import CS avahi-0.8-20.el9
This commit is contained in:
parent
5332d4e43f
commit
c1878f6674
SOURCES
0001-Ensure-each-label-is-at-least-one-byte-long.patch0001-common-derive-alternative-host-name-from-its-unescap.patch0001-core-copy-resource-records-with-zero-length-rdata-pr.patch0001-core-extract-host-name-using-avahi_unescape_label.patch0001-core-make-sure-there-is-rdata-to-process-before-pars.patch0001-core-reject-overly-long-TXT-resource-records.patch0001-core-return-errors-from-avahi_server_set_host_name-p.patch
SPECS
@ -0,0 +1,55 @@
|
|||||||
|
From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
|
Date: Tue, 11 Apr 2023 15:29:59 +0200
|
||||||
|
Subject: [PATCH] Ensure each label is at least one byte long
|
||||||
|
|
||||||
|
The only allowed exception is single dot, where it should return empty
|
||||||
|
string.
|
||||||
|
|
||||||
|
Fixes #454.
|
||||||
|
---
|
||||||
|
avahi-common/domain-test.c | 14 ++++++++++++++
|
||||||
|
avahi-common/domain.c | 2 +-
|
||||||
|
2 files changed, 15 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
|
||||||
|
index cf763ec..3acc1c1 100644
|
||||||
|
--- a/avahi-common/domain-test.c
|
||||||
|
+++ b/avahi-common/domain-test.c
|
||||||
|
@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
|
||||||
|
printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
|
||||||
|
avahi_free(s);
|
||||||
|
|
||||||
|
+ printf("%s\n", s = avahi_normalize_name_strdup("."));
|
||||||
|
+ avahi_free(s);
|
||||||
|
+
|
||||||
|
+ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
|
||||||
|
+ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
|
||||||
|
+ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
|
||||||
|
+ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
|
||||||
|
+ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
|
||||||
|
+ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
|
||||||
|
+ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
|
||||||
|
+ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
|
||||||
|
+ "}.?.?.?.}.=.?.?.}");
|
||||||
|
+ assert(s == NULL);
|
||||||
|
+
|
||||||
|
printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
|
||||||
|
printf("%i\n", avahi_domain_equal("A", "a"));
|
||||||
|
|
||||||
|
diff --git a/avahi-common/domain.c b/avahi-common/domain.c
|
||||||
|
index 3b1ab68..e66d241 100644
|
||||||
|
--- a/avahi-common/domain.c
|
||||||
|
+++ b/avahi-common/domain.c
|
||||||
|
@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) {
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!empty) {
|
||||||
|
- if (size < 1)
|
||||||
|
+ if (size < 2)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
*(r++) = '.';
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,107 @@
|
|||||||
|
From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Sekletar <msekleta@redhat.com>
|
||||||
|
Date: Wed, 11 Oct 2023 17:45:44 +0200
|
||||||
|
Subject: [PATCH] common: derive alternative host name from its unescaped
|
||||||
|
version
|
||||||
|
|
||||||
|
Normalization of input makes sure we don't have to deal with special
|
||||||
|
cases like unescaped dot at the end of label.
