Fix CVE-2023-38469

Resolves: RHEL-5637
2023-11-08 18:03:01 +01:00 · 2023-11-08 18:03:01 +01:00 · bc2522e788
commit bc2522e788
parent b52f19c976
2 changed files with 51 additions and 1 deletions
--- a/0001-core-reject-overly-long-TXT-resource-records.patch
+++ b/0001-core-reject-overly-long-TXT-resource-records.patch
@ -0,0 +1,46 @@
+From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 23 Oct 2023 20:29:31 +0000
+Subject: [PATCH] core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+CVE-2023-38469
+---
+ avahi-core/rr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/rr.c b/avahi-core/rr.c
+index 2bb8924..9c04ebb 100644
+--- a/avahi-core/rr.c
+++ b/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/defs.h>
+ 
+#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
+         case AVAHI_DNS_TYPE_TXT: {
+ 
+             AvahiStringList *strlst;
+            size_t used = 0;
+ 
+-            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
+            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+                 if (strlst->size > 255 || strlst->size <= 0)
+                     return 0;
+ 
+                used += 1+strlst->size;
+                if (used > AVAHI_DNS_RDATA_MAX)
+                    return 0;
+            }
+
+             return 1;
+         }
+     }
+-- 
+2.41.0
+
--- a/avahi.spec
+++ b/avahi.spec
@ -48,7 +48,7 @@

 Name:             avahi
 Version:          0.8
-Release:          19%{?dist}
+Release:          20%{?dist}
 Summary:          Local network service discovery
 License:          LGPLv2+
 URL:              http://avahi.org
@ -141,6 +141,7 @@ Patch17: 0001-core-make-sure-there-is-rdata-to-process-before-pars.patch
 Patch18: 0001-core-copy-resource-records-with-zero-length-rdata-pr.patch
 Patch19: 0001-core-extract-host-name-using-avahi_unescape_label.patch
 Patch20: 0001-core-return-errors-from-avahi_server_set_host_name-p.patch
+Patch21: 0001-core-reject-overly-long-TXT-resource-records.patch

 ## downstream patches
 Patch100:         avahi-0.6.30-mono-libdir.patch
@ -836,6 +837,9 @@ exit 0


 %changelog
+* Wed Nov 08 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-20
+- Fix CVE-2023-38469 (RHEL-5637)
+
 * Wed Nov 08 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-19
 - Fix CVE-2023-38471 (RHEL-5642)