SLFO-pool/avahi
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main avahi revision 8c2470aca096f3f88f474414c9bd1fec

Browse Source
This commit is contained in:
Adrian Schröter 2024-07-03 10:52:22 +02:00
parent ed939eb83f
commit d435ac3534
3 changed files with 184 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

159
avahi-filter-bogus-services.patch Normal file
View File

@ -0,0 +1,159 @@
From 93b14365c1c1e04efd1a890e8caa01a2a514bfd8 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Sun, 12 Nov 2023 01:16:58 +0000
Subject: [PATCH] core: no longer supply bogus services to callbacks
It was technically a DOS allowing packets with service names like
"bogus.service.local" to bring down `avahi-browse -a`. In practice
it was usually triggered by misconfigured smart devices but it isn't
that hard to forge packets like that and send them deliberately.
The tests are added to make sure invalid service names are rejected and
valid service names keep working. The fuzz target is updated to make
sure that avahi_service_name_split always supplies valid arguments to
avahi_service_name_join. avahi now logs what exactly it fails to split
```
avahi-daemon[176]: Failed to split service name '0.1.9.1.8.8.e.f.f.f.f.a.a.1.4.7.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa'
avahi-daemon[176]: Failed to split service name 'bogus\032.\032\209\129\208\181\209\128\208\178\208\184\209\129.local'
avahi-daemon[176]: Failed to split service name '255.20.254.169.in-addr.arpa'
avahi-daemon[176]: Failed to split service name 'bogus\032.\032\209\129\208\181\209\128\208\178\208\184\209\129.local'
avahi-daemon[176]: Failed to split service name '33.93.168.192.in-addr.arpa'
```
when --debug is passed to it (which makes that part consistent with the
other places where weird packets are rejected).
Closes https://github.com/lathiat/avahi/issues/212
---
.github/workflows/smoke-tests.sh | 2 ++
avahi-common/domain-test.c | 36 ++++++++++++++++++++++++++++++++
avahi-common/domain.c | 14 +++++++++++++
avahi-core/browse-service-type.c | 2 +-
avahi-core/browse-service.c | 2 +-
fuzz/fuzz-packet.c | 18 ++++++++--------
6 files changed, 63 insertions(+), 11 deletions(-)
diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
index 7a662da..9679e98 100644
--- a/avahi-common/domain-test.c
+++ b/avahi-common/domain-test.c
@@ -26,6 +26,7 @@
#include <assert.h>
#include "domain.h"
+#include "error.h"
#include "malloc.h"
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
@@ -34,6 +35,7 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
const char *p;
size_t size;
char name[64], type[AVAHI_DOMAIN_NAME_MAX], domain[AVAHI_DOMAIN_NAME_MAX];
+ int res;
printf("%s\n", s = avahi_normalize_name_strdup("foo.foo\\046."));
avahi_free(s);
@@ -132,5 +134,39 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
assert(!avahi_is_valid_fqdn("::1"));
assert(!avahi_is_valid_fqdn(".192.168.50.1."));
+ res = avahi_service_name_split("test._ssh._tcp.local", name, sizeof(name), type, sizeof(type), domain, sizeof(domain));
+ assert(res >= 0);
+ assert(strcmp(name, "test") == 0);
+ assert(strcmp(type, "_ssh._tcp") == 0);
+ assert(strcmp(domain, "local") == 0);
+
+ res = avahi_service_name_split("test._hop._sub._ssh._tcp.local", name, sizeof(name), type, sizeof(type), domain, sizeof(domain));
+ assert(res >= 0);
+ assert(strcmp(name, "test") == 0);
+ assert(strcmp(type, "_hop._sub._ssh._tcp") == 0);
+ assert(strcmp(domain, "local") == 0);
+
+ res = avahi_service_name_split("_qotd._udp.hey.local", NULL, 0, type, sizeof(type), domain, sizeof(domain));
+ assert(res >= 0);
+ assert(strcmp(type, "_qotd._udp") == 0);
+ assert(strcmp(domain, "hey.local") == 0);
+
+ res = avahi_service_name_split("_wat._sub._qotd._udp.hey.local", NULL, 0, type, sizeof(type), domain, sizeof(domain));
+ assert(res >= 0);
+ assert(strcmp(type, "_wat._sub._qotd._udp") == 0);
+ assert(strcmp(domain, "hey.local") == 0);
+
+ res = avahi_service_name_split("wat.bogus.service.local", name, sizeof(name), type, sizeof(type), domain, sizeof(domain));
+ assert(res == AVAHI_ERR_INVALID_SERVICE_TYPE);
+
+ res = avahi_service_name_split("bogus.service.local", NULL, 0, type, sizeof(type), domain, sizeof(domain));
+ assert(res == AVAHI_ERR_INVALID_SERVICE_TYPE);
+
+ res = avahi_service_name_split("", name, sizeof(name), type, sizeof(type), domain, sizeof(domain));
+ assert(res == AVAHI_ERR_INVALID_SERVICE_NAME);
+
+ res = avahi_service_name_split("", NULL, 0, type, sizeof(type), domain, sizeof(domain));
+ assert(res == AVAHI_ERR_INVALID_SERVICE_TYPE);
+
return 0;
}
diff --git a/avahi-common/domain.c b/avahi-common/domain.c
index c7af116..9e93018 100644
--- a/avahi-common/domain.c
+++ b/avahi-common/domain.c
@@ -501,6 +501,7 @@ int avahi_service_name_split(const char *p, char *name, size_t name_size, char *
DOMAIN
} state;
int type_empty = 1, domain_empty = 1;
+ char *oname, *otype, *odomain;
assert(p);
assert(type);
@@ -508,6 +509,10 @@ int avahi_service_name_split(const char *p, char *name, size_t name_size, char *
assert(domain);
assert(domain_size > 0);
+ oname = name;
+ otype = type;
+ odomain = domain;
+
if (name) {
assert(name_size > 0);
*name = 0;
@@ -570,6 +575,15 @@ int avahi_service_name_split(const char *p, char *name, size_t name_size, char *
}
}
+ if ((oname && !avahi_is_valid_service_name(oname)))
+ return AVAHI_ERR_INVALID_SERVICE_NAME;
+
+ if (!avahi_is_valid_service_type_generic(otype))
+ return AVAHI_ERR_INVALID_SERVICE_TYPE;
+
+ if (!avahi_is_valid_domain_name(odomain))
+ return AVAHI_ERR_INVALID_DOMAIN_NAME;
+
return 0;
}
diff --git a/avahi-core/browse-service-type.c b/avahi-core/browse-service-type.c
index b1fc7af..f0d6938 100644
--- a/avahi-core/browse-service-type.c
+++ b/avahi-core/browse-service-type.c
@@ -65,7 +65,7 @@ static void record_browser_callback(
assert(record->key->type == AVAHI_DNS_TYPE_PTR);
if (avahi_service_name_split(record->data.ptr.name, NULL, 0, type, sizeof(type), domain, sizeof(domain)) < 0) {
- avahi_log_warn("Invalid service type '%s'", record->key->name);
+ avahi_log_debug("Failed to split service name '%s'", record->data.ptr.name);
return;
}
diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
index 63e0275..e924bae 100644
--- a/avahi-core/browse-service.c
+++ b/avahi-core/browse-service.c
@@ -69,7 +69,7 @@ static void record_browser_callback(
flags |= AVAHI_LOOKUP_RESULT_LOCAL;
if (avahi_service_name_split(record->data.ptr.name, service, sizeof(service), type, sizeof(type), domain, sizeof(domain)) < 0) {
- avahi_log_warn("Failed to split '%s'", record->key->name);
+ avahi_log_debug("Failed to split service name '%s'", record->data.ptr.name);
return;
}

