->data, 0, sizeof(copy->data));
switch (r->key->type) {
case AVAHI_DNS_TYPE_PTR:
@@ -466,7 +467,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) {
break;
default:
- if (!(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size)))
+ if (r->data.generic.size && !(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size)))
goto fail;
copy->data.generic.size = r->data.generic.size;
break;
--
2.41.0

View File

@ -0,0 +1,71 @@
From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 23 Oct 2023 13:38:35 +0200
Subject: [PATCH] core: extract host name using avahi_unescape_label()
Previously we could create invalid escape sequence when we split the
string on dot. For example, from valid host name "foo\\.bar" we have
created invalid name "foo\\" and tried to set that as the host name
which crashed the daemon.
Fixes #453
CVE-2023-38471
---
avahi-core/server.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/avahi-core/server.c b/avahi-core/server.c
index c32637a..f6a21bb 100644
--- a/avahi-core/server.c
+++ b/avahi-core/server.c
@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
}
int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
- char *hn = NULL;
+ char label_escaped[AVAHI_LABEL_MAX*4+1];
+ char label[AVAHI_LABEL_MAX];
+ char *hn = NULL, *h;
+ size_t len;
+
assert(s);
AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
else
hn = avahi_normalize_name_strdup(host_name);
- hn[strcspn(hn, ".")] = 0;
+ h = hn;
+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+ avahi_free(h);
+ return AVAHI_ERR_INVALID_HOST_NAME;
+ }
+
+ avahi_free(h);
+
+ h = label_escaped;
+ len = sizeof(label_escaped);
+ if (!avahi_escape_label(label, strlen(label), &h, &len))
+ return AVAHI_ERR_INVALID_HOST_NAME;
- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
- avahi_free(hn);
+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
- }
withdraw_host_rrs(s);
avahi_free(s->host_name);
- s->host_name = hn;
+ s->host_name = avahi_strdup(label_escaped);
+ if (!s->host_name)
+ return AVAHI_ERR_NO_MEMORY;
update_fqdn(s);
--
2.41.0

View File

@ -0,0 +1,43 @@
From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 19 Oct 2023 17:36:44 +0200
Subject: [PATCH] core: make sure there is rdata to process before parsing it
Fixes #452
CVE-2023-38472
---
avahi-client/client-test.c | 3 +++
avahi-daemon/dbus-entry-group.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
index b3366d8..ba97998 100644
--- a/avahi-client/client-test.c
+++ b/avahi-client/client-test.c
@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
+ assert(error != AVAHI_OK);
+
avahi_entry_group_commit (group);
domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
index 4e879a5..aa23d4b 100644
--- a/avahi-daemon/dbus-entry-group.c
+++ b/avahi-daemon/dbus-entry-group.c
@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
- if (avahi_rdata_parse (r, rdata, size) < 0) {
+ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
avahi_record_unref (r);
return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
}
--
2.41.0

View File

@ -0,0 +1,46 @@
From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Mon, 23 Oct 2023 20:29:31 +0000
Subject: [PATCH] core: reject overly long TXT resource records
Closes https://github.com/lathiat/avahi/issues/455
CVE-2023-38469
---
avahi-core/rr.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/avahi-core/rr.c b/avahi-core/rr.c
index 2bb8924..9c04ebb 100644
--- a/avahi-core/rr.c
+++ b/avahi-core/rr.c
@@ -32,6 +32,7 @@
#include <avahi-common/malloc.h>
#include <avahi-common/defs.h>
+#include "dns.h"
#include "rr.h"
#include "log.h"
#include "util.h"
@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
case AVAHI_DNS_TYPE_TXT: {
AvahiStringList *strlst;
+ size_t used = 0;
- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
+ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
if (strlst->size > 255 || strlst->size <= 0)
return 0;
+ used += 1+strlst->size;
+ if (used > AVAHI_DNS_RDATA_MAX)
+ return 0;
+ }
+
return 1;
}
}
--
2.41.0

View File

@ -0,0 +1,50 @@
From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Tue, 24 Oct 2023 22:04:51 +0000
Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
---
avahi-core/server.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/avahi-core/server.c b/avahi-core/server.c
index f6a21bb..84df6b5 100644
--- a/avahi-core/server.c
+++ b/avahi-core/server.c
@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
else
hn = avahi_normalize_name_strdup(host_name);
+ if (!hn)
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+
h = hn;
if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
avahi_free(h);
- return AVAHI_ERR_INVALID_HOST_NAME;
+ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
}
avahi_free(h);
@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
h = label_escaped;
len = sizeof(label_escaped);
if (!avahi_escape_label(label, strlen(label), &h, &len))
- return AVAHI_ERR_INVALID_HOST_NAME;
+ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
avahi_free(s->host_name);
s->host_name = avahi_strdup(label_escaped);
if (!s->host_name)
- return AVAHI_ERR_NO_MEMORY;
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
update_fqdn(s);
--
2.41.0

View File

@ -26,7 +26,7 @@
Name: avahi
Version: 0.7
Release: 21%{?dist}
Release: 21%{?dist}.1
Summary: Local network service discovery
License: LGPLv2+
URL: http://avahi.org
@ -88,6 +88,14 @@ Patch0003: 0003-Remove-empty-avahi_discover-Python-module.patch
Patch0004: 0004-avahi-client-fix-resource-leak.patch
Patch0005: 0005-chroot-fix-bogus-assignments-in-assertions.patch
Patch0006: 0001-Emit-error-if-requested-service-is-not-found.patch
Patch0007: 0001-Ensure-each-label-is-at-least-one-byte-long.patch
Patch0008: 0001-core-make-sure-there-is-rdata-to-process-before-pars.patch
Patch0009: 0001-core-copy-resource-records-with-zero-length-rdata-pr.patch
Patch0010: 0001-common-derive-alternative-host-name-from-its-unescap.patch
Patch0011: 0001-core-extract-host-name-using-avahi_unescape_label.patch
Patch0012: 0001-core-return-errors-from-avahi_server_set_host_name-p.patch
Patch0013: 0001-core-reject-overly-long-TXT-resource-records.patch
Patch0014: 0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch
## downstream patches
Patch100: avahi-0.6.30-mono-libdir.patch
@ -656,6 +664,14 @@ exit 0
%changelog
* Wed Dec 06 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-21.1
- Fix CVE-2021-3468 (RHEL-18311)
- Fix CVE-2023-38469 (RHEL-17783)
- Fix CVE-2023-38470 (RHEL-17795)
- Fix CVE-2023-38471 (RHEL-17789)
- Fix CVE-2023-38472 (RHEL-17807)
- Fix CVE-2023-38473 (RHEL-17801)
* Wed Aug 23 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-21
- Fix CVE-2023-1981 (#2186688)