rpms
/
avahi
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import avahi-0.7-27.el8

Browse Source
c8-beta imports/c8-beta/avahi-0.7-27.el8
MSVSphere Packaging Team 11 months ago
commit b2addf5a91
18 changed files with 2373 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
.avahi.metadata
Unescape View File

@ -0,0 +1 @@
8a062878968c0f8e083046429647ad33b122542f SOURCES/avahi-0.7.tar.gz

1
.gitignore vendored
Unescape View File

@ -0,0 +1 @@
SOURCES/avahi-0.7.tar.gz

40
SOURCES/0001-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-.patch
Unescape View File

@ -0,0 +1,40 @@
From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
From: Riccardo Schirone <sirmy15@gmail.com>
Date: Fri, 26 Mar 2021 11:50:24 +0100
Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
client_work
If a client fills the input buffer, client_work() disables the
AVAHI_WATCH_IN event, thus preventing the function from executing the
`read` syscall the next times it is called. However, if the client then
terminates the connection, the socket file descriptor receives a HUP
event, which is not handled, thus the kernel keeps marking the HUP event
as occurring. While iterating over the file descriptors that triggered
an event, the client file descriptor will keep having the HUP event and
the client_work() function is always called with AVAHI_WATCH_HUP but
without nothing being done, thus entering an infinite loop.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
---
avahi-daemon/simple-protocol.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
index 3e0ebb1..6c0274d 100644
--- a/avahi-daemon/simple-protocol.c
+++ b/avahi-daemon/simple-protocol.c
@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
}
}
+ if (events & AVAHI_WATCH_HUP) {
+ client_free(c);
+ return;
+ }
+
c->server->poll_api->watch_update(
watch,
(c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
--
2.41.0

56
SOURCES/0001-Emit-error-if-requested-service-is-not-found.patch
Unescape View File

@ -0,0 +1,56 @@
From 509b0d14fa46b7015e0bacf2a8105f1d14d7b5e5 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 23 Aug 2023 18:51:46 +0200
Subject: [PATCH] Emit error if requested service is not found
It currently just crashes instead of replying with error. Check return
value and emit error instead of passing NULL pointer to reply.
Fixes #375
---
avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
index eb8a662..a9b62fe 100644
--- a/avahi-daemon/dbus-protocol.c
+++ b/avahi-daemon/dbus-protocol.c
@@ -391,10 +391,14 @@ static DBusHandlerResult msg_server_impl(DBusConnection *c, DBusMessage *m, AVAH
}
t = avahi_alternative_host_name(n);
- avahi_dbus_respond_string(c, m, t);
- avahi_free(t);
+ if (t) {
+ avahi_dbus_respond_string(c, m, t);
+ avahi_free(t);
- return DBUS_HANDLER_RESULT_HANDLED;
+ return DBUS_HANDLER_RESULT_HANDLED;
+ } else {
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
+ }
} else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "GetAlternativeServiceName")) {
char *n, *t;
@@ -405,10 +409,14 @@ static DBusHandlerResult msg_server_impl(DBusConnection *c, DBusMessage *m, AVAH
}
t = avahi_alternative_service_name(n);
- avahi_dbus_respond_string(c, m, t);
- avahi_free(t);
+ if (t) {
+ avahi_dbus_respond_string(c, m, t);
+ avahi_free(t);
- return DBUS_HANDLER_RESULT_HANDLED;
+ return DBUS_HANDLER_RESULT_HANDLED;
+ } else {
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
+ }
} else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "EntryGroupNew")) {
Client *client;
--
2.41.0

55
SOURCES/0001-Ensure-each-label-is-at-least-one-byte-long.patch
Unescape View File

@ -0,0 +1,55 @@
From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 11 Apr 2023 15:29:59 +0200
Subject: [PATCH] Ensure each label is at least one byte long
The only allowed exception is single dot, where it should return empty
string.
Fixes #454.
---
avahi-common/domain-test.c | 14 ++++++++++++++
avahi-common/domain.c | 2 +-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
index cf763ec..3acc1c1 100644
--- a/avahi-common/domain-test.c
+++ b/avahi-common/domain-test.c
@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
avahi_free(s);
+ printf("%s\n", s = avahi_normalize_name_strdup("."));
+ avahi_free(s);
+
+ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
+ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
+ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
+ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
+ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
+ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
+ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
+ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
+ "}.?.?.?.}.=.?.?.}");
+ assert(s == NULL);
+
printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
printf("%i\n", avahi_domain_equal("A", "a"));
diff --git a/avahi-common/domain.c b/avahi-common/domain.c
index 3b1ab68..e66d241 100644
--- a/avahi-common/domain.c
+++ b/avahi-common/domain.c
@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) {
}
if (!empty) {
- if (size < 1)
+ if (size < 2)
return NULL;
*(r++) = '.';
--
2.41.0

231
SOURCES/0001-avahi-python-Use-the-agnostic-DBM-interface.patch
Unescape View File

@ -0,0 +1,231 @@
From be7992f35ab4ed7ed9907319b429dc079c2b7285 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
Date: Tue, 11 Jul 2017 21:52:37 +0200
Subject: [PATCH] avahi-python: Use the agnostic DBM interface
Also fixes configure failing if Python 3 is the build python and GDBM is
enabled, since Py3 only has anydbm under the name of 'dbm'.
Not enough to make ServiceTypeDatabase.py compatible with Py3, but it's
a start.
(cherry picked from commit 63750f1be96ad08c407193b08bf3b9ee74310e2d)
Related: #1561019
---
avahi-python/avahi/Makefile.am | 15 +----------
avahi-python/avahi/ServiceTypeDatabase.py.in | 33 ++++++++++++++++++-------
configure.ac | 9 +++----
service-type-database/Makefile.am | 18 +++-----------
service-type-database/{build-db.in => build-db} | 13 +++++++---
5 files changed, 42 insertions(+), 46 deletions(-)
rename service-type-database/{build-db.in => build-db} (87%)
diff --git a/avahi-python/avahi/Makefile.am b/avahi-python/avahi/Makefile.am
index 3eb67d0..c906b9b 100644
--- a/avahi-python/avahi/Makefile.am
+++ b/avahi-python/avahi/Makefile.am
@@ -25,29 +25,16 @@ avahidir = $(pythondir)/avahi
if HAVE_GDBM
nodist_avahi_SCRIPTS = ServiceTypeDatabase.py
-
-ServiceTypeDatabase.py: ServiceTypeDatabase.py.in
- $(AM_V_GEN)sed -e 's,@PYTHON\@,$(PYTHON),g' \
- -e 's,@DBM\@,gdbm,g' \
- -e 's,@FIRST_KEY\@,key = self.db.firstkey(),g' \
- -e 's,@CHECK_KEY\@,while key is not None:,g' \
- -e 's,@NEXT_KEY\@,key = self.db.nextkey(key),g' \
- -e 's,@pkglibdatadir\@,$(pkglibdatadir),g' $< > $@ && \
- chmod +x $@
endif
if HAVE_DBM
nodist_avahi_SCRIPTS = ServiceTypeDatabase.py
+endif
ServiceTypeDatabase.py: ServiceTypeDatabase.py.in
$(AM_V_GEN)sed -e 's,@PYTHON\@,$(PYTHON),g' \
- -e 's,@DBM\@,dbm,g' \
- -e 's,@FIRST_KEY\@,keys = self.db.keys(),g' \
- -e 's,@CHECK_KEY\@,for key in keys:,g' \
- -e 's,@NEXT_KEY\@,,g' \
-e 's,@pkglibdatadir\@,$(pkglibdatadir),g' $< > $@ && \
chmod +x $@
-endif
avahi_PYTHON = $(avahi_SCRIPTS)
diff --git a/avahi-python/avahi/ServiceTypeDatabase.py.in b/avahi-python/avahi/ServiceTypeDatabase.py.in
index 4ddd654..d7f9969 100644
--- a/avahi-python/avahi/ServiceTypeDatabase.py.in
+++ b/avahi-python/avahi/ServiceTypeDatabase.py.in
@@ -17,7 +17,11 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA.
