Fix CVE-2021-3468

Resolves: #1944092
This commit is contained in:
Michal Sekletar 2023-08-17 17:30:55 +02:00
parent a92a735c98
commit 486b4f7426
2 changed files with 45 additions and 1 deletions

View File

@ -0,0 +1,40 @@
From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
From: Riccardo Schirone <sirmy15@gmail.com>
Date: Fri, 26 Mar 2021 11:50:24 +0100
Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
client_work
If a client fills the input buffer, client_work() disables the
AVAHI_WATCH_IN event, thus preventing the function from executing the
`read` syscall the next times it is called. However, if the client then
terminates the connection, the socket file descriptor receives a HUP
event, which is not handled, thus the kernel keeps marking the HUP event
as occurring. While iterating over the file descriptors that triggered
an event, the client file descriptor will keep having the HUP event and
the client_work() function is always called with AVAHI_WATCH_HUP but
without nothing being done, thus entering an infinite loop.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
---
avahi-daemon/simple-protocol.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
index 3e0ebb1..6c0274d 100644
--- a/avahi-daemon/simple-protocol.c
+++ b/avahi-daemon/simple-protocol.c
@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
}
}
+ if (events & AVAHI_WATCH_HUP) {
+ client_free(c);
+ return;
+ }
+
c->server->poll_api->watch_update(
watch,
(c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
--
2.40.0

View File

@ -48,7 +48,7 @@
Name: avahi Name: avahi
Version: 0.8 Version: 0.8
Release: 12%{?dist} Release: 13%{?dist}
Summary: Local network service discovery Summary: Local network service discovery
License: LGPLv2+ License: LGPLv2+
URL: http://avahi.org URL: http://avahi.org
@ -132,6 +132,7 @@ Patch8: 0008-Ship-avahi-discover-1-bssh-1-and-bvnc-1-also-for-GTK.patch
Patch9: 0009-fix-requires-in-pc-file.patch Patch9: 0009-fix-requires-in-pc-file.patch
Patch10: 0010-fix-bytestring-decoding-for-proper-display.patch Patch10: 0010-fix-bytestring-decoding-for-proper-display.patch
Patch11: 0011-avahi_dns_packet_consume_uint32-fix-potential-undefi.patch Patch11: 0011-avahi_dns_packet_consume_uint32-fix-potential-undefi.patch
Patch12: 0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch
## downstream patches ## downstream patches
Patch100: avahi-0.6.30-mono-libdir.patch Patch100: avahi-0.6.30-mono-libdir.patch
@ -827,6 +828,9 @@ exit 0
%changelog %changelog
* Thu Aug 17 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-13
- Fix CVE-2021-3468 (#1944092)
* Mon Feb 21 2022 Michal Sekletár <msekleta@redhat.com> - 0.8-12 * Mon Feb 21 2022 Michal Sekletár <msekleta@redhat.com> - 0.8-12
- make sure we get compiled with -fstack-protector-strong (#2044643) - make sure we get compiled with -fstack-protector-strong (#2044643)