Fix CVE-2023-38469

Resolves: RHEL-5635
2023-11-09 19:32:50 +01:00 · 2023-11-09 19:32:50 +01:00 · 5ce6485fac
commit 5ce6485fac
parent c4f5f8b357
2 changed files with 51 additions and 1 deletions
--- a/0001-core-reject-overly-long-TXT-resource-records.patch
+++ b/0001-core-reject-overly-long-TXT-resource-records.patch
@ -0,0 +1,46 @@
+From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 23 Oct 2023 20:29:31 +0000
+Subject: [PATCH] core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+CVE-2023-38469
+---
+ avahi-core/rr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/rr.c b/avahi-core/rr.c
+index 2bb8924..9c04ebb 100644
+--- a/avahi-core/rr.c
+++ b/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/defs.h>
+ 
+#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
+         case AVAHI_DNS_TYPE_TXT: {
+ 
+             AvahiStringList *strlst;
+            size_t used = 0;
+ 
+-            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
+            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+                 if (strlst->size > 255 || strlst->size <= 0)
+                     return 0;
+ 
+                used += 1+strlst->size;
+                if (used > AVAHI_DNS_RDATA_MAX)
+                    return 0;
+            }
+
+             return 1;
+         }
+     }
+-- 
+2.41.0
+
--- a/avahi.spec
+++ b/avahi.spec
@ -26,7 +26,7 @@

 Name:             avahi
 Version:          0.7
-Release:          25%{?dist}
+Release:          26%{?dist}
 Summary:          Local network service discovery
 License:          LGPLv2+
 URL:              http://avahi.org
@ -94,6 +94,7 @@ Patch0009:  0001-core-copy-resource-records-with-zero-length-rdata-pr.patch
 Patch0010:  0001-common-derive-alternative-host-name-from-its-unescap.patch
 Patch0011:  0001-core-extract-host-name-using-avahi_unescape_label.patch
 Patch0012:  0001-core-return-errors-from-avahi_server_set_host_name-p.patch
+Patch0013:  0001-core-reject-overly-long-TXT-resource-records.patch

 ## downstream patches
 Patch100:         avahi-0.6.30-mono-libdir.patch
@ -662,6 +663,9 @@ exit 0


 %changelog
+* Thu Nov 09 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-26
+- Fix CVE-2023-38469 (RHEL-5635)
+
 * Thu Nov 09 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-25
 - Fix CVE-2023-38471 (RHEL-5639)