-import @DBM@
+try:
+ import anydbm as dbm
+except ImportError:
+ import dbm
+
import locale
import re
@@ -28,7 +32,7 @@ class ServiceTypeDatabase:
def __init__(self, filename = "@pkglibdatadir@/service-types.db"):
- self.db = @DBM@.open(filename, "r")
+ self.db = dbm.open(filename, "r")
l = locale.getlocale(locale.LC_MESSAGES)
@@ -90,13 +94,24 @@ class ServiceTypeDatabase:
def __iter__(self):
- @FIRST_KEY@
- @CHECK_KEY@
-
- if re.search('_[a-zA-Z0-9-]+\._[a-zA-Z0-9-]+', key) and not re.search('_[a-zA-Z0-9-]+\._[a-zA-Z0-9-]+\[.*\]', key):
- yield key
-
- @NEXT_KEY@
+ def want_key(key):
+ if not re.search('_[a-zA-Z0-9-]+\._[a-zA-Z0-9-]+', key):
+ return False
+ if re.search('_[a-zA-Z0-9-]+\._[a-zA-Z0-9-]+\[.*\]', key):
+ return False
+ return True
+
+ try:
+ key = self.db.firstkey()
+ except AttributeError:
+ for key in self.db.keys():
+ if want_key(key):
+ yield key
+ else:
+ while key is not None:
+ if want_key(key):
+ yield key
+ key = self.db.nextkey(key)
def __len__(self):
diff --git a/configure.ac b/configure.ac
index 6678971..fbbf7cf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -824,11 +824,10 @@ if test "x$HAVE_PYTHON" = "xyes" ; then
fi
AM_CHECK_PYMOD(socket,,,[AC_MSG_ERROR(Could not find Python module socket)])
- if test "x$HAVE_GDBM" = "xyes"; then
- AM_CHECK_PYMOD(gdbm,,,[AC_MSG_ERROR(Could not find Python module gdbm)])
- fi
- if test "x$HAVE_DBM" = "xyes"; then
- AM_CHECK_PYMOD(dbm,,,[AC_MSG_ERROR(Could not find Python module dbm)])
+ if test "x$HAVE_GDBM" = "xyes" || test "x$HAVE_DBM" = "xyes"; then
+ AM_CHECK_PYMOD(anydbm,,,[
+ AM_CHECK_PYMOD(dbm,,,[AC_MSG_ERROR(Could not find Python module dbm)])
+ ])
fi
fi
fi
diff --git a/service-type-database/Makefile.am b/service-type-database/Makefile.am
index d184fde..f9fa082 100644
--- a/service-type-database/Makefile.am
+++ b/service-type-database/Makefile.am
@@ -15,7 +15,7 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA.
-EXTRA_DIST=build-db.in service-types
+EXTRA_DIST=service-types
pkglibdatadir=$(libdir)/avahi
@@ -27,16 +27,11 @@ if HAVE_GDBM
noinst_SCRIPTS=build-db
pkglibdata_DATA+=service-types.db
-build-db: build-db.in
- $(AM_V_GEN)sed -e 's,@PYTHON\@,$(PYTHON),g' \
- -e 's,@DBM\@,gdbm,g' $< > $@ && \
- chmod +x $@
-
-service-types.db: service-types build-db
+service-types.db: service-types
$(AM_V_GEN)$(PYTHON) build-db $< $@.coming && \
mv $@.coming $@
-CLEANFILES = service-types.db build-db
+CLEANFILES = service-types.db
endif
if HAVE_DBM
@@ -44,11 +39,6 @@ if HAVE_DBM
noinst_SCRIPTS=build-db
pkglibdata_DATA+=service-types.db.pag service-types.db.dir
-build-db: build-db.in
- $(AM_V_GEN)sed -e 's,@PYTHON\@,$(PYTHON),g' \
- -e 's,@DBM\@,dbm,g' $< > $@ && \
- chmod +x $@
-
service-types.db.pag: service-types.db
$(AM_V_GEN)mv service-types.db.coming.pag service-types.db.pag
service-types.db.dir: service-types.db
@@ -57,7 +47,7 @@ service-types.db: service-types build-db
$(AM_V_GEN)$(PYTHON) build-db $< $@.coming && \
if test -f "$@.coming"; then mv $@.coming $@; fi
-CLEANFILES = service-types.db* build-db
+CLEANFILES = service-types.db*
endif
endif
diff --git a/service-type-database/build-db.in b/service-type-database/build-db
similarity index 87%
rename from service-type-database/build-db.in
rename to service-type-database/build-db
index 4cda425..78ee892 100755
--- a/service-type-database/build-db.in
+++ b/service-type-database/build-db
@@ -1,4 +1,4 @@
-#!@PYTHON@
+#!/usr/bin/env python
# -*-python-*-
# This file is part of avahi.
#
@@ -17,7 +17,12 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA.
-import @DBM@, sys
+try:
+ import anydbm as dbm
+except ImportError:
+ import dbm
+
+import sys
if len(sys.argv) > 1:
infn = sys.argv[1]
@@ -29,9 +34,9 @@ if len(sys.argv) > 2:
else:
outfn = infn + ".db"
-db = @DBM@.open(outfn, "n")
+db = dbm.open(outfn, "n")
-for ln in file(infn, "r"):
+for ln in open(infn, "r"):
ln = ln.strip(" \r\n\t")
if ln == "" or ln.startswith("#"):
--
2.14.3