17
avahi.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Thu Jun 20 16:01:22 UTC 2024 - Michael Gorse <mgorse@suse.com>
- Add avahi-filter-bogus-services.patch: no longer supply bogus
services to callbacks (bsc#1226586).
-------------------------------------------------------------------
Thu Apr 4 13:44:36 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Tag hardening patches as PATCH-FEATURE-OPENSUSE
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Mar 26 02:28:37 UTC 2024 - Xiaoguang Wang <xiaoguang.wang@suse.com> Tue Mar 26 02:28:37 UTC 2024 - Xiaoguang Wang <xiaoguang.wang@suse.com>
@ -6,6 +17,12 @@ Tue Mar 26 02:28:37 UTC 2024 - Xiaoguang Wang <xiaoguang.wang@suse.com>
- Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource - Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource
records (bsc#1216598, CVE-2023-38469). records (bsc#1216598, CVE-2023-38469).
-------------------------------------------------------------------
Tue Mar 12 14:42:24 UTC 2024 - pgajdos@suse.com
- remove dependency on /usr/bin/python3 using
%python3_fix_shebang macro, [bsc#1212476]
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Nov 30 05:23:33 UTC 2023 - Alynx Zhou <alynx.zhou@suse.com> Thu Nov 30 05:23:33 UTC 2023 - Alynx Zhou <alynx.zhou@suse.com>

