From 13a4ac00ec4d0f7144d9e7821206e51b92d1525490adb314ae6851dafe4785d4 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger <dimstar@opensuse.org>
Date: Wed, 27 Mar 2024 08:21:54 +0000
Subject: [PATCH] Accepting request 1162477 from
 home:xiaoguang_wang:branches:GNOME:Factory

- Add avahi-CVE-2023-38471.patch: Extract host name using
  avahi_unescape_label (bsc#1216594, CVE-2023-38471).
- Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource
  records (bsc#1216598, CVE-2023-38469).

OBS-URL: https://build.opensuse.org/request/show/1162477
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/avahi?expand=0&rev=239
---
 avahi-CVE-2023-38469.patch | 46 ++++++++++++++++++++++++
 avahi-CVE-2023-38471.patch | 71 ++++++++++++++++++++++++++++++++++++++
 avahi.changes              |  8 +++++
 avahi.spec                 |  7 +++-
 4 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 avahi-CVE-2023-38469.patch
 create mode 100644 avahi-CVE-2023-38471.patch

diff --git a/avahi-CVE-2023-38469.patch b/avahi-CVE-2023-38469.patch
new file mode 100644
index 0000000..82109c3
--- /dev/null
+++ b/avahi-CVE-2023-38469.patch
@@ -0,0 +1,46 @@
+From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 23 Oct 2023 20:29:31 +0000
+Subject: [PATCH] core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+CVE-2023-38469
+---
+ avahi-core/rr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/rr.c b/avahi-core/rr.c
+index 2bb8924..9c04ebb 100644
+--- a/avahi-core/rr.c
++++ b/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/defs.h>
+ 
++#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
+         case AVAHI_DNS_TYPE_TXT: {
+ 
+             AvahiStringList *strlst;
++            size_t used = 0;
+ 
+-            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
++            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+                 if (strlst->size > 255 || strlst->size <= 0)
+                     return 0;
+ 
++                used += 1+strlst->size;
++                if (used > AVAHI_DNS_RDATA_MAX)
++                    return 0;
++            }
++
+             return 1;
+         }
+     }
+-- 
+2.44.0
+
diff --git a/avahi-CVE-2023-38471.patch b/avahi-CVE-2023-38471.patch
new file mode 100644
index 0000000..8b8cf8a
--- /dev/null
+++ b/avahi-CVE-2023-38471.patch
@@ -0,0 +1,71 @@
+From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] core: extract host name using avahi_unescape_label()
+
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+
+Fixes #453
+
+CVE-2023-38471
+---
+ avahi-core/server.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index c32637a..f6a21bb 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
+ }
+ 
+ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+-    char *hn = NULL;
++    char label_escaped[AVAHI_LABEL_MAX*4+1];
++    char label[AVAHI_LABEL_MAX];
++    char *hn = NULL, *h;
++    size_t len;
++
+     assert(s);
+ 
+     AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+ 
+-    hn[strcspn(hn, ".")] = 0;
++    h = hn;
++    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
++        avahi_free(h);
++        return AVAHI_ERR_INVALID_HOST_NAME;
++    }
++
++    avahi_free(h);
++
++    h = label_escaped;
++    len = sizeof(label_escaped);
++    if (!avahi_escape_label(label, strlen(label), &h, &len))
++        return AVAHI_ERR_INVALID_HOST_NAME;
+ 
+-    if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+-        avahi_free(hn);
++    if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+-    }
+ 
+     withdraw_host_rrs(s);
+ 
+     avahi_free(s->host_name);
+-    s->host_name = hn;
++    s->host_name = avahi_strdup(label_escaped);
++    if (!s->host_name)
++        return AVAHI_ERR_NO_MEMORY;
+ 
+     update_fqdn(s);
+ 
+-- 
+2.44.0
+
diff --git a/avahi.changes b/avahi.changes
index 586aeab..b9743c7 100644
--- a/avahi.changes
+++ b/avahi.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Mar 26 02:28:37 UTC 2024 - Xiaoguang Wang <xiaoguang.wang@suse.com>
+
+- Add avahi-CVE-2023-38471.patch: Extract host name using
+  avahi_unescape_label (bsc#1216594, CVE-2023-38471).
+- Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource
+  records (bsc#1216598, CVE-2023-38469).
+
 -------------------------------------------------------------------
 Tue Mar 12 14:42:24 UTC 2024 - pgajdos@suse.com
 
diff --git a/avahi.spec b/avahi.spec
index 134c2e1..2cc629f 100644
--- a/avahi.spec
+++ b/avahi.spec
@@ -107,6 +107,10 @@ Patch31:        avahi-CVE-2023-38473.patch
 Patch32:        avahi-CVE-2023-38470.patch
 # PATCH-FIX-UPSTREAM avahi-CVE-2023-38472.patch bsc#1216853 alynx.zhou@suse.com -- Fix reachable assertion in avahi_rdata_parse
 Patch33:        avahi-CVE-2023-38472.patch
+# PATCH-FIX-UPSTREAM avahi-CVE-2023-38469.patch bsc#1216598 xwang@suse.com -- Reject overly long TXT resource records
+Patch34:        avahi-CVE-2023-38469.patch
+# PATCH-FIX-UPSTREAM avahi-CVE-2023-38471.patch bsc#1216594 xwang@suse.com -- Extract host name using avahi_unescape_label
+Patch35:        avahi-CVE-2023-38471.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  gdbm-devel
@@ -420,13 +424,14 @@ DNS specifications for Zeroconf Computing.
 
 
 # This is the avahi-discover command, only provided for the primary python3 flavor
+
 %package -n python3-avahi-gtk
 Summary:        A set of Avahi utilities written in Python Using python-gtk
 Group:          Development/Languages/Python
 Requires:       python3-avahi = %{version}
 Requires:       python3-gobject
 Requires(post): coreutils
-Requires(postun):coreutils
+Requires(postun): coreutils
 Provides:       %{oldpython}-avahi-gtk = %{version}
 Obsoletes:      %{oldpython}-avahi-gtk < %{version}
 # Provide split-provides for update from <= 11.0: