Patch avahi for multiple CVEs (#11251)
Co-authored-by: Andrew Phelps <[email protected]>
Co-authored-by: Riken Maharjan <[email protected]>
Co-authored-by: jslobodzian <[email protected]>
4 people authored Dec 20, 2024
1 parent db971fc commit 0f715e9
Showing 6 changed files with 311 additions and 1 deletion.
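--- a/SPECS/avahi/CVE-2023-38469.patch
+++ b/SPECS/avahi/CVE-2023-38469.patch
@@ -0,0 +1,43 @@
+From c89fd5f2e85052f1f8b74ddeff38235932236889 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <[email protected]>
+Date: Wed, 27 Nov 2024 08:48:59 +0000
+Subject: [PATCH] Fix CVE patch
+
+---
+avahi-core/rr.c | 9 ++++++++-
+1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/rr.c b/avahi-core/rr.c
+index 7fa0bee..b03a24c 100644
+--- a/avahi-core/rr.c
++++ b/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+#include <avahi-common/malloc.h>
+#include <avahi-common/defs.h>
+
++#include "dns.h"
+#include "rr.h"
+#include "log.h"
+#include "util.h"
+@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
+case AVAHI_DNS_TYPE_TXT: {
+
+AvahiStringList *strlst;
++ size_t used = 0;
+
+- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
++ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+if (strlst->size > 255 || strlst->size <= 0)
+return 0;
+
++ used += 1+strlst->size;
++ if (used > AVAHI_DNS_RDATA_MAX)
++ return 0;
++ }
++
+return 1;
+}
+}
+--
+2.45.2
+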
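Review bot: The patch header does not record where this change comes from: `Subject: [PATCH] Fix CVE patch` names no CVE and no upstream commit is referenced, although the spec changelog describes it as an upstream patch. CVE-2023-38472.patch carries the same subject line, and none of the five patch files added here cites an upstream commit. I would retitle this one `Subject: [PATCH] Fix CVE-2023-38469` and add a body line such as `Upstream reference: <upstream commit URL>` to each file, so a later reviewer can diff the backport against its origin. The bound in the TXT case itself reads correctly: each string costs `1+strlst->size` bytes and the running total is compared with `AVAHI_DNS_RDATA_MAX` on every iteration.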

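--- a/SPECS/avahi/CVE-2023-38470.patch
+++ b/SPECS/avahi/CVE-2023-38470.patch
@@ -0,0 +1,51 @@
+From cc5f44eb015384d8c764646c48b9da80f811446c Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <[email protected]>
+Date: Mon, 2 Dec 2024 10:25:43 +0000
+Subject: [PATCH] Fix CVE-2023-38470
+
+---
+avahi-common/domain-test.c | 14 ++++++++++++++
+avahi-common/domain.c | 2 +-
+2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
+index cf763ec..3acc1c1 100644
+--- a/avahi-common/domain-test.c
++++ b/avahi-common/domain-test.c
+@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
+avahi_free(s);
+
++ printf("%s\n", s = avahi_normalize_name_strdup("."));
++ avahi_free(s);
++
++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
++ "}.?.?.?.}.=.?.?.}");
++ assert(s == NULL);
++
+printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
+printf("%i\n", avahi_domain_equal("A", "a"));
+
+diff --git a/avahi-common/domain.c b/avahi-common/domain.c
+index 3b1ab68..e66d241 100644
+--- a/avahi-common/domain.c
++++ b/avahi-common/domain.c
+@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) {
+}
+
+if (!empty) {
+- if (size < 1)
++ if (size < 2)
+return NULL;
+
+*(r++) = '.';
+--
+2.45.2
+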
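Review bot: The `size < 2` guard in avahi_normalize_name only guarantees room for the separator dot plus one further byte; whether the label written right after it is checked for fitting into the remaining buffer is decided in code outside this hunk. The function body continues past the last context line, so it should be confirmed against the patched tree that a label which still does not fit makes the function return NULL rather than having the failure ignored; upstream may carry a follow-up change for this CVE, which I could not verify from this page. In domain-test.c the regression check `assert(s == NULL);` disappears when the tests are built with NDEBUG, so an explicit `if (s) { avahi_free(s); return 1; }` would keep it effective in every build. The case added just before it passes the result of `avahi_normalize_name_strdup(".")` directly to `printf("%s\n", ...)`, which is undefined if that call returns NULL.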

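--- a/SPECS/avahi/CVE-2023-38471.patch
+++ b/SPECS/avahi/CVE-2023-38471.patch
@@ -0,0 +1,63 @@
+From 48467feda7135e3fa2392294387601f88a06f001 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <[email protected]>
+Date: Mon, 2 Dec 2024 10:49:17 +0000
+Subject: [PATCH] Fix CVE-2023-38471 patch
+
+---
+avahi-core/server.c | 27 +++++++++++++++++++++------
+1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index e507750..40f1d68 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
+}
+
+int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+- char *hn = NULL;
++ char label_escaped[AVAHI_LABEL_MAX*4+1];
++ char label[AVAHI_LABEL_MAX];
++ char *hn = NULL, *h;
++ size_t len;
++
+assert(s);
+
+AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+else
+hn = avahi_normalize_name_strdup(host_name);
+
+- hn[strcspn(hn, ".")] = 0;
++ h = hn;
++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
++ avahi_free(h);
++ return AVAHI_ERR_INVALID_HOST_NAME;
++ }
++
++ avahi_free(h);
++
++ h = label_escaped;
++ len = sizeof(label_escaped);
++ if (!avahi_escape_label(label, strlen(label), &h, &len))
++ return AVAHI_ERR_INVALID_HOST_NAME;
+
+- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+- avahi_free(hn);
++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+- }
+
+withdraw_host_rrs(s);
+
+avahi_free(s->host_name);
+- s->host_name = hn;
++ s->host_name = avahi_strdup(label_escaped);
++ if (!s->host_name)
++ return AVAHI_ERR_NO_MEMORY;
+
+update_fqdn(s);
+
+--
+2.45.2
+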
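Review bot: `hn` reaches `avahi_unescape_label()` without a NULL check, although both `avahi_get_host_name_strdup()` and `avahi_normalize_name_strdup()` allocate and can return NULL, so a failed allocation (or, presumably, a name that cannot be normalized) is dereferenced in avahi_server_set_host_name. The three new error returns also hand back a bare `AVAHI_ERR_*` code while the unchanged `AVAHI_ERR_NO_CHANGE` path goes through `avahi_server_set_errno(s, ...)`, so these paths appear to leave the server's stored error untouched. When `avahi_strdup(label_escaped)` fails, `s->host_name` is left NULL after `withdraw_host_rrs(s)` has already run; duplicating the string before the old name is released avoids that. The function starts in the first hunk and continues past the end of the second one.

```c
        hn = avahi_normalize_name_strdup(host_name);

    if (!hn)
        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);

    h = hn;
    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
        avahi_free(h);
        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
    }

    /* … unchanged: free h, point h/len at label_escaped … */
    if (!avahi_escape_label(label, strlen(label), &h, &len))
        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);

    /* … unchanged: AVAHI_ERR_NO_CHANGE check … */

    /* duplicate first, so a failed allocation leaves the current name and records in place */
    if (!(h = avahi_strdup(label_escaped)))
        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);

    withdraw_host_rrs(s);

    avahi_free(s->host_name);
    s->host_name = h;
```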

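--- a/SPECS/avahi/CVE-2023-38472.patch
+++ b/SPECS/avahi/CVE-2023-38472.patch
@@ -0,0 +1,40 @@
+From 2cc17a0febc2c1f70db147d9d56861f3520bacad Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <[email protected]>
+Date: Mon, 2 Dec 2024 04:44:07 +0000
+Subject: [PATCH] Fix CVE patch
+
+---
+avahi-client/client-test.c | 3 +++
+avahi-daemon/dbus-entry-group.c | 2 +-
+2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
+index 7d04a6a..57750a4 100644
+--- a/avahi-client/client-test.c
++++ b/avahi-client/client-test.c
+@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+
++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++ assert(error != AVAHI_OK);
++
+avahi_entry_group_commit (group);
+
+domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
+index 4e879a5..aa23d4b 100644
+--- a/avahi-daemon/dbus-entry-group.c
++++ b/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
+if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+
+- if (avahi_rdata_parse (r, rdata, size) < 0) {
++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+avahi_record_unref (r);
+return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+}
+--
+2.45.2
+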
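Review bot: The new `!rdata` test in avahi_dbus_msg_entry_group_impl has no comment saying which request produces a NULL pointer, and that is not obvious from the handler alone. Judging by the added client test, which sends `""` with size 0 and expects an error, this is the empty byte-array case; I would add `/* an empty rdata array arrives as a NULL pointer; reject it before avahi_rdata_parse() */` above the condition. The guard covers this D-Bus handler only, so any other caller of `avahi_rdata_parse` (none is visible here) still depends on passing a non-NULL buffer. The client test's `assert(error != AVAHI_OK);` is dropped under NDEBUG, so an explicit comparison with a failing exit would keep the regression check effective in every build.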

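--- a/SPECS/avahi/CVE-2023-38473.patch
+++ b/SPECS/avahi/CVE-2023-38473.patch
@@ -0,0 +1,101 @@
+From e6348a0e1f1f42547dce80135afea806125654cc Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <[email protected]>
+Date: Mon, 2 Dec 2024 09:20:54 +0000
+Subject: [PATCH] Fix CVE-2023-38473
+
+---
+avahi-common/alternative-test.c | 3 +++
+avahi-common/alternative.c | 27 +++++++++++++++++++--------
+2 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
+index 9255435..681fc15 100644
+--- a/avahi-common/alternative-test.c
++++ b/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+const char* const test_strings[] = {
+"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
++ ").",
++ "\\.",
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+"gurke",
+"-",
+" #",
+diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
+index b3d39f0..a094e6d 100644
+--- a/avahi-common/alternative.c
++++ b/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
+}
+
+char *avahi_alternative_host_name(const char *s) {
++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
++ char *alt, *r, *ret;
+const char *e;
+- char *r;
++ size_t len;
+
+assert(s);
+
+if (!avahi_is_valid_host_name(s))
+return NULL;
+
+- if ((e = strrchr(s, '-'))) {
++ if (!avahi_unescape_label(&s, label, sizeof(label)))
++ return NULL;
++
++ if ((e = strrchr(label, '-'))) {
+const char *p;
+
+e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
+
+if (e) {
+char *c, *m;
+- size_t l;
+int n;
+
+n = atoi(e)+1;
+if (!(m = avahi_strdup_printf("%i", n)))
+return NULL;
+
+- l = e-s-1;
++ len = e-label-1;
+
+- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
++ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+
+- if (!(c = avahi_strndup(s, l))) {
++ if (!(c = avahi_strndup(label, len))) {
+avahi_free(m);
+return NULL;
+}
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
+} else {
+char *c;
+
+- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+return NULL;
+
+drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
+avahi_free(c);
+}
+
++ alt = alternative;
++ len = sizeof(alternative);
++ ret = avahi_escape_label(r, strlen(r), &alt, &len);
++
++ avahi_free(r);
++ r = avahi_strdup(ret);
++
+assert(avahi_is_valid_host_name(r));
+
+return r;
+--
+2.45.2
+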
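Review bot: The result of `avahi_escape_label()` is never checked in the last hunk of alternative.c: `ret` goes straight into `avahi_strdup(ret)` and the outcome into `assert(avahi_is_valid_host_name(r))`, so an escape or allocation failure ends in an assertion, or is passed on unchecked under NDEBUG, instead of a NULL return. `strlen(r)` is also called before `r` is tested; `r` is assigned in lines outside the hunks, apparently from an allocating call, so a failed allocation there would be dereferenced. Returning NULL on each of these paths matches how avahi_alternative_host_name already reports its other failures. The function continues before and after the lines shown.

```c
    /* … unchanged: both branches that build r … */
    if (!r)
        return NULL;

    alt = alternative;
    len = sizeof(alternative);
    ret = avahi_escape_label(r, strlen(r), &alt, &len);

    avahi_free(r);
    if (!ret)
        return NULL;

    if (!(r = avahi_strdup(ret)))
        return NULL;

    assert(avahi_is_valid_host_name(r));
```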

14 changes: 13 additions & 1 deletion SPECS/avahi/avahi.spec
Expand Up @@ -3,7 +3,7 @@
Summary: Local network service discovery
Name: avahi
Version: 0.8
Release: 2%{?dist}
Release: 3%{?dist}
License: LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
Expand All @@ -13,6 +13,11 @@ Patch0: %{name}-libevent-pc-fix.patch
Patch1: CVE-2021-3468.patch
Patch2: CVE-2021-3502.patch
Patch3: CVE-2023-1981.patch
Patch4: CVE-2023-38470.patch
Patch5: CVE-2023-38471.patch
Patch6: CVE-2023-38472.patch
Patch7: CVE-2023-38473.patch
Patch8: CVE-2023-38469.patch
BuildRequires: automake
BuildRequires: dbus-devel >= 0.90
BuildRequires: dbus-glib-devel >= 0.70
Expand Down Expand Up @@ -406,6 +411,13 @@ exit 0
%endif

%changelog
* Mon Dec 02 2024 Kanishk Bansal <[email protected]> - 0.8-3
- Fix CVE-2023-38473 wih an upstream patch
- Fix CVE-2023-38472 wih an upstream patch
- Fix CVE-2023-38471 wih an upstream patch
- Fix CVE-2023-38470 wih an upstream patch
- Fix CVE-2023-38469.patch with an upstream patch

* Tue Oct 29 2024 Daniel McIlvaney <[email protected]> - 0.8-2
- Fix CVE-2023-1981 with an upstream patch