|
||||||
|
|
||||||
|
Fixes #451 #487
|
||||||
|
CVE-2023-38473
|
||||||
|
---
|
||||||
|
avahi-common/alternative-test.c | 3 +++
|
||||||
|
avahi-common/alternative.c | 27 +++++++++++++++++++--------
|
||||||
|
2 files changed, 22 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
|
||||||
|
index 9255435..681fc15 100644
|
||||||
|
--- a/avahi-common/alternative-test.c
|
||||||
|
+++ b/avahi-common/alternative-test.c
|
||||||
|
@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
|
||||||
|
const char* const test_strings[] = {
|
||||||
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
|
||||||
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
|
||||||
|
+ ").",
|
||||||
|
+ "\\.",
|
||||||
|
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
|
||||||
|
"gurke",
|
||||||
|
"-",
|
||||||
|
" #",
|
||||||
|
diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
|
||||||
|
index b3d39f0..a094e6d 100644
|
||||||
|
--- a/avahi-common/alternative.c
|
||||||
|
+++ b/avahi-common/alternative.c
|
||||||
|
@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
|
||||||
|
}
|
||||||
|
|
||||||
|
char *avahi_alternative_host_name(const char *s) {
|
||||||
|
+ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
|
||||||
|
+ char *alt, *r, *ret;
|
||||||
|
const char *e;
|
||||||
|
- char *r;
|
||||||
|
+ size_t len;
|
||||||
|
|
||||||
|
assert(s);
|
||||||
|
|
||||||
|
if (!avahi_is_valid_host_name(s))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
- if ((e = strrchr(s, '-'))) {
|
||||||
|
+ if (!avahi_unescape_label(&s, label, sizeof(label)))
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ if ((e = strrchr(label, '-'))) {
|
||||||
|
const char *p;
|
||||||
|
|
||||||
|
e++;
|
||||||
|
@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
|
||||||
|
|
||||||
|
if (e) {
|
||||||
|
char *c, *m;
|
||||||
|
- size_t l;
|
||||||
|
int n;
|
||||||
|
|
||||||
|
n = atoi(e)+1;
|
||||||
|
if (!(m = avahi_strdup_printf("%i", n)))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
- l = e-s-1;
|
||||||
|
+ len = e-label-1;
|
||||||
|
|
||||||
|
- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
|
||||||
|
- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
|
||||||
|
+ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
|
||||||
|
+ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
|
||||||
|
|
||||||
|
- if (!(c = avahi_strndup(s, l))) {
|
||||||
|
+ if (!(c = avahi_strndup(label, len))) {
|
||||||
|
avahi_free(m);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
|
||||||
|
} else {
|
||||||
|
char *c;
|
||||||
|
|
||||||
|
- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
|
||||||
|
+ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
drop_incomplete_utf8(c);
|
||||||
|
@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
|
||||||
|
avahi_free(c);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ alt = alternative;
|
||||||
|
+ len = sizeof(alternative);
|
||||||
|
+ ret = avahi_escape_label(r, strlen(r), &alt, &len);
|
||||||
|
+
|
||||||
|
+ avahi_free(r);
|
||||||
|
+ r = avahi_strdup(ret);
|
||||||
|
+
|
||||||
|
assert(avahi_is_valid_host_name(r));
|
||||||
|
|
||||||
|
return r;
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,52 @@
|
|||||||
|
From 160e8fb6ca1b33387f30f7a6aa9159015ffda9d0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Evgeny Vereshchagin <evvers@ya.ru>
|
||||||
|
Date: Sun, 22 Oct 2023 10:31:31 +0000
|
||||||
|
Subject: [PATCH] core: copy resource records with zero-length rdata properly
|
||||||
|
|
||||||
|
It fixes the crash spotted
|
||||||
|
https://github.com/lathiat/avahi/pull/490#issuecomment-1773019619.
|
||||||
|
The fuzz target was updated to exercise those code paths (among other
|
||||||
|
things). Without this commit it crashes with
|
||||||
|
```
|
||||||
|
fuzz-consume-record: malloc.c:250: void *avahi_memdup(const void *, size_t): Assertion `s' failed.
|
||||||
|
==72869== ERROR: libFuzzer: deadly signal
|
||||||
|
#0 0x5031b5 in __sanitizer_print_stack_trace (avahi/out/fuzz-consume-record+0x5031b5) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
|
||||||
|
#1 0x45cd6c in fuzzer::PrintStackTrace() (avahi/out/fuzz-consume-record+0x45cd6c) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
|
||||||
|
#2 0x441c47 in fuzzer::Fuzzer::CrashCallback() (out/fuzz-consume-record+0x441c47) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
|
||||||
|
#3 0x7f189e97ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
|
||||||
|
#4 0x7f189e9cf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
|
||||||
|
#5 0x7f189e97eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
|
||||||
|
#6 0x7f189e96787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
|
||||||
|
#7 0x7f189e96779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
|
||||||
|
#8 0x7f189e977186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
|
||||||
|
#9 0x557bfc in avahi_memdup avahi/avahi-common/malloc.c:250:5
|
||||||
|
#10 0x54895c in avahi_record_copy avahi/avahi-core/rr.c:469:45
|
||||||
|
```
|
||||||
|
---
|
||||||
|
avahi-core/rr.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/avahi-core/rr.c b/avahi-core/rr.c
|
||||||
|
index 7fa0bee..2bb8924 100644
|
||||||
|
--- a/avahi-core/rr.c
|
||||||
|
+++ b/avahi-core/rr.c
|
||||||
|
@@ -426,6 +426,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) {
|
||||||
|
copy->ref = 1;
|
||||||
|
copy->key = avahi_key_ref(r->key);
|
||||||
|
copy->ttl = r->ttl;
|
||||||
|
+ memset(©->data, 0, sizeof(copy->data));
|
||||||
|
|
||||||
|
switch (r->key->type) {
|
||||||
|
case AVAHI_DNS_TYPE_PTR:
|
||||||
|
@@ -466,7 +467,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) {
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
- if (!(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size)))
|
||||||
|
+ if (r->data.generic.size && !(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size)))
|
||||||
|
goto fail;
|
||||||
|
copy->data.generic.size = r->data.generic.size;
|
||||||
|
break;
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,71 @@
|
|||||||
|
From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Sekletar <msekleta@redhat.com>
|
||||||
|
Date: Mon, 23 Oct 2023 13:38:35 +0200
|
||||||
|
Subject: [PATCH] core: extract host name using avahi_unescape_label()
|
||||||
|
|
||||||
|
Previously we could create invalid escape sequence when we split the
|
||||||
|
string on dot. For example, from valid host name "foo\\.bar" we have
|
||||||
|
created invalid name "foo\\" and tried to set that as the host name
|
||||||
|
which crashed the daemon.
|
||||||
|
|
||||||
|
Fixes #453
|
||||||
|
|
||||||
|
CVE-2023-38471
|
||||||
|
---
|
||||||
|
avahi-core/server.c | 27 +++++++++++++++++++++------
|
||||||
|
1 file changed, 21 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/avahi-core/server.c b/avahi-core/server.c
|
||||||
|
index c32637a..f6a21bb 100644
|
||||||
|
--- a/avahi-core/server.c
|
||||||
|
+++ b/avahi-core/server.c
|
||||||
|
@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
|
||||||
|
}
|
||||||
|
|
||||||
|
int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||||
|
- char *hn = NULL;
|
||||||
|
+ char label_escaped[AVAHI_LABEL_MAX*4+1];
|
||||||
|
+ char label[AVAHI_LABEL_MAX];
|
||||||
|
+ char *hn = NULL, *h;
|
||||||
|
+ size_t len;
|
||||||
|
+
|
||||||
|
assert(s);
|
||||||
|
|
||||||
|
AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
|
||||||
|
@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||||
|
else
|
||||||
|
hn = avahi_normalize_name_strdup(host_name);
|
||||||
|
|
||||||
|
- hn[strcspn(hn, ".")] = 0;
|
||||||
|
+ h = hn;
|
||||||
|
+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
|
||||||
|
+ avahi_free(h);
|
||||||
|
+ return AVAHI_ERR_INVALID_HOST_NAME;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ avahi_free(h);
|
||||||
|
+
|
||||||
|
+ h = label_escaped;
|
||||||
|
+ len = sizeof(label_escaped);
|
||||||
|
+ if (!avahi_escape_label(label, strlen(label), &h, &len))
|
||||||
|
+ return AVAHI_ERR_INVALID_HOST_NAME;
|
||||||
|
|
||||||
|
- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
|
||||||
|
- avahi_free(hn);
|
||||||
|
+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
|
||||||
|
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
|
||||||
|
- }
|
||||||
|
|
||||||
|
withdraw_host_rrs(s);
|
||||||
|
|
||||||
|
avahi_free(s->host_name);
|
||||||
|
- s->host_name = hn;
|
||||||
|
+ s->host_name = avahi_strdup(label_escaped);
|
||||||
|
+ if (!s->host_name)
|
||||||
|
+ return AVAHI_ERR_NO_MEMORY;
|
||||||
|
|
||||||
|
update_fqdn(s);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,43 @@
|
|||||||
|
From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Sekletar <msekleta@redhat.com>
|
||||||
|
Date: Thu, 19 Oct 2023 17:36:44 +0200
|
||||||
|
Subject: [PATCH] core: make sure there is rdata to process before parsing it
|
||||||
|
|
||||||
|
Fixes #452
|
||||||
|
|
||||||
|
CVE-2023-38472
|
||||||
|
---
|
||||||
|
avahi-client/client-test.c | 3 +++
|
||||||
|
avahi-daemon/dbus-entry-group.c | 2 +-
|
||||||
|
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
|
||||||
|
index b3366d8..ba97998 100644
|
||||||
|
--- a/avahi-client/client-test.c
|
||||||
|
+++ b/avahi-client/client-test.c
|
||||||
|
@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
|
||||||
|
printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
|
||||||
|
printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
|
||||||
|
|
||||||
|
+ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
|
||||||
|
+ assert(error != AVAHI_OK);
|
||||||
|
+
|
||||||
|
avahi_entry_group_commit (group);
|
||||||
|
|
||||||
|
domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
|
||||||
|
diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
|
||||||
|
index 4e879a5..aa23d4b 100644
|
||||||
|
--- a/avahi-daemon/dbus-entry-group.c
|
||||||
|
+++ b/avahi-daemon/dbus-entry-group.c
|
||||||
|
@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
|
||||||
|
if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
|
||||||
|
return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
|
||||||
|
|
||||||
|
- if (avahi_rdata_parse (r, rdata, size) < 0) {
|
||||||
|
+ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
|
||||||
|
avahi_record_unref (r);
|
||||||
|
return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,46 @@
|
|||||||
|
From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Evgeny Vereshchagin <evvers@ya.ru>
|
||||||
|
Date: Mon, 23 Oct 2023 20:29:31 +0000
|
||||||
|
Subject: [PATCH] core: reject overly long TXT resource records
|
||||||
|
|
||||||
|
Closes https://github.com/lathiat/avahi/issues/455
|
||||||
|
|
||||||
|
CVE-2023-38469
|
||||||
|
---
|
||||||
|
avahi-core/rr.c | 9 ++++++++-
|
||||||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/avahi-core/rr.c b/avahi-core/rr.c
|
||||||
|
index 2bb8924..9c04ebb 100644
|
||||||
|
--- a/avahi-core/rr.c
|
||||||
|
+++ b/avahi-core/rr.c
|
||||||
|
@@ -32,6 +32,7 @@
|
||||||
|
#include <avahi-common/malloc.h>
|
||||||
|
#include <avahi-common/defs.h>
|
||||||
|
|
||||||
|
+#include "dns.h"
|
||||||
|
#include "rr.h"
|
||||||
|
#include "log.h"
|
||||||
|
#include "util.h"
|
||||||
|
@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
|
||||||
|
case AVAHI_DNS_TYPE_TXT: {
|
||||||
|
|
||||||
|
AvahiStringList *strlst;
|
||||||
|
+ size_t used = 0;
|
||||||
|
|
||||||
|
- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
|
||||||
|
+ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
|
||||||
|
if (strlst->size > 255 || strlst->size <= 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
+ used += 1+strlst->size;
|
||||||
|
+ if (used > AVAHI_DNS_RDATA_MAX)
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,50 @@
|
|||||||
|
From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Evgeny Vereshchagin <evvers@ya.ru>
|
||||||
|
Date: Tue, 24 Oct 2023 22:04:51 +0000
|
||||||
|
Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
|
||||||
|
|
||||||
|
It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
|
||||||
|
---
|
||||||
|
avahi-core/server.c | 9 ++++++---
|
||||||
