From e0fa763377daee2fadae7753f2f777a20ad4b49d Mon Sep 17 00:00:00 2001
From: Michal Sekletar
Date: Thu, 9 Nov 2023 19:39:56 +0100
Subject: [PATCH] Fix CVE-2021-3468
Resolves: RHEL-9542
---
 ...oop-in-avahi-daemon-by-handling-HUP-.patch | 40 +++++++++++++++++++
 avahi.spec | 6 ++-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch
diff --git a/0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch b/0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch
new file mode 100644
index 0000000..ef251fe
--- /dev/null
+++ b/0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch
@@ -0,0 +1,40 @@
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb1..6c0274d 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+ }
+ }
+
++ if (events & AVAHI_WATCH_HUP) {
++ client_free(c);
++ return;
++ }
++
+ c->server->poll_api->watch_update(
+ watch,
+ (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
+--
+2.41.0
+
diff --git a/avahi.spec b/avahi.spec
index 90f895d..ebcb76d 100644
--- a/avahi.spec
+++ b/avahi.spec
@@ -26,7 +26,7 @@
 Name: avahi
 Version: 0.7
-Release: 26%{?dist}
+Release: 27%{?dist}
 Summary: Local network service discovery
 License: LGPLv2+
 URL: http://avahi.org
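Review bot: The new branch in client_work() (the `++ if (events & AVAHI_WATCH_HUP)` lines of the embedded simple-protocol.c hunk) tests only AVAHI_WATCH_HUP, yet poll() reports error conditions the same way it reports hang-ups, independently of the requested event set, so a client whose AVAHI_WATCH_IN was disabled by a full input buffer and whose socket then raises an error would presumably still be handed to client_work() on every iteration with nothing done; assuming the poll API maps POLLERR to AVAHI_WATCH_ERR as it maps POLLHUP, `if (events & (AVAHI_WATCH_HUP | AVAHI_WATCH_ERR)) {` closes that gap. The reason for the check also deserves a comment at the branch, since it currently lives only in the commit message: `/* HUP is reported even while AVAHI_WATCH_IN is disabled (input buffer full); free the client here so a dead socket cannot keep client_work() busy forever. */`. Freeing the client on HUP drops whatever is still queued in c->outbuf, which looks intended since the peer is gone, but is worth stating in that comment. client_work() begins and ends outside the hunk, so the read/write handling that precedes this branch is not visible here.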
@@ -95,6 +95,7 @@ Patch0010: 0001-common-derive-alternative-host-name-from-its-unescap.patch
 Patch0011: 0001-core-extract-host-name-using-avahi_unescape_label.patch
 Patch0012: 0001-core-return-errors-from-avahi_server_set_host_name-p.patch
 Patch0013: 0001-core-reject-overly-long-TXT-resource-records.patch
+Patch0014: 0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch
 ## downstream patches
 Patch100: avahi-0.6.30-mono-libdir.patch
@@ -663,6 +664,9 @@ exit 0
 %changelog
+* Thu Nov 09 2023 Michal Sekletar - 0.7-27
+- Fix CVE-2021-3468 (RHEL-9542)
+
 * Thu Nov 09 2023 Michal Sekletar - 0.7-26
 - Fix CVE-2023-38469 (RHEL-5635)