107
SOURCES/0001-common-derive-alternative-host-name-from-its-unescap.patch
Unescape View File

@ -0,0 +1,107 @@
From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 11 Oct 2023 17:45:44 +0200
Subject: [PATCH] common: derive alternative host name from its unescaped
version
Normalization of input makes sure we don't have to deal with special
cases like unescaped dot at the end of label.
Fixes #451 #487
CVE-2023-38473
---
avahi-common/alternative-test.c | 3 +++
avahi-common/alternative.c | 27 +++++++++++++++++++--------
2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
index 9255435..681fc15 100644
--- a/avahi-common/alternative-test.c
+++ b/avahi-common/alternative-test.c
@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
const char* const test_strings[] = {
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
+ ").",
+ "\\.",
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
"gurke",
"-",
" #",
diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
index b3d39f0..a094e6d 100644
--- a/avahi-common/alternative.c
+++ b/avahi-common/alternative.c
@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
}
char *avahi_alternative_host_name(const char *s) {
+ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
+ char *alt, *r, *ret;
const char *e;
- char *r;
+ size_t len;
assert(s);
if (!avahi_is_valid_host_name(s))
return NULL;
- if ((e = strrchr(s, '-'))) {
+ if (!avahi_unescape_label(&s, label, sizeof(label)))
+ return NULL;
+
+ if ((e = strrchr(label, '-'))) {
const char *p;
e++;
@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
if (e) {
char *c, *m;
- size_t l;
int n;
n = atoi(e)+1;
if (!(m = avahi_strdup_printf("%i", n)))
return NULL;
- l = e-s-1;
+ len = e-label-1;
- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
+ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
- if (!(c = avahi_strndup(s, l))) {
+ if (!(c = avahi_strndup(label, len))) {
avahi_free(m);
return NULL;
}
@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
} else {
char *c;
- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
+ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
return NULL;
drop_incomplete_utf8(c);
@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
avahi_free(c);
}
+ alt = alternative;
+ len = sizeof(alternative);
+ ret = avahi_escape_label(r, strlen(r), &alt, &len);
+
+ avahi_free(r);
+ r = avahi_strdup(ret);
+
assert(avahi_is_valid_host_name(r));
return r;
--
2.41.0

