Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id
<502b8fb37ece620c9723446611a9287974ba5a0c.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1028386,
regarding bullseye-pu: package avahi/0.8-5+deb11u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1028386: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028386
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:avahi
Hi,
as discussed (internally) with Salvatore from the security team,
I'd like to make a stable upload for avahi, fixing CVE-2021-3468 / #984938.
The patch has been applied/reviewed upstream and was also uploaded to
unstable.
Full debdiff is attached.
Regards,
Michael
diff --git a/debian/changelog b/debian/changelog
index 88166628..f4b6f9c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+avahi (0.8-5+deb11u2) bullseye; urgency=medium
+
+ * Avoid infinite-loop in avahi-daemon by handling HUP event in client_work.
+ Fixes a local DoS that could be triggered by writing long lines to
+ /run/avahi-daemon/socket. (CVE-2021-3468, Closes: #984938)
+
+ -- Michael Biebl <[email protected]> Tue, 10 Jan 2023 09:43:16 +0100
+
avahi (0.8-5+deb11u1) bullseye; urgency=medium
[ Simon McVittie ]
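Review bot: The new 0.8-5+deb11u2 entry names only "writing long lines to /run/avahi-daemon/socket" as the trigger, while the patch description in the same upload says the loop starts once a client has filled the input buffer and then terminates the connection. Mentioning the disconnect in the entry would make the changelog match the patch header and help anyone triaging CVE-2021-3468 from the changelog alone.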
diff --git
a/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
b/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
new file mode 100644
index 00000000..a29444da
--- /dev/null
+++
b/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
@@ -0,0 +1,38 @@
+From: Riccardo Schirone <[email protected]>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+
+(cherry picked from commit 447affe29991ee99c6b9732fc5f2c1048a611d3b)
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb1..6c0274d 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch,
AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+ }
+ }
+
++ if (events & AVAHI_WATCH_HUP) {
++ client_free(c);
++ return;
++ }
++
+ c->server->poll_api->watch_update(
+ watch,
+ (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
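Review bot: The check added at the end of client_work() tests only AVAHI_WATCH_HUP, so if AVAHI_WATCH_ERR can also be reported for this descriptor without being consumed, the busy loop described in the patch header could remain. Consider `if (events & (AVAHI_WATCH_HUP | AVAHI_WATCH_ERR))`, or note why ERR cannot occur here. A one-line comment above the check, saying that a hung-up client is freed because the HUP event stays set until the descriptor is closed, would keep the rationale in the source rather than only in the patch header. The `return` after `client_free(c)` is required and should stay, since the watch_update() call that follows dereferences `c`.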
diff --git a/debian/patches/series b/debian/patches/series
index 7b513a9c..cdfebce3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@
build-db-Use-the-same-database-format-that-the-C-code-exp.patch
avahi-discover-Escape-strings-substituted-into-Pango-mark.patch
Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
Fix-NULL-pointer-crashes-from-175.patch
+Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.7
Hi,
Each of the updates referred to in these requests was included in this
morning's 11.7 point release.
Regards,
Adam
--- End Message ---