Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package avahi for openSUSE:Factory checked in at 2023-04-13 14:09:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/avahi (Old) and /work/SRC/openSUSE:Factory/.avahi.new.19717 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "avahi" Thu Apr 13 14:09:49 2023 rev:157 rq:1078524 version:0.8 Changes: -------- --- /work/SRC/openSUSE:Factory/avahi/avahi.changes 2022-12-21 16:06:16.746437521 +0100 +++ /work/SRC/openSUSE:Factory/.avahi.new.19717/avahi.changes 2023-04-13 14:09:57.892026936 +0200 @@ -1,0 +2,6 @@ +Tue Apr 11 21:00:12 UTC 2023 - Michael Gorse <[email protected]> + +- Add avahi-CVE-2023-1981.patch: emit error if requested service + is not found (boo#1210328 CVE-2023-1981). + +------------------------------------------------------------------- New: ---- avahi-CVE-2023-1981.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ avahi.spec ++++++ --- /var/tmp/diff_new_pack.uVRszS/_old 2023-04-13 14:09:58.604031024 +0200 +++ /var/tmp/diff_new_pack.uVRszS/_new 2023-04-13 14:09:58.612031071 +0200 @@ -1,7 +1,7 @@ # # spec file # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -99,6 +99,8 @@ Patch27: 0009-fix-bytestring-decoding-for-proper-display.patch Patch28: harden_avahi-daemon.service.patch Patch29: harden_avahi-dnsconfd.service.patch +# PATCH-FIX-UPSTREAM avahi-CVE-2023-1981.patch boo#1210328 [email protected] -- emit error if requested service is not found. +Patch30: avahi-CVE-2023-1981.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gdbm-devel @@ -417,6 +419,7 @@ + # This is the avahi-discover command, only provided for the primary python3 flavor %package -n python3-avahi-gtk Summary: A set of Avahi utilities written in Python Using python-gtk @@ -510,6 +513,7 @@ %patch27 -p1 %patch28 -p1 %patch29 -p1 +%patch30 -p1 %if !%{build_core} # Replace all .la references from local .la files to installed versions ++++++ avahi-CVE-2023-1981.patch ++++++ >From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <[email protected]> Date: Thu, 17 Nov 2022 01:51:53 +0100 Subject: [PATCH] Emit error if requested service is not found It currently just crashes instead of replying with error. Check return value and emit error instead of passing NULL pointer to reply. Fixes #375 --- avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c index 70d7687..406d0b4 100644 --- a/avahi-daemon/dbus-protocol.c +++ b/avahi-daemon/dbus-protocol.c @@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM } t = avahi_alternative_host_name(n); - avahi_dbus_respond_string(c, m, t); - avahi_free(t); + if (t) { + avahi_dbus_respond_string(c, m, t); + avahi_free(t); - return DBUS_HANDLER_RESULT_HANDLED; + return DBUS_HANDLER_RESULT_HANDLED; + } else { + return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found"); + } } static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) { @@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB } t = avahi_alternative_service_name(n); - avahi_dbus_respond_string(c, m, t); - avahi_free(t); + if (t) { + avahi_dbus_respond_string(c, m, t); + avahi_free(t); - return DBUS_HANDLER_RESULT_HANDLED; + return DBUS_HANDLER_RESULT_HANDLED; + } else { + return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found"); + } } static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) { -- 2.40.0
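Review bot: The new `else` branch in dbus_get_alternative_host_name replies with `AVAHI_ERR_NOT_FOUND` and "Hostname not found", but nothing in this handler performs a lookup. A NULL from avahi_alternative_host_name() most likely means the caller-supplied name was rejected as invalid or an allocation failed; the helper's body is not part of this patch, so this should be confirmed. If so, a D-Bus client that sent a malformed name is told that a host is missing rather than that its input was bad, which also makes these rejections harder to recognise in logs; consider `return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_HOST_NAME, "Invalid host name");`. The second hunk (dbus_get_alternative_service_name) has the same mismatch and would take `AVAHI_ERR_INVALID_SERVICE_NAME`. Both functions begin above their hunks, so the parsing that produces `n` is not visible here; a short comment such as `/* NULL: name was rejected or allocation failed */` above each `if (t)` would record why the check exists.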
