Fix CVE-2023-38472

Resolves: RHEL-5645

0001-core-copy-resource-records-with-zero-length-rdata-pr.patch

@@ -0,0 +1,52 @@
+From 160e8fb6ca1b33387f30f7a6aa9159015ffda9d0 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Sun, 22 Oct 2023 10:31:31 +0000
+Subject: [PATCH] core: copy resource records with zero-length rdata properly
+
+It fixes the crash spotted
+https://github.com/lathiat/avahi/pull/490#issuecomment-1773019619.
+The fuzz target was updated to exercise those code paths (among other
+things). Without this commit it crashes with
+```
+fuzz-consume-record: malloc.c:250: void *avahi_memdup(const void *, size_t): Assertion `s' failed.
+==72869== ERROR: libFuzzer: deadly signal
+    #0 0x5031b5 in __sanitizer_print_stack_trace (avahi/out/fuzz-consume-record+0x5031b5) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
+    #1 0x45cd6c in fuzzer::PrintStackTrace() (avahi/out/fuzz-consume-record+0x45cd6c) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
+    #2 0x441c47 in fuzzer::Fuzzer::CrashCallback() (out/fuzz-consume-record+0x441c47) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
+    #3 0x7f189e97ebaf  (/lib64/libc.so.6+0x3dbaf) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
+    #4 0x7f189e9cf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
+    #5 0x7f189e97eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
+    #6 0x7f189e96787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
+    #7 0x7f189e96779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
+    #8 0x7f189e977186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
+    #9 0x557bfc in avahi_memdup avahi/avahi-common/malloc.c:250:5
+    #10 0x54895c in avahi_record_copy avahi/avahi-core/rr.c:469:45
+```
+---
+ avahi-core/rr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/rr.c b/avahi-core/rr.c
+index 7fa0bee..2bb8924 100644
+--- a/avahi-core/rr.c
++++ b/avahi-core/rr.c
+@@ -426,6 +426,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) {
+     copy->ref = 1;
+     copy->key = avahi_key_ref(r->key);
+     copy->ttl = r->ttl;
++    memset(&copy->data, 0, sizeof(copy->data));
+ 
+     switch (r->key->type) {
+         case AVAHI_DNS_TYPE_PTR:
+@@ -466,7 +467,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) {
+             break;
+ 
+         default:
+-            if (!(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size)))
++            if (r->data.generic.size && !(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size)))
+                 goto fail;
+             copy->data.generic.size = r->data.generic.size;
+             break;
+-- 
+2.41.0
+

0001-core-make-sure-there-is-rdata-to-process-before-pars.patch

@@ -0,0 +1,43 @@
+From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] core: make sure there is rdata to process before parsing it
+
+Fixes #452
+
+CVE-2023-38472
+---
+ avahi-client/client-test.c      | 3 +++
+ avahi-daemon/dbus-entry-group.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
+index b3366d8..ba97998 100644
+--- a/avahi-client/client-test.c
++++ b/avahi-client/client-test.c
+@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+     printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+ 
++    error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++    assert(error != AVAHI_OK);
++
+     avahi_entry_group_commit (group);
+ 
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
+index 4e879a5..aa23d4b 100644
+--- a/avahi-daemon/dbus-entry-group.c
++++ b/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
+         if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+ 
+-        if (avahi_rdata_parse (r, rdata, size) < 0) {
++        if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+             avahi_record_unref (r);
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+         }
+-- 
+2.41.0
+

avahi.spec

@@ -48,7 +48,7 @@
 
 Name:             avahi
 Version:          0.8
-Release:          17%{?dist}
+Release:          18%{?dist}
 Summary:          Local network service discovery
 License:          LGPLv2+
 URL:              http://avahi.org
@@ -137,6 +137,8 @@ Patch13: 0001-Fix-NULL-pointer-crashes-from-175.patch
 Patch14: 0001-Emit-error-if-requested-service-is-not-found.patch
 Patch15: 0001-common-derive-alternative-host-name-from-its-unescap.patch
 Patch16: 0001-Ensure-each-label-is-at-least-one-byte-long.patch
+Patch17: 0001-core-make-sure-there-is-rdata-to-process-before-pars.patch
+Patch18: 0001-core-copy-resource-records-with-zero-length-rdata-pr.patch
 
 ## downstream patches
 Patch100:         avahi-0.6.30-mono-libdir.patch
@@ -832,6 +834,9 @@ exit 0
 
 
 %changelog
+* Wed Nov 08 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-18
+- Fix CVE-2023-38472 (RHEL-5645)
+
 * Wed Nov 01 2023 Michal Sekletar <msekleta@redhat.com> - 0.8-17
 - Fix CVE-2023-38470 (RHEL-5641)