diff --git a/SOURCES/0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch b/SOURCES/0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch new file mode 100644 index 0000000..ef251fe --- /dev/null +++ b/SOURCES/0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch @@ -0,0 +1,40 @@ +From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001 +From: Riccardo Schirone +Date: Fri, 26 Mar 2021 11:50:24 +0100 +Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in + client_work + +If a client fills the input buffer, client_work() disables the +AVAHI_WATCH_IN event, thus preventing the function from executing the +`read` syscall the next times it is called. However, if the client then +terminates the connection, the socket file descriptor receives a HUP +event, which is not handled, thus the kernel keeps marking the HUP event +as occurring. While iterating over the file descriptors that triggered +an event, the client file descriptor will keep having the HUP event and +the client_work() function is always called with AVAHI_WATCH_HUP but +without nothing being done, thus entering an infinite loop. + +See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938 +--- + avahi-daemon/simple-protocol.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c +index 3e0ebb1..6c0274d 100644 +--- a/avahi-daemon/simple-protocol.c ++++ b/avahi-daemon/simple-protocol.c +@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv + } + } + ++ if (events & AVAHI_WATCH_HUP) { ++ client_free(c); ++ return; ++ } ++ + c->server->poll_api->watch_update( + watch, + (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) | +-- +2.41.0 + diff --git a/SOURCES/0001-Ensure-each-label-is-at-least-one-byte-long.patch b/SOURCES/0001-Ensure-each-label-is-at-least-one-byte-long.patch new file mode 100644 index 0000000..759e3e8 --- /dev/null +++ b/SOURCES/0001-Ensure-each-label-is-at-least-one-byte-long.patch @@ -0,0 +1,55 @@ +From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 11 Apr 2023 15:29:59 +0200 +Subject: [PATCH] Ensure each label is at least one byte long + +The only allowed exception is single dot, where it should return empty +string. + +Fixes #454. +--- + avahi-common/domain-test.c | 14 ++++++++++++++ + avahi-common/domain.c | 2 +- + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c +index cf763ec..3acc1c1 100644 +--- a/avahi-common/domain-test.c ++++ b/avahi-common/domain-test.c +@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo.")); + avahi_free(s); + ++ printf("%s\n", s = avahi_normalize_name_strdup(".")); ++ avahi_free(s); ++ ++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}." ++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}" ++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`" ++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?." ++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}." ++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?" ++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM." ++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?." ++ "}.?.?.?.}.=.?.?.}"); ++ assert(s == NULL); ++ + printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff")); + printf("%i\n", avahi_domain_equal("A", "a")); + +diff --git a/avahi-common/domain.c b/avahi-common/domain.c +index 3b1ab68..e66d241 100644 +--- a/avahi-common/domain.c ++++ b/avahi-common/domain.c +@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) { + } + + if (!empty) { +- if (size < 1) ++ if (size < 2) + return NULL; + + *(r++) = '.'; +-- +2.41.0 + diff --git a/SOURCES/0001-common-derive-alternative-host-name-from-its-unescap.patch b/SOURCES/0001-common-derive-alternative-host-name-from-its-unescap.patch new file mode 100644 index 0000000..7bb64b7 --- /dev/null +++ b/SOURCES/0001-common-derive-alternative-host-name-from-its-unescap.patch @@ -0,0 +1,107 @@ +From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 11 Oct 2023 17:45:44 +0200 +Subject: [PATCH] common: derive alternative host name from its unescaped + version + +Normalization of input makes sure we don't have to deal with special +cases like unescaped dot at the end of label. + +Fixes #451 #487 +CVE-2023-38473 +--- + avahi-common/alternative-test.c | 3 +++ + avahi-common/alternative.c | 27 +++++++++++++++++++-------- + 2 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c +index 9255435..681fc15 100644 +--- a/avahi-common/alternative-test.c ++++ b/avahi-common/alternative-test.c +@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + const char* const test_strings[] = { + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü", ++ ").", ++ "\\.", ++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\", + "gurke", + "-", + " #", +diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c +index b3d39f0..a094e6d 100644 +--- a/avahi-common/alternative.c ++++ b/avahi-common/alternative.c +@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) { + } + + char *avahi_alternative_host_name(const char *s) { ++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1]; ++ char *alt, *r, *ret; + const char *e; +- char *r; ++ size_t len; + + assert(s); + + if (!avahi_is_valid_host_name(s)) + return NULL; + +- if ((e = strrchr(s, '-'))) { ++ if (!avahi_unescape_label(&s, label, sizeof(label))) ++ return NULL; ++ ++ if ((e = strrchr(label, '-'))) { + const char *p; + + e++; +@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) { + + if (e) { + char *c, *m; +- size_t l; + int n; + + n = atoi(e)+1; + if (!(m = avahi_strdup_printf("%i", n))) + return NULL; + +- l = e-s-1; ++ len = e-label-1; + +- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1) +- l = AVAHI_LABEL_MAX-1-strlen(m)-1; ++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1) ++ len = AVAHI_LABEL_MAX-1-strlen(m)-1; + +- if (!(c = avahi_strndup(s, l))) { ++ if (!(c = avahi_strndup(label, len))) { + avahi_free(m); + return NULL; + } +@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) { + } else { + char *c; + +- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2))) ++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2))) + return NULL; + + drop_incomplete_utf8(c); +@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) { + avahi_free(c); + } + ++ alt = alternative; ++ len = sizeof(alternative); ++ ret = avahi_escape_label(r, strlen(r), &alt, &len); ++ ++ avahi_free(r); ++ r = avahi_strdup(ret); ++ + assert(avahi_is_valid_host_name(r)); + + return r; +-- +2.41.0 + diff --git a/SOURCES/0001-core-copy-resource-records-with-zero-length-rdata-pr.patch b/SOURCES/0001-core-copy-resource-records-with-zero-length-rdata-pr.patch new file mode 100644 index 0000000..ac8a492 --- /dev/null +++ b/SOURCES/0001-core-copy-resource-records-with-zero-length-rdata-pr.patch @@ -0,0 +1,52 @@ +From 160e8fb6ca1b33387f30f7a6aa9159015ffda9d0 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Sun, 22 Oct 2023 10:31:31 +0000 +Subject: [PATCH] core: copy resource records with zero-length rdata properly + +It fixes the crash spotted +https://github.com/lathiat/avahi/pull/490#issuecomment-1773019619. +The fuzz target was updated to exercise those code paths (among other +things). Without this commit it crashes with +``` +fuzz-consume-record: malloc.c:250: void *avahi_memdup(const void *, size_t): Assertion `s' failed. +==72869== ERROR: libFuzzer: deadly signal + #0 0x5031b5 in __sanitizer_print_stack_trace (avahi/out/fuzz-consume-record+0x5031b5) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06) + #1 0x45cd6c in fuzzer::PrintStackTrace() (avahi/out/fuzz-consume-record+0x45cd6c) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06) + #2 0x441c47 in fuzzer::Fuzzer::CrashCallback() (out/fuzz-consume-record+0x441c47) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06) + #3 0x7f189e97ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) + #4 0x7f189e9cf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) + #5 0x7f189e97eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) + #6 0x7f189e96787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) + #7 0x7f189e96779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) + #8 0x7f189e977186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78) + #9 0x557bfc in avahi_memdup avahi/avahi-common/malloc.c:250:5 + #10 0x54895c in avahi_record_copy avahi/avahi-core/rr.c:469:45 +``` +--- + avahi-core/rr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/avahi-core/rr.c b/avahi-core/rr.c +index 7fa0bee..2bb8924 100644 +--- a/avahi-core/rr.c ++++ b/avahi-core/rr.c +@@ -426,6 +426,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) { + copy->ref = 1; + copy->key = avahi_key_ref(r->key); + copy->ttl = r->ttl; ++ memset(©->data, 0, sizeof(copy->data)); + + switch (r->key->type) { + case AVAHI_DNS_TYPE_PTR: +@@ -466,7 +467,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) { + break; + + default: +- if (!