Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:avahi
Hi,

as discussed (internally) with Salvatore from the security team, I'd like to make a stable upload for avahi, fixing CVE-2021-3468 / #984938. The patch has been applied/reviewed upstream and was also uploaded to unstable.

Full debdiff is attached.

Regards,
Michael
diff --git a/debian/changelog b/debian/changelog index 88166628..f4b6f9c5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +avahi (0.8-5+deb11u2) bullseye; urgency=medium + + * Avoid infinite-loop in avahi-daemon by handling HUP event in client_work. + Fixes a local DoS that could be triggered by writing long lines to + /run/avahi-daemon/socket. (CVE-2021-3468, Closes: #984938) + + -- Michael Biebl <[email protected]> Tue, 10 Jan 2023 09:43:16 +0100 + avahi (0.8-5+deb11u1) bullseye; urgency=medium [ Simon McVittie ] diff --git a/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch b/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch new file mode 100644 index 00000000..a29444da --- /dev/null +++ b/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch 
@@ -0,0 +1,38 @@ +From: Riccardo Schirone <[email protected]> +Date: Fri, 26 Mar 2021 11:50:24 +0100 +Subject: Avoid infinite-loop in avahi-daemon by handling HUP event in + client_work + +If a client fills the input buffer, client_work() disables the +AVAHI_WATCH_IN event, thus preventing the function from executing the +`read` syscall the next times it is called. However, if the client then +terminates the connection, the socket file descriptor receives a HUP +event, which is not handled, thus the kernel keeps marking the HUP event +as occurring. While iterating over the file descriptors that triggered +an event, the client file descriptor will keep having the HUP event and +the client_work() function is always called with AVAHI_WATCH_HUP but +without nothing being done, thus entering an infinite loop. + +See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938 + +(cherry picked from commit 447affe29991ee99c6b9732fc5f2c1048a611d3b) +--- + avahi-daemon/simple-protocol.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c +index 3e0ebb1..6c0274d 100644 +--- a/avahi-daemon/simple-protocol.c ++++ b/avahi-daemon/simple-protocol.c +@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv + } + } + ++ if (events & AVAHI_WATCH_HUP) { ++ client_free(c); ++ return; ++ } ++ + c->server->poll_api->watch_update( + watch, + (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) | diff --git a/debian/patches/series b/debian/patches/series index 7b513a9c..cdfebce3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,4 @@ build-db-Use-the-same-database-format-that-the-C-code-exp.patch avahi-discover-Escape-strings-substituted-into-Pango-mark.patch Do-not-disable-timeout-cleanup-on-watch-cleanup.patch Fix-NULL-pointer-crashes-from-175.patch +Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
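Review bot: in the simple-protocol.c hunk, the `return;` directly after `client_free(c);` in the new `if (events & AVAHI_WATCH_HUP)` block is load-bearing and deserves a one-line comment: the very next statement is `c->server->poll_api->watch_update(watch, ...)`, which would dereference the just-freed client (and its watch) if control fell through. Placing the HUP check after the IN/OUT handling is the right order, since a client whose AVAHI_WATCH_IN was disabled for a full buffer (the situation the commit message describes) now has a path to be torn down instead of re-triggering client_work() with only AVAHI_WATCH_HUP set; the debian/changelog entry and the debian/patches/series addition are consistent with that.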

