Fix CVE-2023-38471

Resolves: RHEL-5639
Michal Sekletar 2023-11-09 19:25:57 +01:00
parent 9b714caea4
commit c4f5f8b357
3 changed files with 127 additions and 1 deletions


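--- /dev/null
+++ b/0001-core-extract-host-name-using-avahi_unescape_label.patch
@@ -0,0 +1,71 @@
+From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] core: extract host name using avahi_unescape_label()
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+Fixes #453
+CVE-2023-38471
+---
+avahi-core/server.c | 27 +++++++++++++++++++++------
+1 file changed, 21 insertions(+), 6 deletions(-)
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index c32637a..f6a21bb 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
+}
+int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+- char *hn = NULL;
++ char label_escaped[AVAHI_LABEL_MAX*4+1];
++ char label[AVAHI_LABEL_MAX];
++ char *hn = NULL, *h;
++ size_t len;
++
+assert(s);
+AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+else
+hn = avahi_normalize_name_strdup(host_name);
+- hn[strcspn(hn, ".")] = 0;
++ h = hn;
++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
++ avahi_free(h);
++ return AVAHI_ERR_INVALID_HOST_NAME;
++ }
++
++ avahi_free(h);
++
++ h = label_escaped;
++ len = sizeof(label_escaped);
++ if (!avahi_escape_label(label, strlen(label), &h, &len))
++ return AVAHI_ERR_INVALID_HOST_NAME;
+- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+- avahi_free(hn);
++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+- }
+withdraw_host_rrs(s);
+avahi_free(s->host_name);
+- s->host_name = hn;
++ s->host_name = avahi_strdup(label_escaped);
++ if (!s->host_name)
++ return AVAHI_ERR_NO_MEMORY;
+update_fqdn(s);
+--
+2.41.0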
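Review bot: In the second hunk of the embedded server.c patch, `withdraw_host_rrs(s)` and `avahi_free(s->host_name)` run before the `avahi_strdup(label_escaped)` whose result is then checked, so an allocation failure returns AVAHI_ERR_NO_MEMORY with the old records already withdrawn, `s->host_name` left NULL and `update_fqdn(s)` never reached; the original code assigned an already-allocated `hn` here, so this failure window is new. The follow-up patch in this commit (its third hunk) only routes the same return through avahi_server_set_errno() and keeps the ordering. Allocating the new name first and swapping it in only once it exists leaves the server in its previous state on failure; whether later code tolerates a NULL host_name is not visible here, so that is worth confirming against the rest of server.c. `avahi_server_set_host_name` continues past the end of the hunk.
```c
    /* … unchanged: label unescape/escape and the AVAHI_ERR_NO_CHANGE check … */
    h = avahi_strdup(label_escaped);
    if (!h)
        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);

    withdraw_host_rrs(s);
    avahi_free(s->host_name);
    s->host_name = h;

    update_fqdn(s);
```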


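--- /dev/null
+++ b/0001-core-return-errors-from-avahi_server_set_host_name-p.patch
@@ -0,0 +1,50 @@
+From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 24 Oct 2023 22:04:51 +0000
+Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
+It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
+---
+avahi-core/server.c | 9 ++++++---
+1 file changed, 6 insertions(+), 3 deletions(-)
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index f6a21bb..84df6b5 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+else
+hn = avahi_normalize_name_strdup(host_name);
++ if (!hn)
++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
++
+h = hn;
+if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+avahi_free(h);
+- return AVAHI_ERR_INVALID_HOST_NAME;
++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+}
+avahi_free(h);
+@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+h = label_escaped;
+len = sizeof(label_escaped);
+if (!avahi_escape_label(label, strlen(label), &h, &len))
+- return AVAHI_ERR_INVALID_HOST_NAME;
++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+avahi_free(s->host_name);
+s->host_name = avahi_strdup(label_escaped);
+if (!s->host_name)
+- return AVAHI_ERR_NO_MEMORY;
++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+update_fqdn(s);
+--
+2.41.0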


@ -26,7 +26,7 @@
Name: avahi Name: avahi
Version: 0.7 Version: 0.7
Release: 24%{?dist} Release: 25%{?dist}
Summary: Local network service discovery Summary: Local network service discovery
License: LGPLv2+ License: LGPLv2+
URL: http://avahi.org URL: http://avahi.org
@ -92,6 +92,8 @@ Patch0007: 0001-Ensure-each-label-is-at-least-one-byte-long.patch
Patch0008: 0001-core-make-sure-there-is-rdata-to-process-before-pars.patch Patch0008: 0001-core-make-sure-there-is-rdata-to-process-before-pars.patch
Patch0009: 0001-core-copy-resource-records-with-zero-length-rdata-pr.patch Patch0009: 0001-core-copy-resource-records-with-zero-length-rdata-pr.patch
Patch0010: 0001-common-derive-alternative-host-name-from-its-unescap.patch Patch0010: 0001-common-derive-alternative-host-name-from-its-unescap.patch
Patch0011: 0001-core-extract-host-name-using-avahi_unescape_label.patch
Patch0012: 0001-core-return-errors-from-avahi_server_set_host_name-p.patch
## downstream patches ## downstream patches
Patch100: avahi-0.6.30-mono-libdir.patch Patch100: avahi-0.6.30-mono-libdir.patch
@ -660,6 +662,9 @@ exit 0
%changelog %changelog
* Thu Nov 09 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-25
- Fix CVE-2023-38471 (RHEL-5639)
* Thu Nov 09 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-24 * Thu Nov 09 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-24
- Fix CVE-2023-38473 (RHEL-5643) - Fix CVE-2023-38473 (RHEL-5643)