Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package avahi for openSUSE:Factory checked in at 2024-06-21 16:02:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/avahi (Old) and /work/SRC/openSUSE:Factory/.avahi.new.18349 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "avahi" Fri Jun 21 16:02:58 2024 rev:169 rq:1181998 version:0.8 Changes: -------- --- /work/SRC/openSUSE:Factory/avahi/avahi.changes 2024-04-05 20:24:33.291363851 +0200 +++ /work/SRC/openSUSE:Factory/.avahi.new.18349/avahi.changes 2024-06-21 16:03:34.866892287 +0200 @@ -1,0 +2,6 @@ +Thu Jun 20 16:01:22 UTC 2024 - Michael Gorse <mgo...@suse.com> + +- Add avahi-filter-bogus-services.patch: no longer supply bogus + services to callbacks (bsc#1226586). + +------------------------------------------------------------------- New: ---- avahi-filter-bogus-services.patch BETA DEBUG BEGIN: New: - Add avahi-filter-bogus-services.patch: no longer supply bogus services to callbacks (bsc#1226586). BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ avahi.spec ++++++ --- /var/tmp/diff_new_pack.Vdd7pt/_old 2024-06-21 16:03:35.726923833 +0200 +++ /var/tmp/diff_new_pack.Vdd7pt/_new 2024-06-21 16:03:35.730923980 +0200 @@ -113,6 +113,8 @@ Patch34: avahi-CVE-2023-38469.patch # PATCH-FIX-UPSTREAM avahi-CVE-2023-38471.patch bsc#1216594 xw...@suse.com -- Extract host name using avahi_unescape_label Patch35: avahi-CVE-2023-38471.patch +# PATCH-FIX-UPSTREAM avahi-filter-bogus-services.patch bsc#1226586 mgo...@suse.com -- no longer supply bogus services to callbacks. +Patch36: avahi-filter-bogus-services.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gdbm-devel @@ -421,8 +423,8 @@ Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zeroconf Computing. -# This is the avahi-discover command, only provided for the primary python3 flavor +# This is the avahi-discover command, only provided for the primary python3 flavor %package -n python3-avahi-gtk Summary: A set of Avahi utilities written in Python Using python-gtk Group: Development/Languages/Python ++++++ avahi-filter-bogus-services.patch ++++++ >From 93b14365c1c1e04efd1a890e8caa01a2a514bfd8 Mon Sep 17 00:00:00 2001 From: Evgeny Vereshchagin <evv...@ya.ru> Date: Sun, 12 Nov 2023 01:16:58 +0000 Subject: [PATCH] core: no longer supply bogus services to callbacks It was technically a DOS allowing packets with service names like "bogus.service.local" to bring down `avahi-browse -a`. In practice it was usually triggered by misconfigured smart devices but it isn't that hard to forge packets like that and send them deliberately. The tests are added to make sure invalid service names are rejected and valid service names keep working. The fuzz target is updated to make sure that avahi_service_name_split always supplies valid arguments to avahi_service_name_join. avahi now logs what exactly it fails to split ``` avahi-daemon[176]: Failed to split service name '0.1.9.1.8.8.e.f.f.f.f.a.a.1.4.7.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa' avahi-daemon[176]: Failed to split service name 'bogus\032.\032\209\129\208\181\209\128\208\178\208\184\209\129.local' avahi-daemon[176]: Failed to split service name '255.20.254.169.in-addr.arpa' avahi-daemon[176]: Failed to split service name 'bogus\032.\032\209\129\208\181\209\128\208\178\208\184\209\129.local' avahi-daemon[176]: Failed to split service name '33.93.168.192.in-addr.arpa' ``` when --debug is passed to it (which makes that part consistent with the other places where weird packets are rejected). Closes https://github.com/lathiat/avahi/issues/212 --- .github/workflows/smoke-tests.sh | 2 ++ avahi-common/domain-test.c | 36 ++++++++++++++++++++++++++++++++ avahi-common/domain.c | 14 +++++++++++++ avahi-core/browse-service-type.c | 2 +- avahi-core/browse-service.c | 2 +- fuzz/fuzz-packet.c | 18 ++++++++-------- 6 files changed, 63 insertions(+), 11 deletions(-) diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c index 7a662da..9679e98 100644 --- a/avahi-common/domain-test.c +++ b/avahi-common/domain-test.c @@ -26,6 +26,7 @@ #include <assert.h> #include "domain.h" +#include "error.h" #include "malloc.h" int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { @@ -34,6 +35,7 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { const char *p; size_t size; char name[64], type[AVAHI_DOMAIN_NAME_MAX], domain[AVAHI_DOMAIN_NAME_MAX]; + int res; printf("%s\n", s = avahi_normalize_name_strdup("foo.foo\\046.")); avahi_free(s); @@ -132,5 +134,39 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { assert(!avahi_is_valid_fqdn("::1")); assert(!avahi_is_valid_fqdn(".192.168.50.1.")); + res = avahi_service_name_split("test._ssh._tcp.local", name, sizeof(name), type, sizeof(type), domain, sizeof(domain)); + assert(res >= 0); + assert(strcmp(name, "test") == 0); + assert(strcmp(type, "_ssh._tcp") == 0); + assert(strcmp(domain, "local") == 0); + + res = avahi_service_name_split("test._hop._sub._ssh._tcp.local", name, sizeof(name), type, sizeof(type), domain, sizeof(domain)); + assert(res >= 0); + assert(strcmp(name, "test") == 0); + assert(strcmp(type, "_hop._sub._ssh._tcp") == 0); + assert(strcmp(domain, "local") == 0); + + res = avahi_service_name_split("_qotd._udp.hey.local", NULL, 0, type, sizeof(type), domain, sizeof(domain)); + assert(res >= 0); + assert(strcmp(type, "_qotd._udp") == 0); + assert(strcmp(domain, "hey.local") == 0); + + res = avahi_service_name_split("_wat._sub._qotd._udp.hey.local", NULL, 0, type, sizeof(type), domain, sizeof(domain)); + assert(res >= 0); + assert(strcmp(type, "_wat._sub._qotd._udp") == 0); + assert(strcmp(domain, "hey.local") == 0); + + res = avahi_service_name_split("wat.bogus.service.local", name, sizeof(name), type, sizeof(type), domain, sizeof(domain)); + assert(res == AVAHI_ERR_INVALID_SERVICE_TYPE); + + res = avahi_service_name_split("bogus.service.local", NULL, 0, type, sizeof(type), domain, sizeof(domain)); + assert(res == AVAHI_ERR_INVALID_SERVICE_TYPE); + + res = avahi_service_name_split("", name, sizeof(name), type, sizeof(type), domain, sizeof(domain)); + assert(res == AVAHI_ERR_INVALID_SERVICE_NAME); + + res = avahi_service_name_split("", NULL, 0, type, sizeof(type), domain, sizeof(domain)); + assert(res == AVAHI_ERR_INVALID_SERVICE_TYPE); + return 0; } diff --git a/avahi-common/domain.c b/avahi-common/domain.c index c7af116..9e93018 100644 --- a/avahi-common/domain.c +++ b/avahi-common/domain.c @@ -501,6 +501,7 @@ int avahi_service_name_split(const char *p, char *name, size_t name_size, char * DOMAIN } state; int type_empty = 1, domain_empty = 1; + char *oname, *otype, *odomain; assert(p); assert(type); @@ -508,6 +509,10 @@ int avahi_service_name_split(const char *p, char *name, size_t name_size, char * assert(domain); assert(domain_size > 0); + oname = name; + otype = type; + odomain = domain; + if (name) { assert(name_size > 0); *name = 0; @@ -570,6 +575,15 @@ int avahi_service_name_split(const char *p, char *name, size_t name_size, char * } } + if ((oname && !avahi_is_valid_service_name(oname))) + return AVAHI_ERR_INVALID_SERVICE_NAME; + + if (!avahi_is_valid_service_type_generic(otype)) + return AVAHI_ERR_INVALID_SERVICE_TYPE; + + if (!avahi_is_valid_domain_name(odomain)) + return AVAHI_ERR_INVALID_DOMAIN_NAME; + return 0; } diff --git a/avahi-core/browse-service-type.c b/avahi-core/browse-service-type.c index b1fc7af..f0d6938 100644 --- a/avahi-core/browse-service-type.c +++ b/avahi-core/browse-service-type.c @@ -65,7 +65,7 @@ static void record_browser_callback( assert(record->key->type == AVAHI_DNS_TYPE_PTR); if (avahi_service_name_split(record->data.ptr.name, NULL, 0, type, sizeof(type), domain, sizeof(domain)) < 0) { - avahi_log_warn("Invalid service type '%s'", record->key->name); + avahi_log_debug("Failed to split service name '%s'", record->data.ptr.name); return; } diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c index 63e0275..e924bae 100644 --- a/avahi-core/browse-service.c +++ b/avahi-core/browse-service.c @@ -69,7 +69,7 @@ static void record_browser_callback( flags |= AVAHI_LOOKUP_RESULT_LOCAL; if (avahi_service_name_split(record->data.ptr.name, service, sizeof(service), type, sizeof(type), domain, sizeof(domain)) < 0) { - avahi_log_warn("Failed to split '%s'", record->key->name); + avahi_log_debug("Failed to split service name '%s'", record->data.ptr.name); return; }
