rpms/avahi
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2021-3468

Browse Source 
Resolves: RHEL-9542
This commit is contained in:
Michal Sekletar 2023-11-09 19:39:56 +01:00
parent 5ce6485fac
commit e0fa763377
2 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch Normal file
View File

@ -0,0 +1,40 @@
From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
From: Riccardo Schirone <sirmy15@gmail.com>
Date: Fri, 26 Mar 2021 11:50:24 +0100
Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
client_work
If a client fills the input buffer, client_work() disables the
AVAHI_WATCH_IN event, thus preventing the function from executing the
`read` syscall the next times it is called. However, if the client then
terminates the connection, the socket file descriptor receives a HUP
event, which is not handled, thus the kernel keeps marking the HUP event
as occurring. While iterating over the file descriptors that triggered
an event, the client file descriptor will keep having the HUP event and
the client_work() function is always called with AVAHI_WATCH_HUP but
without nothing being done, thus entering an infinite loop.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
---
avahi-daemon/simple-protocol.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
index 3e0ebb1..6c0274d 100644
--- a/avahi-daemon/simple-protocol.c
+++ b/avahi-daemon/simple-protocol.c
@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
}
}
+ if (events & AVAHI_WATCH_HUP) {
+ client_free(c);
+ return;
+ }
+
c->server->poll_api->watch_update(
watch,
(c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
--
2.41.0

6
avahi.spec
View File

@ -26,7 +26,7 @@
Name: avahi Name: avahi
Version: 0.7 Version: 0.7
Release: 26%{?dist} Release: 27%{?dist}
Summary: Local network service discovery Summary: Local network service discovery
License: LGPLv2+ License: LGPLv2+
URL: http://avahi.org URL: http://avahi.org
@ -95,6 +95,7 @@ Patch0010: 0001-common-derive-alternative-host-name-from-its-unescap.patch
Patch0011: 0001-core-extract-host-name-using-avahi_unescape_label.patch Patch0011: 0001-core-extract-host-name-using-avahi_unescape_label.patch
Patch0012: 0001-core-return-errors-from-avahi_server_set_host_name-p.patch Patch0012: 0001-core-return-errors-from-avahi_server_set_host_name-p.patch
Patch0013: 0001-core-reject-overly-long-TXT-resource-records.patch Patch0013: 0001-core-reject-overly-long-TXT-resource-records.patch
Patch0014: 0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch
## downstream patches ## downstream patches
Patch100: avahi-0.6.30-mono-libdir.patch Patch100: avahi-0.6.30-mono-libdir.patch
@ -663,6 +664,9 @@ exit 0
%changelog %changelog
* Thu Nov 09 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-27
- Fix CVE-2021-3468 (RHEL-9542)
* Thu Nov 09 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-26 * Thu Nov 09 2023 Michal Sekletar <msekleta@redhat.com> - 0.7-26
- Fix CVE-2023-38469 (RHEL-5635) - Fix CVE-2023-38469 (RHEL-5635)