From 96e904824be7064892ef2263e9b610d1179419b4 Mon Sep 17 00:00:00 2001 From: zppzhangpan Date: Mon, 6 Nov 2023 17:17:40 +0800 Subject: [PATCH] fix CVE-2023-38469 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473 --- avahi.spec | 10 ++- backport-0001-CVE-2023-38471.patch | 31 +++++++++ backport-0002-CVE-2023-38471.patch | 71 +++++++++++++++++++ backport-CVE-2023-38469.patch | 106 ++++++++++++++++++++++++++++ backport-CVE-2023-38472.patch | 44 ++++++++++++ backport-CVE-2023-38473.patch | 108 +++++++++++++++++++++++++++++ 6 files changed, 369 insertions(+), 1 deletion(-) create mode 100644 backport-0001-CVE-2023-38471.patch create mode 100644 backport-0002-CVE-2023-38471.patch create mode 100644 backport-CVE-2023-38469.patch create mode 100644 backport-CVE-2023-38472.patch create mode 100644 backport-CVE-2023-38473.patch diff --git a/avahi.spec b/avahi.spec index 03288b5..0a6af63 100644 --- a/avahi.spec +++ b/avahi.spec @@ -3,7 +3,7 @@ Name: avahi Version: 0.8 -Release: 16 +Release: 17 Summary: Avahi is a local network service discovery License: LGPLv2+ URL: http://avahi.org @@ -21,6 +21,11 @@ Patch6001: backport-CVE-2021-3468.patch Patch6002: backport-CVE-2021-36217.patch Patch6003: backport-CVE-2023-1981.patch Patch6004: backport-CVE-2023-38470.patch +Patch6005: backport-CVE-2023-38473.patch +Patch6006: backport-CVE-2023-38472.patch +Patch6007: backport-0001-CVE-2023-38471.patch +Patch6008: backport-0002-CVE-2023-38471.patch +Patch6009: backport-CVE-2023-38469.patch BuildRequires: gcc automake libtool desktop-file-utils gtk2-devel glib2-devel gcc-c++ BuildRequires: libcap-devel expat-devel gdbm-devel make @@ -558,6 +563,9 @@ fi %{_mandir}/man8/* %changelog +* Mon Nov 6 2023 zhangpan - 0.8-17 +- fix CVE-2023-38469 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473 + * Mon Oct 16 2023 zhangpan - 0.8-16 - fix CVE-2023-38470 diff --git a/backport-0001-CVE-2023-38471.patch b/backport-0001-CVE-2023-38471.patch new file mode 100644 index 0000000..5152952 --- /dev/null +++ b/backport-0001-CVE-2023-38471.patch @@ -0,0 +1,31 @@ +From 1c599d80f0cdd6845ad2e9bd91465d59c9b0c211 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Fri, 9 Dec 2022 14:33:16 +0000 +Subject: [PATCH] dbus: deny SetHostName via org.freedesktop.Avahi.Server2 as + well + +Looks like the policy wasn't updated when the Server2 interface was +introduced. + +It's a follow-up to https://github.com/lathiat/avahi/pull/175 + +Reference:https://github.com/lathiat/avahi/commit/1c599d80f0cdd6845ad2e9bd91465d59c9b0c211 +Conflict:NA + +--- + avahi-daemon/avahi-dbus.conf.in | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/avahi-daemon/avahi-dbus.conf.in b/avahi-daemon/avahi-dbus.conf.in +index 1df0cc478..a78f02850 100644 +--- a/avahi-daemon/avahi-dbus.conf.in ++++ b/avahi-daemon/avahi-dbus.conf.in +@@ -18,6 +18,8 @@ + + ++ + + + diff --git a/backport-0002-CVE-2023-38471.patch b/backport-0002-CVE-2023-38471.patch new file mode 100644 index 0000000..84e45ce --- /dev/null +++ b/backport-0002-CVE-2023-38471.patch @@ -0,0 +1,71 @@ +From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 23 Oct 2023 13:38:35 +0200 +Subject: [PATCH] core: extract host name using avahi_unescape_label() + +Previously we could create invalid escape sequence when we split the +string on dot. For example, from valid host name "foo\\.bar" we have +created invalid name "foo\\" and tried to set that as the host name +which crashed the daemon. + +Fixes #453 + +CVE-2023-38471 + +Reference:https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09 +Conflict:NA + +--- + avahi-core/server.