Fix CVE-2023-38471
Resolves: RHEL-5642
This commit is contained in:
parent
c1a2af932b
commit
b52f19c976
71
0001-core-extract-host-name-using-avahi_unescape_label.patch
Normal file
71
0001-core-extract-host-name-using-avahi_unescape_label.patch
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Sekletar <msekleta@redhat.com>
|
||||||
|
Date: Mon, 23 Oct 2023 13:38:35 +0200
|
||||||
|
Subject: [PATCH] core: extract host name using avahi_unescape_label()
|
||||||
|
|
||||||
|
Previously we could create invalid escape sequence when we split the
|
||||||
|
string on dot. For example, from valid host name "foo\\.bar" we have
|
||||||
|
created invalid name "foo\\" and tried to set that as the host name
|
||||||
|
which crashed the daemon.
|
||||||
|
|
||||||
|
Fixes #453
|
||||||
|
|
||||||
|
CVE-2023-38471
|
||||||
|
---
|
||||||
|
avahi-core/server.c | 27 +++++++++++++++++++++------
|
||||||
|
1 file changed, 21 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/avahi-core/server.c b/avahi-core/server.c
|
||||||
|
index c32637a..f6a21bb 100644
|
||||||
|
--- a/avahi-core/server.c
|
||||||
|
+++ b/avahi-core/server.c
|
||||||
|
@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
|
||||||
|
}
|
||||||
|
|
||||||
|
int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||||
|
- char *hn = NULL;
|
||||||
|
+ char label_escaped[AVAHI_LABEL_MAX*4+1];
|
||||||
|
+ char label[AVAHI_LABEL_MAX];
|
||||||
|
+ char *hn = NULL, *h;
|
||||||
|
+ size_t len;
|
||||||
|
+
|
||||||
|
assert(s);
|
||||||
|
|
||||||
|
AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
|
||||||
|
@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||||
|
else
|
||||||
|
hn = avahi_normalize_name_strdup(host_name);
|
||||||
|
|
||||||
|
- hn[strcspn(hn, ".")] = 0;
|
||||||
|
+ h = hn;
|
||||||
|
+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
|
||||||
|
+ avahi_free(h);
|
||||||
|
+ return AVAHI_ERR_INVALID_HOST_NAME;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ avahi_free(h);
|
||||||
|
+
|
||||||
|
+ h = label_escaped;
|
||||||
|
+ len = sizeof(label_escaped);
|
||||||
|
+ if (!avahi_escape_label(label, strlen(label), &h, &len))
|
||||||
|
+ return AVAHI_ERR_INVALID_HOST_NAME;
|
||||||
|
|
||||||
|
- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
|
||||||
|
- avahi_free(hn);
|
||||||
|
+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
|
||||||
|
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
|
||||||
|
- }
|
||||||
|
|
||||||
|
withdraw_host_rrs(s);
|
||||||
|
|
||||||
|
avahi_free(s->host_name);
|
||||||
|
- s->host_name = hn;
|
||||||
|
+ s->host_name = avahi_strdup(label_escaped);
|
||||||
|
+ if (!s->host_name)
|
||||||
|
+ return AVAHI_ERR_NO_MEMORY;
|
||||||
|
|
||||||
|
update_fqdn(s);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,50 @@
|
|||||||
|
From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Evgeny Vereshchagin <evvers@ya.ru>
|
||||||
|
Date: Tue, 24 Oct 2023 22:04:51 +0000
|
||||||
|
Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
|
||||||
|
|
||||||
|
It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
|
||||||
|
---
|
||||||
|
avahi-core/server.c | 9 ++++++---
|
||||||
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/avahi-core/server.c b/avahi-core/server.c
|
||||||
|
index f6a21bb..84df6b5 100644
|
||||||
|
--- a/avahi-core/server.c
|
||||||
|
+++ b/avahi-core/server.c
|
||||||
|
@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||||
|
else
|
||||||
|
hn = avahi_normalize_name_strdup(host_name);
|
||||||
|
|
||||||
|
+ if (!hn)
|
||||||
|
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
|
||||||
|
+
|
||||||
|
h = hn;
|
||||||
|
if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
|
||||||
|
avahi_free(h);
|
||||||
|
- return AVAHI_ERR_INVALID_HOST_NAME;
|
||||||
|
+ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
|
||||||
|
}
|
||||||
|
|
||||||
|
avahi_free(h);
|
||||||
|
@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||||
|
h = label_escaped;
|
||||||
|
len = sizeof(label_escaped);
|
||||||
|
if (!avahi_escape_label(label, strlen(label), &h, &len))
|
||||||
|
- return AVAHI_ERR_INVALID_HOST_NAME;
|
||||||
|
+ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
|
||||||
|
|
||||||
|
if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
|
||||||
|
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
|
||||||
|
@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||||
|
avahi_free(s->host_name);
|
||||||
|
s->host_name = avahi_strdup(label_escaped);
|
||||||
|
if (!s->host_name)
|
||||||
|
- return AVAHI_ERR_NO_MEMORY;
|
||||||
|
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
|
||||||
|
|
||||||
|
update_fqdn(s);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -48,7 +48,7 @@
|
|||||||
|
|
||||||
Name: avahi
|
Name: avahi
|
||||||
Version: 0.8
|
Version: 0.8
|
||||||
Release: 18%{?dist}
|
Release: 19%{?dist}
|
||||||
Summary: Local network service discovery
|
Summary: Local network service discovery
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: http://avahi.org
|
URL: http://avahi.org
|
||||||
@ -139,6 +139,8 @@ Patch15: 0001-common-derive-alternative-host-name-from-its-unescap.patch
|
|||||||
Patch16: 0001-Ensure-each-label-is-at-least-one-byte-long.patch
|
Patch16: 0001-Ensure-each-label-is-at-least-one-byte-long.patch
|
||||||
Patch17: 0001-core-make-sure-there-is-rdata-to-process-before-pars.patch
|
Patch17: 0001-core-make-sure-there-is-rdata-to-process-before-pars.patch
|
||||||
Patch18: 0001-core-copy-resource-records-with-zero-length-rdata-pr.patch
|
Patch18: 0001-core-copy-resource-records-with-zero-length-rdata-pr.patch
|
||||||
|
Patch19: 0001-core-extract-host-name-using-avahi_unescape_label.patch
|
||||||
|
Patch20: 0001-core-return-errors-from-avahi_server_set_host_name-p.patch
|
||||||
|
|
||||||
## downstream patches
|
## downstream patches
|
||||||
Patch100: avahi-0.6.30-mono-libdir.patch
|
Patch100: avahi-0.6.30-mono-libdir.patch
|
||||||
@ -834,6 +836,9 @@ exit 0
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Nov 08 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-19
|
||||||
|
- Fix CVE-2023-38471 (RHEL-5642)
|
||||||
|
|
||||||
* Wed Nov 08 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-18
|
* Wed Nov 08 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-18
|
||||||
- Fix CVE-2023-38472 (RHEL-5645)
|
- Fix CVE-2023-38472 (RHEL-5645)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user