12
avahi.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package avahi # spec file for package avahi
# #
# Copyright (c) 2023 SUSE LLC # Copyright (c) 2024 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -97,7 +97,9 @@ Patch25: 0006-man-add-missing-bshell.1-symlink.patch
Patch26: 0007-Ship-avahi-discover-1-bssh-1-and-bvnc-1-also-for-GTK.patch Patch26: 0007-Ship-avahi-discover-1-bssh-1-and-bvnc-1-also-for-GTK.patch
# PATCH-FIX-UPSTREAM 0009-fix-bytestring-decoding-for-proper-display.patch mgorse@suse.com -- fix bytestring decoding for proper display. # PATCH-FIX-UPSTREAM 0009-fix-bytestring-decoding-for-proper-display.patch mgorse@suse.com -- fix bytestring decoding for proper display.
Patch27: 0009-fix-bytestring-decoding-for-proper-display.patch Patch27: 0009-fix-bytestring-decoding-for-proper-display.patch
# PATCH-FEATURE-OPENSUSE
Patch28: harden_avahi-daemon.service.patch Patch28: harden_avahi-daemon.service.patch
# PATCH-FEATURE-OPENSUSE
Patch29: harden_avahi-dnsconfd.service.patch Patch29: harden_avahi-dnsconfd.service.patch
# PATCH-FIX-UPSTREAM avahi-CVE-2023-1981.patch boo#1210328 mgorse@suse.com -- emit error if requested service is not found. # PATCH-FIX-UPSTREAM avahi-CVE-2023-1981.patch boo#1210328 mgorse@suse.com -- emit error if requested service is not found.
Patch30: avahi-CVE-2023-1981.patch Patch30: avahi-CVE-2023-1981.patch
@ -111,6 +113,8 @@ Patch33: avahi-CVE-2023-38472.patch
Patch34: avahi-CVE-2023-38469.patch Patch34: avahi-CVE-2023-38469.patch
# PATCH-FIX-UPSTREAM avahi-CVE-2023-38471.patch bsc#1216594 xwang@suse.com -- Extract host name using avahi_unescape_label # PATCH-FIX-UPSTREAM avahi-CVE-2023-38471.patch bsc#1216594 xwang@suse.com -- Extract host name using avahi_unescape_label
Patch35: avahi-CVE-2023-38471.patch Patch35: avahi-CVE-2023-38471.patch
# PATCH-FIX-UPSTREAM avahi-filter-bogus-services.patch bsc#1226586 mgorse@suse.com -- no longer supply bogus services to callbacks.
Patch36: avahi-filter-bogus-services.patch
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gdbm-devel BuildRequires: gdbm-devel
@ -420,8 +424,6 @@ Avahi is an implementation of the DNS Service Discovery and Multicast
DNS specifications for Zeroconf Computing. DNS specifications for Zeroconf Computing.
# This is the avahi-discover command, only provided for the primary python3 flavor # This is the avahi-discover command, only provided for the primary python3 flavor
%package -n python3-avahi-gtk %package -n python3-avahi-gtk
Summary: A set of Avahi utilities written in Python Using python-gtk Summary: A set of Avahi utilities written in Python Using python-gtk
@ -429,7 +431,7 @@ Group: Development/Languages/Python
Requires: python3-avahi = %{version} Requires: python3-avahi = %{version}
Requires: python3-gobject Requires: python3-gobject
Requires(post): coreutils Requires(post): coreutils
Requires(postun):coreutils Requires(postun): coreutils
Provides: %{oldpython}-avahi-gtk = %{version} Provides: %{oldpython}-avahi-gtk = %{version}
Obsoletes: %{oldpython}-avahi-gtk < %{version} Obsoletes: %{oldpython}-avahi-gtk < %{version}
# Provide split-provides for update from <= 11.0: # Provide split-provides for update from <= 11.0:
@ -604,6 +606,8 @@ rm -rf %{buildroot}%{_sysconfdir}/init.d/
rm -rf %{buildroot}%{_sysconfdir}/avahi/services/ssh.service rm -rf %{buildroot}%{_sysconfdir}/avahi/services/ssh.service
rm -rf %{buildroot}%{_sysconfdir}/avahi/services/sftp-ssh.service rm -rf %{buildroot}%{_sysconfdir}/avahi/services/sftp-ssh.service
%python3_fix_shebang
%if !%{build_core} %if !%{build_core}
cd .. cd ..
%make_build install-pkgconfigDATA DESTDIR=%{buildroot} %make_build install-pkgconfigDATA DESTDIR=%{buildroot}