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/avahi-core/server.c b/avahi-core/server.c +index c32637af8..f6a21bb77 100644 +--- a/avahi-core/server.c ++++ b/avahi-core/server.c +@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) { + } + + int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { +- char *hn = NULL; ++ char label_escaped[AVAHI_LABEL_MAX*4+1]; ++ char label[AVAHI_LABEL_MAX]; ++ char *hn = NULL, *h; ++ size_t len; ++ + assert(s); + + AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); +@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { + else + hn = avahi_normalize_name_strdup(host_name); + +- hn[strcspn(hn, ".")] = 0; ++ h = hn; ++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { ++ avahi_free(h); ++ return AVAHI_ERR_INVALID_HOST_NAME; ++ } ++ ++ avahi_free(h); ++ ++ h = label_escaped; ++ len = sizeof(label_escaped); ++ if (!avahi_escape_label(label, strlen(label), &h, &len)) ++ return AVAHI_ERR_INVALID_HOST_NAME; + +- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { +- avahi_free(hn); ++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) + return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); +- } + + withdraw_host_rrs(s); + + avahi_free(s->host_name); +- s->host_name = hn; ++ s->host_name = avahi_strdup(label_escaped); ++ if (!s->host_name) ++ return AVAHI_ERR_NO_MEMORY; + + update_fqdn(s); diff --git a/backport-CVE-2023-38469.patch b/backport-CVE-2023-38469.patch new file mode 100644 index 0000000..3db739a --- /dev/null +++ b/backport-CVE-2023-38469.patch @@ -0,0 +1,106 @@ +From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Mon, 23 Oct 2023 20:29:31 +0000 +Subject: [PATCH 1/2] core: reject overly long TXT resource records + +Closes https://github.com/lathiat/avahi/issues/455 + +CVE-2023-38469 + +Reference:https://github.com/lathiat/avahi/commit/61b9874ff91dd20a12483db07df29fe7f35db77f +Conflict:Adaptation Context + +--- + avahi-core/rr.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/avahi-core/rr.c b/avahi-core/rr.c +index 2bb89244..9c04ebbd 100644 +--- a/avahi-core/rr.c ++++ b/avahi-core/rr.c +@@ -32,6 +32,7 @@ + #include + #include + ++#include "dns.h" + #include "rr.h" + #include "log.h" + #include "util.h" +@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) { + case AVAHI_DNS_TYPE_TXT: { + + AvahiStringList *strlst; ++ size_t used = 0; + +- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) ++ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) { + if (strlst->size > 255 || strlst->size <= 0) + return 0; + ++ used += 1+strlst->size; ++ if (used > AVAHI_DNS_RDATA_MAX) ++ return 0; ++ } ++ + return 1; + } + } + +From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Wed, 25 Oct 2023 18:15:42 +0000 +Subject: [PATCH 2/2] tests: pass overly long TXT resource records + +to make sure they don't crash avahi any more. + +It reproduces https://github.com/lathiat/avahi/issues/455 +--- + avahi-client/client-test.c | 14 ++++++++++++++ + 1 files changed, 14 insertions(+) + +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c +index ba979988..da0e43ad 100644 +--- a/avahi-client/client-test.c ++++ b/avahi-client/client-test.c +@@ -22,6 +22,7 @@ + #endif + + #include ++#include + #include + + #include +@@ -33,6 +34,8 @@ + #include + #include + ++#include ++ + static const AvahiPoll *poll_api = NULL; + static AvahiSimplePoll *simple_poll = NULL; + +@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + uint32_t cookie; + struct timeval tv; + AvahiAddress a; ++ uint8_t rdata[AVAHI_DNS_RDATA_MAX+1]; ++ AvahiStringList *txt = NULL; ++ int r; + + simple_poll = avahi_simple_poll_new(); + poll_api = avahi_simple_poll_get(simple_poll); +@@ -261,6 +267,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); + assert(error != AVAHI_OK); + ++ memset(rdata, 1, sizeof(rdata)); ++ r = avahi_string_list_parse(rdata, sizeof(rdata), &txt); ++ assert(r >= 0); ++ assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata)); ++ error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt); ++ assert(error == AVAHI_ERR_INVALID_RECORD); ++ avahi_string_list_free(txt); ++ + avahi_entry_group_commit (group); + + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); diff --git a/backport-CVE-2023-38472.patch b/backport-CVE-2023-38472.patch new file mode 100644 index 0000000..ea6611f --- /dev/null +++ b/backport-CVE-2023-38472.patch @@ -0,0 +1,44 @@ +From d886dc5b1d3d2b76aaa38289245acfdfa979ca6c Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 19 Oct 2023 17:36:44 +0200 +Subject: [PATCH] core: make sure there is rdata to process before parsing it + +Fixes #452 + +CVE-2023-38472 + +Reference:https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40 +Conflict:NA + +--- + avahi-client/client-test.c | 3 +++ + avahi-daemon/dbus-entry-group.