Patch avahi for multiple CVEs (#11251)
Co-authored-by: Andrew Phelps <[email protected]> Co-authored-by: Riken Maharjan <[email protected]> Co-authored-by: jslobodzian <[email protected]>
1 parent
db971fc
commit 0f715e9
Showing
6 changed files
with
311 additions
and
1 deletion.
@@ -0,0 +1,43 @@ | ||
From c89fd5f2e85052f1f8b74ddeff38235932236889 Mon Sep 17 00:00:00 2001 | ||
From: Kanishk-Bansal <[email protected]> | ||
Date: Wed, 27 Nov 2024 08:48:59 +0000 | ||
Subject: [PATCH] Fix CVE patch | ||
|
||
--- | ||
avahi-core/rr.c | 9 ++++++++- | ||
1 file changed, 8 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/avahi-core/rr.c b/avahi-core/rr.c | ||
index 7fa0bee..b03a24c 100644 | ||
--- a/avahi-core/rr.c | ||
+++ b/avahi-core/rr.c | ||
@@ -32,6 +32,7 @@ | ||
#include <avahi-common/malloc.h> | ||
#include <avahi-common/defs.h> | ||
|
||
+#include "dns.h" | ||
#include "rr.h" | ||
#include "log.h" | ||
#include "util.h" | ||
@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r) { | ||
case AVAHI_DNS_TYPE_TXT: { | ||
|
||
AvahiStringList *strlst; | ||
+ size_t used = 0; | ||
|
||
- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) | ||
+ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) { | ||
if (strlst->size > 255 || strlst->size <= 0) | ||
return 0; | ||
|
||
+ used += 1+strlst->size; | ||
+ if (used > AVAHI_DNS_RDATA_MAX) | ||
+ return 0; | ||
+ } | ||
+ | ||
return 1; | ||
} | ||
} | ||
-- | ||
2.45.2 | ||
|
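Review bot: The patch header carries no CVE id and no upstream origin: `Subject: [PATCH] Fix CVE patch` does not say which CVE the TXT-length check in `avahi_record_is_valid` addresses, and the `From` hash and author are the packager's, so the file cannot be matched against an upstream avahi commit from its own contents. The patch that touches `avahi-daemon/dbus-entry-group.c` later in this commit has the same subject. I would name the id in each subject, `Subject: [PATCH] Fix CVE-<id>`, and add a provenance line to the message body such as `Upstream-reference: <upstream commit URL>` so the backport can be diffed against its source. In the code itself a short comment on `used += 1+strlst->size;` would help, for example `/* each TXT string costs one length byte plus its data */`.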
@@ -0,0 +1,51 @@ | ||
From cc5f44eb015384d8c764646c48b9da80f811446c Mon Sep 17 00:00:00 2001 | ||
From: Kanishk-Bansal <[email protected]> | ||
Date: Mon, 2 Dec 2024 10:25:43 +0000 | ||
Subject: [PATCH] Fix CVE-2023-38470 | ||
|
||
--- | ||
avahi-common/domain-test.c | 14 ++++++++++++++ | ||
avahi-common/domain.c | 2 +- | ||
2 files changed, 15 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c | ||
index cf763ec..3acc1c1 100644 | ||
--- a/avahi-common/domain-test.c | ||
+++ b/avahi-common/domain-test.c | ||
@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { | ||
printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo.")); | ||
avahi_free(s); | ||
|
||
+ printf("%s\n", s = avahi_normalize_name_strdup(".")); | ||
+ avahi_free(s); | ||
+ | ||
+ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}." | ||
+ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}" | ||
+ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`" | ||
+ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?." | ||
+ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}." | ||
+ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?" | ||
+ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM." | ||
+ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?." | ||
+ "}.?.?.?.}.=.?.?.}"); | ||
+ assert(s == NULL); | ||
+ | ||
printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff")); | ||
printf("%i\n", avahi_domain_equal("A", "a")); | ||
|
||
diff --git a/avahi-common/domain.c b/avahi-common/domain.c | ||
index 3b1ab68..e66d241 100644 | ||
--- a/avahi-common/domain.c | ||
+++ b/avahi-common/domain.c | ||
@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) { | ||
} | ||
|
||
if (!empty) { | ||
- if (size < 1) | ||
+ if (size < 2) | ||
return NULL; | ||
|
||
*(r++) = '.'; | ||
-- | ||
2.45.2 | ||
|
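Review bot: The new bound `if (size < 2)` in `avahi_normalize_name` is a bare number, and the only write visible after it is the single byte `*(r++) = '.';`, so a reader cannot tell from the hunk why one byte of room is no longer enough. A comment above the check would record the intent, for example `/* room for the '.' separator and at least one more byte of output */`; the wording should be confirmed against the rest of the function, which lies outside the hunk. In `domain-test.c` the oversized-name case is verified only by `assert(s == NULL);`, which is compiled out in an NDEBUG build, so an explicit `if (s) return 1;` would keep the regression check effective there.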
@@ -0,0 +1,63 @@ | ||
From 48467feda7135e3fa2392294387601f88a06f001 Mon Sep 17 00:00:00 2001 | ||
From: Kanishk-Bansal <[email protected]> | ||
Date: Mon, 2 Dec 2024 10:49:17 +0000 | ||
Subject: [PATCH] Fix CVE-2023-38471 patch | ||
|
||
--- | ||
avahi-core/server.c | 27 +++++++++++++++++++++------ | ||
1 file changed, 21 insertions(+), 6 deletions(-) | ||
|
||
diff --git a/avahi-core/server.c b/avahi-core/server.c | ||
index e507750..40f1d68 100644 | ||
--- a/avahi-core/server.c | ||
+++ b/avahi-core/server.c | ||
@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) { | ||
} | ||
|
||
int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { | ||
- char *hn = NULL; | ||
+ char label_escaped[AVAHI_LABEL_MAX*4+1]; | ||
+ char label[AVAHI_LABEL_MAX]; | ||
+ char *hn = NULL, *h; | ||
+ size_t len; | ||
+ | ||
assert(s); | ||
|
||
AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); | ||
@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { | ||
else | ||
hn = avahi_normalize_name_strdup(host_name); | ||
|
||
- hn[strcspn(hn, ".")] = 0; | ||
+ h = hn; | ||
+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { | ||
+ avahi_free(h); | ||
+ return AVAHI_ERR_INVALID_HOST_NAME; | ||
+ } | ||
+ | ||
+ avahi_free(h); | ||
+ | ||
+ h = label_escaped; | ||
+ len = sizeof(label_escaped); | ||
+ if (!avahi_escape_label(label, strlen(label), &h, &len)) | ||
+ return AVAHI_ERR_INVALID_HOST_NAME; | ||
|
||
- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { | ||
- avahi_free(hn); | ||
+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) | ||
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); | ||
- } | ||
|
||
withdraw_host_rrs(s); | ||
|
||
avahi_free(s->host_name); | ||
- s->host_name = hn; | ||
+ s->host_name = avahi_strdup(label_escaped); | ||
+ if (!s->host_name) | ||
+ return AVAHI_ERR_NO_MEMORY; | ||
|
||
update_fqdn(s); | ||
|
||
-- | ||
2.45.2 | ||
|
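Review bot: The new failure paths in `avahi_server_set_host_name` return raw codes (`return AVAHI_ERR_INVALID_HOST_NAME;`, `return AVAHI_ERR_NO_MEMORY;`) while the neighbouring no-change path goes through `avahi_server_set_errno(s, ...)`, so these failures presumably never reach the server's recorded error. The out-of-memory return is also reached after `withdraw_host_rrs(s)` and `avahi_free(s->host_name)`, which leaves `s->host_name` NULL with the host records already withdrawn; duplicating `label_escaped` before anything is torn down avoids that state. `hn` is handed to `avahi_unescape_label` without a NULL check although `avahi_normalize_name_strdup` can return NULL (the domain-test change in this commit asserts that it does for an oversized name), so a guard before `h = hn;` is worth adding for the allocation-failure case. The function begins and ends outside these hunks; the sketch shows only the lines I would change.

```c
    /* … unchanged: declarations, validity check, assignment of hn … */
    if (!hn)
        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);

    h = hn;
    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
        avahi_free(h);
        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
    }
    /* … unchanged: avahi_free(h), setup of h/len for label_escaped … */
    if (!avahi_escape_label(label, strlen(label), &h, &len))
        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
    /* … unchanged: AVAHI_ERR_NO_CHANGE check … */

    /* Allocate the replacement first so a failure leaves the old name intact. */
    if (!(hn = avahi_strdup(label_escaped)))
        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);

    withdraw_host_rrs(s);

    avahi_free(s->host_name);
    s->host_name = hn;
```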
@@ -0,0 +1,40 @@ | ||
From 2cc17a0febc2c1f70db147d9d56861f3520bacad Mon Sep 17 00:00:00 2001 | ||
From: Kanishk-Bansal <[email protected]> | ||
Date: Mon, 2 Dec 2024 04:44:07 +0000 | ||
Subject: [PATCH] Fix CVE patch | ||
|
||
--- | ||
avahi-client/client-test.c | 3 +++ | ||
avahi-daemon/dbus-entry-group.c | 2 +- | ||
2 files changed, 4 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c | ||
index 7d04a6a..57750a4 100644 | ||
--- a/avahi-client/client-test.c | ||
+++ b/avahi-client/client-test.c | ||
@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { | ||
printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL))); | ||
printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6)); | ||
|
||
+ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); | ||
+ assert(error != AVAHI_OK); | ||
+ | ||
avahi_entry_group_commit (group); | ||
|
||
domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); | ||
diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c | ||
index 4e879a5..aa23d4b 100644 | ||
--- a/avahi-daemon/dbus-entry-group.c | ||
+++ b/avahi-daemon/dbus-entry-group.c | ||
@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage | ||
if (!(r = avahi_record_new_full (name, clazz, type, ttl))) | ||
return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL); | ||
|
||
- if (avahi_rdata_parse (r, rdata, size) < 0) { | ||
+ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) { | ||
avahi_record_unref (r); | ||
return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL); | ||
} | ||
-- | ||
2.45.2 | ||
|
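Review bot: The added `!rdata ||` guard in `avahi_dbus_msg_entry_group_impl` has no comment saying when `rdata` can be NULL, and the accompanying test only hints at it by passing `""` with length 0. A one-line comment such as `/* a zero-length rdata array may arrive as a NULL pointer; reject it before parsing */` would keep the check from being dropped as redundant later; the condition is inferred from the test, so confirm it against the argument-extraction code above the hunk. In `client-test.c` the new case is verified only by `assert(error != AVAHI_OK);`, which is compiled out under NDEBUG, so printing the result the way the neighbouring `add_record` line does would keep it visible in every build.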
@@ -0,0 +1,101 @@ | ||
From e6348a0e1f1f42547dce80135afea806125654cc Mon Sep 17 00:00:00 2001 | ||
From: Kanishk-Bansal <[email protected]> | ||
Date: Mon, 2 Dec 2024 09:20:54 +0000 | ||
Subject: [PATCH] Fix CVE-2023-38473 | ||
|
||
--- | ||
avahi-common/alternative-test.c | 3 +++ | ||
avahi-common/alternative.c | 27 +++++++++++++++++++-------- | ||
2 files changed, 22 insertions(+), 8 deletions(-) | ||
|
||
diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c | ||
index 9255435..681fc15 100644 | ||
--- a/avahi-common/alternative-test.c | ||
+++ b/avahi-common/alternative-test.c | ||
@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { | ||
const char* const test_strings[] = { | ||
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", | ||
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü", | ||
+ ").", | ||
+ "\\.", | ||
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\", | ||
"gurke", | ||
"-", | ||
" #", | ||
diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c | ||
index b3d39f0..a094e6d 100644 | ||
--- a/avahi-common/alternative.c | ||
+++ b/avahi-common/alternative.c | ||
@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) { | ||
} | ||
|
||
char *avahi_alternative_host_name(const char *s) { | ||
+ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1]; | ||
+ char *alt, *r, *ret; | ||
const char *e; | ||
- char *r; | ||
+ size_t len; | ||
|
||
assert(s); | ||
|
||
if (!avahi_is_valid_host_name(s)) | ||
return NULL; | ||
|
||
- if ((e = strrchr(s, '-'))) { | ||
+ if (!avahi_unescape_label(&s, label, sizeof(label))) | ||
+ return NULL; | ||
+ | ||
+ if ((e = strrchr(label, '-'))) { | ||
const char *p; | ||
|
||
e++; | ||
@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) { | ||
|
||
if (e) { | ||
char *c, *m; | ||
- size_t l; | ||
int n; | ||
|
||
n = atoi(e)+1; | ||
if (!(m = avahi_strdup_printf("%i", n))) | ||
return NULL; | ||
|
||
- l = e-s-1; | ||
+ len = e-label-1; | ||
|
||
- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1) | ||
- l = AVAHI_LABEL_MAX-1-strlen(m)-1; | ||
+ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1) | ||
+ len = AVAHI_LABEL_MAX-1-strlen(m)-1; | ||
|
||
- if (!(c = avahi_strndup(s, l))) { | ||
+ if (!(c = avahi_strndup(label, len))) { | ||
avahi_free(m); | ||
return NULL; | ||
} | ||
@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) { | ||
} else { | ||
char *c; | ||
|
||
- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2))) | ||
+ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2))) | ||
return NULL; | ||
|
||
drop_incomplete_utf8(c); | ||
@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) { | ||
avahi_free(c); | ||
} | ||
|
||
+ alt = alternative; | ||
+ len = sizeof(alternative); | ||
+ ret = avahi_escape_label(r, strlen(r), &alt, &len); | ||
+ | ||
+ avahi_free(r); | ||
+ r = avahi_strdup(ret); | ||
+ | ||
assert(avahi_is_valid_host_name(r)); | ||
|
||
return r; | ||
-- | ||
2.45.2 | ||
|
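Review bot: The escaping step added at the end of `avahi_alternative_host_name` uses two results unchecked: `ret` from `avahi_escape_label` and `r` from `avahi_strdup(ret)`. The server.c patch in this commit treats a NULL from `avahi_escape_label` as a failure, and here a NULL would flow into `avahi_strdup` and then into `assert(avahi_is_valid_host_name(r))`. Since the function already returns NULL when an allocation fails, I would replace `r = avahi_strdup(ret);` with `if (!ret || !(r = avahi_strdup(ret))) return NULL;`. The function starts above the first hunk, so earlier handling of `r` is not visible here.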
|
@@ -3,7 +3,7 @@ | |
Summary: Local network service discovery | ||
Name: avahi | ||
Version: 0.8 | ||
Release: 2%{?dist} | ||
Release: 3%{?dist} | ||
License: LGPLv2+ | ||
Vendor: Microsoft Corporation | ||
Distribution: Mariner | ||
|
@@ -13,6 +13,11 @@ Patch0: %{name}-libevent-pc-fix.patch | |
Patch1: CVE-2021-3468.patch | ||
Patch2: CVE-2021-3502.patch | ||
Patch3: CVE-2023-1981.patch | ||
Patch4: CVE-2023-38470.patch | ||
Patch5: CVE-2023-38471.patch | ||
Patch6: CVE-2023-38472.patch | ||
Patch7: CVE-2023-38473.patch | ||
Patch8: CVE-2023-38469.patch | ||
BuildRequires: automake | ||
BuildRequires: dbus-devel >= 0.90 | ||
BuildRequires: dbus-glib-devel >= 0.70 | ||
|
@@ -406,6 +411,13 @@ exit 0 | |
%endif | ||
|
||
%changelog | ||
* Mon Dec 02 2024 Kanishk Bansal <[email protected]> - 0.8-3 | ||
- Fix CVE-2023-38473 wih an upstream patch | ||
- Fix CVE-2023-38472 wih an upstream patch | ||
- Fix CVE-2023-38471 wih an upstream patch | ||
- Fix CVE-2023-38470 wih an upstream patch | ||
- Fix CVE-2023-38469.patch with an upstream patch | ||
|
||
* Tue Oct 29 2024 Daniel McIlvaney <[email protected]> - 0.8-2 | ||
- Fix CVE-2023-1981 with an upstream patch | ||
|
||
|
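Review bot: The spec hunks declare `Patch4` through `Patch8` but none of them touches `%prep`, so whether the new patches are applied depends on lines outside the hunks: with `%autosetup` or `%autopatch` they are picked up automatically, with per-patch `%patch` lines they would be skipped without any error. It is worth confirming from the build log that all five are applied. `Patch8: CVE-2023-38469.patch` is listed after the 38470–38473 patches, which fixes the application order; a short comment saying whether that order is intentional would help. In the changelog, `wih` is a typo in four entries and the last entry names the file rather than the CVE; I would write `- Fix CVE-2023-38469 with an upstream patch`.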