Sync from SUSE:SLFO:Main avahi revision a84a51e308efc6edaaa3ab2b3403909a
This commit is contained in:
parent
d89aa177ff
commit
ed939eb83f
46
avahi-CVE-2023-38469.patch
Normal file
46
avahi-CVE-2023-38469.patch
Normal file
@ -0,0 +1,46 @@
|
||||
From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
|
||||
From: Evgeny Vereshchagin <evvers@ya.ru>
|
||||
Date: Mon, 23 Oct 2023 20:29:31 +0000
|
||||
Subject: [PATCH] core: reject overly long TXT resource records
|
||||
|
||||
Closes https://github.com/lathiat/avahi/issues/455
|
||||
|
||||
CVE-2023-38469
|
||||
---
|
||||
avahi-core/rr.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/avahi-core/rr.c b/avahi-core/rr.c
|
||||
index 2bb8924..9c04ebb 100644
|
||||
--- a/avahi-core/rr.c
|
||||
+++ b/avahi-core/rr.c
|
||||
@@ -32,6 +32,7 @@
|
||||
#include <avahi-common/malloc.h>
|
||||
#include <avahi-common/defs.h>
|
||||
|
||||
+#include "dns.h"
|
||||
#include "rr.h"
|
||||
#include "log.h"
|
||||
#include "util.h"
|
||||
@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
|
||||
case AVAHI_DNS_TYPE_TXT: {
|
||||
|
||||
AvahiStringList *strlst;
|
||||
+ size_t used = 0;
|
||||
|
||||
- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
|
||||
+ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
|
||||
if (strlst->size > 255 || strlst->size <= 0)
|
||||
return 0;
|
||||
|
||||
+ used += 1+strlst->size;
|
||||
+ if (used > AVAHI_DNS_RDATA_MAX)
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.44.0
|
||||
|
71
avahi-CVE-2023-38471.patch
Normal file
71
avahi-CVE-2023-38471.patch
Normal file
@ -0,0 +1,71 @@
|
||||
From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Mon, 23 Oct 2023 13:38:35 +0200
|
||||
Subject: [PATCH] core: extract host name using avahi_unescape_label()
|
||||
|
||||
Previously we could create invalid escape sequence when we split the
|
||||
string on dot. For example, from valid host name "foo\\.bar" we have
|
||||
created invalid name "foo\\" and tried to set that as the host name
|
||||
which crashed the daemon.
|
||||
|
||||
Fixes #453
|
||||
|
||||
CVE-2023-38471
|
||||
---
|
||||
avahi-core/server.c | 27 +++++++++++++++++++++------
|
||||
1 file changed, 21 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/avahi-core/server.c b/avahi-core/server.c
|
||||
index c32637a..f6a21bb 100644
|
||||
--- a/avahi-core/server.c
|
||||
+++ b/avahi-core/server.c
|
||||
@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
|
||||
}
|
||||
|
||||
int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||
- char *hn = NULL;
|
||||
+ char label_escaped[AVAHI_LABEL_MAX*4+1];
|
||||
+ char label[AVAHI_LABEL_MAX];
|
||||
+ char *hn = NULL, *h;
|
||||
+ size_t len;
|
||||
+
|
||||
assert(s);
|
||||
|
||||
AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
|
||||
@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
|
||||
else
|
||||
hn = avahi_normalize_name_strdup(host_name);
|
||||
|
||||
- hn[strcspn(hn, ".")] = 0;
|
||||
+ h = hn;
|
||||
+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
|
||||
+ avahi_free(h);
|
||||
+ return AVAHI_ERR_INVALID_HOST_NAME;
|
||||
+ }
|
||||
+
|
||||
+ avahi_free(h);
|
||||
+
|
||||
+ h = label_escaped;
|
||||
+ len = sizeof(label_escaped);
|
||||
+ if (!avahi_escape_label(label, strlen(label), &h, &len))
|
||||
+ return AVAHI_ERR_INVALID_HOST_NAME;
|
||||
|
||||
- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
|
||||
- avahi_free(hn);
|
||||
+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
|
||||
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
|
||||
- }
|
||||
|
||||
withdraw_host_rrs(s);
|
||||
|
||||
avahi_free(s->host_name);
|
||||
- s->host_name = hn;
|
||||
+ s->host_name = avahi_strdup(label_escaped);
|
||||
+ if (!s->host_name)
|
||||
+ return AVAHI_ERR_NO_MEMORY;
|
||||
|
||||
update_fqdn(s);
|
||||
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 26 02:28:37 UTC 2024 - Xiaoguang Wang <xiaoguang.wang@suse.com>
|
||||
|
||||
- Add avahi-CVE-2023-38471.patch: Extract host name using
|
||||
avahi_unescape_label (bsc#1216594, CVE-2023-38471).
|
||||
- Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource
|
||||
records (bsc#1216598, CVE-2023-38469).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 30 05:23:33 UTC 2023 - Alynx Zhou <alynx.zhou@suse.com>
|
||||
|
||||
|
@ -107,6 +107,10 @@ Patch31: avahi-CVE-2023-38473.patch
|
||||
Patch32: avahi-CVE-2023-38470.patch
|
||||
# PATCH-FIX-UPSTREAM avahi-CVE-2023-38472.patch bsc#1216853 alynx.zhou@suse.com -- Fix reachable assertion in avahi_rdata_parse
|
||||
Patch33: avahi-CVE-2023-38472.patch
|
||||
# PATCH-FIX-UPSTREAM avahi-CVE-2023-38469.patch bsc#1216598 xwang@suse.com -- Reject overly long TXT resource records
|
||||
Patch34: avahi-CVE-2023-38469.patch
|
||||
# PATCH-FIX-UPSTREAM avahi-CVE-2023-38471.patch bsc#1216594 xwang@suse.com -- Extract host name using avahi_unescape_label
|
||||
Patch35: avahi-CVE-2023-38471.patch
|
||||
BuildRequires: fdupes
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: gdbm-devel
|
||||
|
Loading…
Reference in New Issue
Block a user