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c +index b3366d848..ba9799881 100644 +--- a/avahi-client/client-test.c ++++ b/avahi-client/client-test.c +@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL))); + printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6)); + ++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); ++ assert(error != AVAHI_OK); ++ + avahi_entry_group_commit (group); + + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); +diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c +index 4e879a5ba..aa23d4b6b 100644 +--- a/avahi-daemon/dbus-entry-group.c ++++ b/avahi-daemon/dbus-entry-group.c +@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage + if (!(r = avahi_record_new_full (name, clazz, type, ttl))) + return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL); + +- if (avahi_rdata_parse (r, rdata, size) < 0) { ++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) { + avahi_record_unref (r); + return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL); + } diff --git a/backport-CVE-2023-38473.patch b/backport-CVE-2023-38473.patch new file mode 100644 index 0000000..882b19e --- /dev/null +++ b/backport-CVE-2023-38473.patch @@ -0,0 +1,108 @@ +From 5edc17b7913cac824daa09fca9976c9c19e88822 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 11 Oct 2023 17:45:44 +0200 +Subject: [PATCH] common: derive alternative host name from its unescaped + version + +Normalization of input makes sure we don't have to deal with special +cases like unescaped dot at the end of label. + +Fixes #451 #487 +CVE-2023-38473 + +Reference:https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797 +Conflict:NA + +--- + avahi-common/alternative-test.c | 3 +++ + avahi-common/alternative.c | 27 +++++++++++++++++++-------- + 2 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c +index 9255435ec..681fc15b8 100644 +--- a/avahi-common/alternative-test.c ++++ b/avahi-common/alternative-test.c +@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + const char* const test_strings[] = { + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü", ++ ").", ++ "\\.", ++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\", + "gurke", + "-", + " #", +diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c +index b3d39f0ed..a094e6d76 100644 +--- a/avahi-common/alternative.c ++++ b/avahi-common/alternative.c +@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) { + } + + char *avahi_alternative_host_name(const char *s) { ++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1]; ++ char *alt, *r, *ret; + const char *e; +- char *r; ++ size_t len; + + assert(s); + + if (!avahi_is_valid_host_name(s)) + return NULL; + +- if ((e = strrchr(s, '-'))) { ++ if (!avahi_unescape_label(&s, label, sizeof(label))) ++ return NULL; ++ ++ if ((e = strrchr(label, '-'))) { + const char *p; + + e++; +@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) { + + if (e) { + char *c, *m; +- size_t l; + int n; + + n = atoi(e)+1; + if (!(m = avahi_strdup_printf("%i", n))) + return NULL; + +- l = e-s-1; ++ len = e-label-1; + +- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1) +- l = AVAHI_LABEL_MAX-1-strlen(m)-1; ++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1) ++ len = AVAHI_LABEL_MAX-1-strlen(m)-1; + +- if (!(c = avahi_strndup(s, l))) { ++ if (!(c = avahi_strndup(label, len))) { + avahi_free(m); + return NULL; + } +@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) { + } else { + char *c; + +- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2))) ++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2))) + return NULL; + + drop_incomplete_utf8(c); +@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) { + avahi_free(c); + } + ++ alt = alternative; ++ len = sizeof(alternative); ++ ret = avahi_escape_label(r, strlen(r), &alt, &len); ++ ++ avahi_free(r); ++ r = avahi_strdup(ret); ++ + assert(avahi_is_valid_host_name(r)); + + return r; -- Gitee