Fix CVE-2023-38471

Resolves: RHEL-5642
2023-11-08 17:48:17 +01:00 · 2023-11-08 17:48:17 +01:00 · b52f19c976
commit b52f19c976
parent c1a2af932b
3 changed files with 127 additions and 1 deletions
--- a/0001-core-extract-host-name-using-avahi_unescape_label.patch
+++ b/0001-core-extract-host-name-using-avahi_unescape_label.patch
@ -0,0 +1,71 @@
+From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] core: extract host name using avahi_unescape_label()
+
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+
+Fixes #453
+
+CVE-2023-38471
+---
+ avahi-core/server.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index c32637a..f6a21bb 100644
+--- a/avahi-core/server.c
+++ b/avahi-core/server.c
+@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
+ }
+ 
+ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+-    char *hn = NULL;
+    char label_escaped[AVAHI_LABEL_MAX*4+1];
+    char label[AVAHI_LABEL_MAX];
+    char *hn = NULL, *h;
+    size_t len;
+
+     assert(s);
+ 
+     AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+ 
+-    hn[strcspn(hn, ".")] = 0;
+    h = hn;
+    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+        avahi_free(h);
+        return AVAHI_ERR_INVALID_HOST_NAME;
+    }
+
+    avahi_free(h);
+
+    h = label_escaped;
+    len = sizeof(label_escaped);
+    if (!avahi_escape_label(label, strlen(label), &h, &len))
+        return AVAHI_ERR_INVALID_HOST_NAME;
+ 
+-    if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+-        avahi_free(hn);
+    if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+-    }
+ 
+     withdraw_host_rrs(s);
+ 
+     avahi_free(s->host_name);
+-    s->host_name = hn;
+    s->host_name = avahi_strdup(label_escaped);
+    if (!s->host_name)
+        return AVAHI_ERR_NO_MEMORY;
+ 
+     update_fqdn(s);
+ 
+-- 
+2.41.0
+
--- a/0001-core-return-errors-from-avahi_server_set_host_name-p.patch
+++ b/0001-core-return-errors-from-avahi_server_set_host_name-p.patch
@ -0,0 +1,50 @@
+From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 24 Oct 2023 22:04:51 +0000
+Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
+
+It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
+---
+ avahi-core/server.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index f6a21bb..84df6b5 100644
+--- a/avahi-core/server.c
+++ b/avahi-core/server.c
+@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+ 
+    if (!hn)
+        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+
+     h = hn;
+     if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+         avahi_free(h);
+-        return AVAHI_ERR_INVALID_HOST_NAME;
+        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+     }
+ 
+     avahi_free(h);
+@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+     h = label_escaped;
+     len = sizeof(label_escaped);
+     if (!avahi_escape_label(label, strlen(label), &h, &len))
+-        return AVAHI_ERR_INVALID_HOST_NAME;
+        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+ 
+     if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+     avahi_free(s->host_name);
+     s->host_name = avahi_strdup(label_escaped);
+     if (!s->host_name)
+-        return AVAHI_ERR_NO_MEMORY;
+        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+ 
+     update_fqdn(s);
+ 
+-- 
+2.41.0
+
--- a/avahi.spec
+++ b/avahi.spec
@ -48,7 +48,7 @@

 Name:             avahi
 Version:          0.8
-Release:          18%{?dist}
+Release:          19%{?dist}
 Summary:          Local network service discovery
 License:          LGPLv2+
 URL:              http://avahi.org
@ -139,6 +139,8 @@ Patch15: 0001-common-derive-alternative-host-name-from-its-unescap.patch
 Patch16: 0001-Ensure-each-label-is-at-least-one-byte-long.patch
 Patch17: 0001-core-make-sure-there-is-rdata-to-process-before-pars.patch
 Patch18: 0001-core-copy-resource-records-with-zero-length-rdata-pr.patch
+Patch19: 0001-core-extract-host-name-using-avahi_unescape_label.patch
+Patch20: 0001-core-return-errors-from-avahi_server_set_host_name-p.patch

 ## downstream patches
 Patch100:         avahi-0.6.30-mono-libdir.patch
@ -834,6 +836,9 @@ exit 0


 %changelog
+* Wed Nov 08 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-19
+- Fix CVE-2023-38471 (RHEL-5642)
+
 * Wed Nov 08 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-18
 - Fix CVE-2023-38472 (RHEL-5645)