From 26d7dd19cc0178189ac566ca65f762b4e381fb0e Mon Sep 17 00:00:00 2001
From: wangkerong
Date: Tue, 15 Jun 2021 14:44:00 +0800
Subject: [PATCH] fix cve-2021-3468
---
 avahi.spec | 10 +++++++++-
 backport-CVE-2021-3468.patch | 37 ++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-3468.patch
diff --git a/avahi.spec b/avahi.spec
index 306dfff..87debe8 100644
--- a/avahi.spec
+++ b/avahi.spec
@@ -3,7 +3,7 @@
 Name: avahi
 Version: 0.8
-Release: 3
+Release: 4
 Summary: Avahi is a local network service discovery
 License: LGPLv2+
 URL: http://avahi.org
@@ -17,6 +17,8 @@ Patch3: 0003-fix-requires-in-pc-file.patch
 Patch4: 0004-fix-bytestring-decoding-for-proper-display.patch
 Patch5: 0005-avahi_dns_packet_consume_uint32-fix-potential-undefi.patch
+Patch6000: backport-CVE-2021-3468.patch
+
 BuildRequires: gcc automake libtool desktop-file-utils gtk2-devel glib2-devel
 BuildRequires: libcap-devel expat-devel gdbm-devel
 BuildRequires: intltool perl-XML-Parser xmltoman systemd libevent-devel
@@ -519,6 +521,12 @@ fi
 %{_mandir}/man8/*
 %changelog
+* Tue Jun 15 2021 wangkerong - 0.8-4
+- Type:CVE
+- ID:CVE-2021-3468
+- SUG:NA
+- DESC:fix CVE-2021-3468
+
 * Thu May 20 2021 hanhui - 0.8-3
 - Type:enhancement
 - ID:NA
diff --git a/backport-CVE-2021-3468.patch b/backport-CVE-2021-3468.patch
new file mode 100644
index 0000000..3e0725a
--- /dev/null
+++ b/backport-CVE-2021-3468.patch
@@ -0,0 +1,37 @@
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+ }
+ }
+
++ if (events & AVAHI_WATCH_HUP) {
++ client_free(c);
++ return;
++ }
++
+ c->server->poll_api->watch_update(
+ watch,
+ (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
-- Gitee
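Review bot: The guard added to client_work in the embedded simple-protocol.c patch tests only `AVAHI_WATCH_HUP`, so a socket that reports an error condition without a hang-up would presumably still fall through to `watch_update` with nothing consumed and could keep re-firing in the way the commit message describes. If the poll backend can deliver ERR to this callback, consider `if (events & (AVAHI_WATCH_HUP | AVAHI_WATCH_ERR)) {`. A short comment above the block, e.g. `/* Peer hung up: free the client, otherwise the unhandled HUP keeps waking this callback (CVE-2021-3468) */`, would keep the reason next to the code. The body of client_work starts and ends outside the hunk, so whether the earlier read/write branches already free `c` on errors cannot be confirmed from here.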