From e42b031b0a0344f8fe88573bfa905f7e42e04ead Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Wed, 8 Nov 2023 16:50:21 +0100 Subject: [PATCH] Fix CVE-2023-38470 Resolves: RHEL-5641 --- ...each-label-is-at-least-one-byte-long.patch | 55 +++++++++++++++++++ avahi.spec | 6 +- 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 0001-Ensure-each-label-is-at-least-one-byte-long.patch diff --git a/0001-Ensure-each-label-is-at-least-one-byte-long.patch b/0001-Ensure-each-label-is-at-least-one-byte-long.patch new file mode 100644 index 0000000..759e3e8 --- /dev/null +++ b/0001-Ensure-each-label-is-at-least-one-byte-long.patch @@ -0,0 +1,55 @@ +From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 11 Apr 2023 15:29:59 +0200 +Subject: [PATCH] Ensure each label is at least one byte long + +The only allowed exception is single dot, where it should return empty +string. + +Fixes #454. +--- + avahi-common/domain-test.c | 14 ++++++++++++++ + avahi-common/domain.c | 2 +- + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c +index cf763ec..3acc1c1 100644 +--- a/avahi-common/domain-test.c ++++ b/avahi-common/domain-test.c +@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo.")); + avahi_free(s); + ++ printf("%s\n", s = avahi_normalize_name_strdup(".")); ++ avahi_free(s); ++ ++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}." ++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}" ++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`" ++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?." ++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}." ++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?" ++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM." ++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?." ++ "}.?.?.?.}.=.?.?.}"); ++ assert(s == NULL); ++ + printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff")); + printf("%i\n", avahi_domain_equal("A", "a")); + +diff --git a/avahi-common/domain.c b/avahi-common/domain.c +index 3b1ab68..e66d241 100644 +--- a/avahi-common/domain.c ++++ b/avahi-common/domain.c +@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) { + } + + if (!empty) { +- if (size < 1) ++ if (size < 2) + return NULL; + + *(r++) = '.'; +-- +2.41.0 + diff --git a/avahi.spec b/avahi.spec index 70b266d..ef6ba37 100644 --- a/avahi.spec +++ b/avahi.spec @@ -48,7 +48,7 @@ Name: avahi Version: 0.8 -Release: 16%{?dist} +Release: 17%{?dist} Summary: Local network service discovery License: LGPLv2+ URL: http://avahi.org @@ -136,6 +136,7 @@ Patch12: 0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch Patch13: 0001-Fix-NULL-pointer-crashes-from-175.patch Patch14: 0001-Emit-error-if-requested-service-is-not-found.patch Patch15: 0001-common-derive-alternative-host-name-from-its-unescap.patch +Patch16: 0001-Ensure-each-label-is-at-least-one-byte-long.patch ## downstream patches Patch100: avahi-0.6.30-mono-libdir.patch @@ -831,6 +832,9 @@ exit 0 %changelog +* Wed Nov 01 2023 Michal Sekletar - 0.8-17 +- Fix CVE-2023-38470 (RHEL-5641) + * Wed Nov 01 2023 Michal Sekletar - 0.8-16 - Fix CVE-2023-38473 (RHEL-5729)