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/avahi-core/server.c b/avahi-core/server.c
|
||||||
|
index f6a21bb..84df6b5 100644
|
||||||
|
--- a/avahi-core/server.c
|
||||||
|
+++ b/avahi-core/server.c
|
||||||
|
@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||||
|
else
|
||||||
|
hn = avahi_normalize_name_strdup(host_name);
|
||||||
|
|
||||||
|
+ if (!hn)
|
||||||
|
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
|
||||||
|
+
|
||||||
|
h = hn;
|
||||||
|
if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
|
||||||
|
avahi_free(h);
|
||||||
|
- return AVAHI_ERR_INVALID_HOST_NAME;
|
||||||
|
+ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
|
||||||
|
}
|
||||||
|
|
||||||
|
avahi_free(h);
|
||||||
|
@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||||
|
h = label_escaped;
|
||||||
|
len = sizeof(label_escaped);
|
||||||
|
if (!avahi_escape_label(label, strlen(label), &h, &len))
|
||||||
|
- return AVAHI_ERR_INVALID_HOST_NAME;
|
||||||
|
+ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
|
||||||
|
|
||||||
|
if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
|
||||||
|
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
|
||||||
|
@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||||
|
avahi_free(s->host_name);
|
||||||
|
s->host_name = avahi_strdup(label_escaped);
|
||||||
|
if (!s->host_name)
|
||||||
|
- return AVAHI_ERR_NO_MEMORY;
|
||||||
|
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
|
||||||
|
|
||||||
|
update_fqdn(s);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -48,7 +48,7 @@
|
|||||||
|
|
||||||
Name: avahi
|
Name: avahi
|
||||||
Version: 0.8
|
Version: 0.8
|
||||||
Release: 15%{?dist}
|
Release: 20%{?dist}
|
||||||
Summary: Local network service discovery
|
Summary: Local network service discovery
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: http://avahi.org
|
URL: http://avahi.org
|
||||||
@ -135,6 +135,13 @@ Patch11: 0011-avahi_dns_packet_consume_uint32-fix-potential-undefi.patch
|
|||||||
Patch12: 0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch
|
Patch12: 0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch
|
||||||
Patch13: 0001-Fix-NULL-pointer-crashes-from-175.patch
|
Patch13: 0001-Fix-NULL-pointer-crashes-from-175.patch
|
||||||
Patch14: 0001-Emit-error-if-requested-service-is-not-found.patch
|
Patch14: 0001-Emit-error-if-requested-service-is-not-found.patch
|
||||||
|
Patch15: 0001-common-derive-alternative-host-name-from-its-unescap.patch
|
||||||
|
Patch16: 0001-Ensure-each-label-is-at-least-one-byte-long.patch
|
||||||
|
Patch17: 0001-core-make-sure-there-is-rdata-to-process-before-pars.patch
|
||||||
|
Patch18: 0001-core-copy-resource-records-with-zero-length-rdata-pr.patch
|
||||||
|
Patch19: 0001-core-extract-host-name-using-avahi_unescape_label.patch
|
||||||
|
Patch20: 0001-core-return-errors-from-avahi_server_set_host_name-p.patch
|
||||||
|
Patch21: 0001-core-reject-overly-long-TXT-resource-records.patch
|
||||||
|
|
||||||
## downstream patches
|
## downstream patches
|
||||||
Patch100: avahi-0.6.30-mono-libdir.patch
|
Patch100: avahi-0.6.30-mono-libdir.patch
|
||||||
@ -830,6 +837,21 @@ exit 0
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Nov 08 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-20
|
||||||
|
- Fix CVE-2023-38469 (RHEL-5637)
|
||||||
|
|
||||||
|
* Wed Nov 08 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-19
|
||||||
|
- Fix CVE-2023-38471 (RHEL-5642)
|
||||||
|
|
||||||
|
* Wed Nov 08 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-18
|
||||||
|
- Fix CVE-2023-38472 (RHEL-5645)
|
||||||
|
|
||||||
|
* Wed Nov 01 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-17
|
||||||
|
- Fix CVE-2023-38470 (RHEL-5641)
|
||||||
|
|
||||||
|
* Wed Nov 01 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-16
|
||||||
|
- Fix CVE-2023-38473 (RHEL-5729)
|
||||||
|
|
||||||
* Wed Aug 23 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-15
|
* Wed Aug 23 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-15
|
||||||
- Fix CVE-2023-1981 (#2186689)
|
- Fix CVE-2023-1981 (#2186689)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user