(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size))) ++ if (r->data.generic.size && !(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size))) + goto fail; + copy->data.generic.size = r->data.generic.size; + break; +-- +2.41.0 + diff --git a/SOURCES/0001-core-extract-host-name-using-avahi_unescape_label.patch b/SOURCES/0001-core-extract-host-name-using-avahi_unescape_label.patch new file mode 100644 index 0000000..54846bc --- /dev/null +++ b/SOURCES/0001-core-extract-host-name-using-avahi_unescape_label.patch @@ -0,0 +1,71 @@ +From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 23 Oct 2023 13:38:35 +0200 +Subject: [PATCH] core: extract host name using avahi_unescape_label() + +Previously we could create invalid escape sequence when we split the +string on dot. For example, from valid host name "foo\\.bar" we have +created invalid name "foo\\" and tried to set that as the host name +which crashed the daemon. + +Fixes #453 + +CVE-2023-38471 +--- + avahi-core/server.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/avahi-core/server.c b/avahi-core/server.c +index c32637a..f6a21bb 100644 +--- a/avahi-core/server.c ++++ b/avahi-core/server.c +@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) { + } + + int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { +- char *hn = NULL; ++ char label_escaped[AVAHI_LABEL_MAX*4+1]; ++ char label[AVAHI_LABEL_MAX]; ++ char *hn = NULL, *h; ++ size_t len; ++ + assert(s); + + AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); +@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { + else + hn = avahi_normalize_name_strdup(host_name); + +- hn[strcspn(hn, ".")] = 0; ++ h = hn; ++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { ++ avahi_free(h); ++ return AVAHI_ERR_INVALID_HOST_NAME; ++ } ++ ++ avahi_free(h); ++ ++ h = label_escaped; ++ len = sizeof(label_escaped); ++ if (!avahi_escape_label(label, strlen(label), &h, &len)) ++ return AVAHI_ERR_INVALID_HOST_NAME; + +- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { +- avahi_free(hn); ++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) + return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); +- } + + withdraw_host_rrs(s); + + avahi_free(s->host_name); +- s->host_name = hn; ++ s->host_name = avahi_strdup(label_escaped); ++ if (!s->host_name) ++ return AVAHI_ERR_NO_MEMORY; + + update_fqdn(s); + +-- +2.41.0 + diff --git a/SOURCES/0001-core-make-sure-there-is-rdata-to-process-before-pars.patch b/SOURCES/0001-core-make-sure-there-is-rdata-to-process-before-pars.patch new file mode 100644 index 0000000..cfba294 --- /dev/null +++ b/SOURCES/0001-core-make-sure-there-is-rdata-to-process-before-pars.patch @@ -0,0 +1,43 @@ +From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 19 Oct 2023 17:36:44 +0200 +Subject: [PATCH] core: make sure there is rdata to process before parsing it + +Fixes #452 + +CVE-2023-38472 +--- + avahi-client/client-test.c | 3 +++ + avahi-daemon/dbus-entry-group.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c +index b3366d8..ba97998 100644 +--- a/avahi-client/client-test.c ++++ b/avahi-client/client-test.c +@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL))); + printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6)); + ++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); ++ assert(error != AVAHI_OK); ++ + avahi_entry_group_commit (group); + + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); +diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c +index 4e879a5..aa23d4b 100644 +--- a/avahi-daemon/dbus-entry-group.c ++++ b/avahi-daemon/dbus-entry-group.c +@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage + if (!(r = avahi_record_new_full (name, clazz, type, ttl))) + return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL); + +- if (avahi_rdata_parse (r, rdata, size) < 0) { ++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) { + avahi_record_unref (r); + return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL); + } +-- +2.41.0 + diff --git a/SOURCES/0001-core-reject-overly-long-TXT-resource-records.patch b/SOURCES/0001-core-reject-overly-long-TXT-resource-records.patch new file mode 100644 index 0000000..946a531 --- /dev/null +++ b/SOURCES/0001-core-reject-overly-long-TXT-resource-records.patch @@ -0,0 +1,46 @@ +From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Mon, 23 Oct 2023 20:29:31 +0000 +Subject: [PATCH] core: reject overly long TXT resource records + +Closes https://github.com/lathiat/avahi/issues/455 + +CVE-2023-38469 +--- + avahi-core/rr.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/avahi-core/rr.c b/avahi-core/rr.c +index 2bb8924..9c04ebb 100644 +--- a/avahi-core/rr.c ++++ b/avahi-core/rr.c +@@ -32,6 +32,7 @@ + #include + #include + ++#include "dns.h" + #include "rr.h" + #include "log.h" + #include "util.h" +@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) { + case AVAHI_DNS_TYPE_TXT: { + + AvahiStringList *strlst; ++ size_t used = 0; + +- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) ++ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) { + if (strlst->size > 255 || strlst->size <= 0) + return 0; + ++ used += 1+strlst->size; ++ if (used > AVAHI_DNS_RDATA_MAX) ++ return 0; ++ } ++ + return 1; + } + } +-- +2.41.0 + diff --git a/SOURCES/0001-core-return-errors-from-avahi_server_set_host_name-p.patch b/SOURCES/0001-core-return-errors-from-avahi_server_set_host_name-p.patch new file mode 100644 index 0000000..b0cb1b3 --- /dev/null +++ b/SOURCES/0001-core-return-errors-from-avahi_server_set_host_name-p.patch @@ -0,0 +1,50 @@ +From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Tue, 24 Oct 2023 22:04:51 +0000 +Subject: [PATCH] core: return errors from avahi_server_set_host_name properly + +It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09 +--- + avahi-core/server.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/avahi-core/server.c b/avahi-core/server.c +index f6a21bb..84df6b5 100644 +--- a/avahi-core/server.c ++++ b/avahi-core/server.c +@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { + else + hn = avahi_normalize_name_strdup(host_name); + ++ if (!hn) ++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY); ++ + h = hn; + if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { + avahi_free(h); +- return AVAHI_ERR_INVALID_HOST_NAME; ++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME); + } + + avahi_free(h); +@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { + h = label_escaped; + len = sizeof(label_escaped); + if (!avahi_escape_label(label, strlen(label), &h, &len)) +- return AVAHI_ERR_INVALID_HOST_NAME; ++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME); + + if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) + return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); +@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { + avahi_free(s->host_name); + s->host_name = avahi_strdup(label_escaped); + if (!s->host_name) +- return AVAHI_ERR_NO_MEMORY; ++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY); + + update_fqdn(s); + +-- +2.41.0 + diff --git a/SPECS/avahi.spec b/SPECS/avahi.spec index 4b11a4f..79d494c 100644 --- a/SPECS/avahi.spec +++ b/SPECS/avahi.spec @@ -26,7 +26,7 @@ Name: avahi Version: 0.7 -Release: 21%{?dist} +Release: 21%{?dist}.1 Summary: Local network service discovery License: LGPLv2+ URL: http://avahi.org @@ -88,6 +88,14 @@ Patch0003: 0003-Remove-empty-avahi_discover-Python-module.patch Patch0004: 0004-avahi-client-fix-resource-leak.patch Patch0005: 0005-chroot-fix-bogus-assignments-in-assertions.patch Patch0006: 0001-Emit-error-if-requested-service-is-not-found.patch +Patch0007: 0001-Ensure-each-label-is-at-least-one-byte-long.patch +Patch0008: 0001-core-make-sure-there-is-rdata-to-process-before-pars.patch +Patch0009: 0001-core-copy-resource-records-with-zero-length-rdata-pr.patch +Patch0010: 0001-common-derive-alternative-host-name-from-its-unescap.patch +Patch0011: 0001-core-extract-host-name-using-avahi_unescape_label.patch +Patch0012: 0001-core-return-errors-from-avahi_server_set_host_name-p.patch +Patch0013: 0001-core-reject-overly-long-TXT-resource-records.patch +Patch0014: 0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch ## downstream patches Patch100: avahi-0.6.30-mono-libdir.patch @@ -656,6 +664,14 @@ exit 0 %changelog +* Wed Dec 06 2023 Michal Sekletar - 0.7-21.1 +- Fix CVE-2021-3468 (RHEL-18311) +- Fix CVE-2023-38469 (RHEL-17783) +- Fix CVE-2023-38470 (RHEL-17795) +- Fix CVE-2023-38471 (RHEL-17789) +- Fix CVE-2023-38472 (RHEL-17807) +- Fix CVE-2023-38473 (RHEL-17801) + * Wed Aug 23 2023 Michal Sekletar - 0.7-21 - Fix CVE-2023-1981 (#2186688)