52
SOURCES/0001-core-copy-resource-records-with-zero-length-rdata-pr.patch
Unescape View File

@ -0,0 +1,52 @@
From 160e8fb6ca1b33387f30f7a6aa9159015ffda9d0 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Sun, 22 Oct 2023 10:31:31 +0000
Subject: [PATCH] core: copy resource records with zero-length rdata properly
It fixes the crash spotted
https://github.com/lathiat/avahi/pull/490#issuecomment-1773019619.
The fuzz target was updated to exercise those code paths (among other
things). Without this commit it crashes with
```
fuzz-consume-record: malloc.c:250: void *avahi_memdup(const void *, size_t): Assertion `s' failed.
==72869== ERROR: libFuzzer: deadly signal
#0 0x5031b5 in __sanitizer_print_stack_trace (avahi/out/fuzz-consume-record+0x5031b5) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
#1 0x45cd6c in fuzzer::PrintStackTrace() (avahi/out/fuzz-consume-record+0x45cd6c) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
#2 0x441c47 in fuzzer::Fuzzer::CrashCallback() (out/fuzz-consume-record+0x441c47) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
#3 0x7f189e97ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#4 0x7f189e9cf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#5 0x7f189e97eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#6 0x7f189e96787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#7 0x7f189e96779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#8 0x7f189e977186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
#9 0x557bfc in avahi_memdup avahi/avahi-common/malloc.c:250:5
#10 0x54895c in avahi_record_copy avahi/avahi-core/rr.c:469:45
```
---
avahi-core/rr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/avahi-core/rr.c b/avahi-core/rr.c
index 7fa0bee..2bb8924 100644
--- a/avahi-core/rr.c
+++ b/avahi-core/rr.c
@@ -426,6 +426,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) {
copy->ref = 1;
copy->key = avahi_key_ref(r->key);
copy->ttl = r->ttl;
+ memset(&copy->data, 0, sizeof(copy->data));
switch (r->key->type) {
case AVAHI_DNS_TYPE_PTR:
@@ -466,7 +467,7 @@ AvahiRecord *avahi_record_copy(AvahiRecord *r) {
break;
default:
- if (!(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size)))
+ if (r->data.generic.size && !(copy->data.generic.data = avahi_memdup(r->data.generic.data, r->data.generic.size)))
goto fail;
copy->data.generic.size = r->data.generic.size;
break;
--
2.41.0

71
SOURCES/0001-core-extract-host-name-using-avahi_unescape_label.patch
Unescape View File

@ -0,0 +1,71 @@
From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 23 Oct 2023 13:38:35 +0200
Subject: [PATCH] core: extract host name using avahi_unescape_label()
Previously we could create invalid escape sequence when we split the
string on dot. For example, from valid host name "foo\\.bar" we have
created invalid name "foo\\" and tried to set that as the host name
which crashed the daemon.
Fixes #453
CVE-2023-38471
---
avahi-core/server.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/avahi-core/server.c b/avahi-core/server.c
index c32637a..f6a21bb 100644
--- a/avahi-core/server.c
+++ b/avahi-core/server.c
@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
}
int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
- char *hn = NULL;
+ char label_escaped[AVAHI_LABEL_MAX*4+1];
+ char label[AVAHI_LABEL_MAX];
+ char *hn = NULL, *h;
+ size_t len;
+
assert(s);
AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
else
hn = avahi_normalize_name_strdup(host_name);
- hn[strcspn(hn, ".")] = 0;
+ h = hn;
+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+ avahi_free(h);
+ return AVAHI_ERR_INVALID_HOST_NAME;
+ }
+
+ avahi_free(h);
+
+ h = label_escaped;
+ len = sizeof(label_escaped);
+ if (!avahi_escape_label(label, strlen(label), &h, &len))
+ return AVAHI_ERR_INVALID_HOST_NAME;
- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
- avahi_free(hn);
+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
- }
withdraw_host_rrs(s);
avahi_free(s->host_name);
- s->host_name = hn;
+ s->host_name = avahi_strdup(label_escaped);
+ if (!s->host_name)
+ return AVAHI_ERR_NO_MEMORY;
update_fqdn(s);
--
2.41.0

43
SOURCES/0001-core-make-sure-there-is-rdata-to-process-before-pars.patch
Unescape View File

@ -0,0 +1,43 @@
From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 19 Oct 2023 17:36:44 +0200
Subject: [PATCH] core: make sure there is rdata to process before parsing it
Fixes #452
CVE-2023-38472
---
avahi-client/client-test.c | 3 +++
avahi-daemon/dbus-entry-group.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
index b3366d8..ba97998 100644
--- a/avahi-client/client-test.c
+++ b/avahi-client/client-test.c
@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
+ assert(error != AVAHI_OK);
+
avahi_entry_group_commit (group);
domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
index 4e879a5..aa23d4b 100644
--- a/avahi-daemon/dbus-entry-group.c
+++ b/avahi-daemon/dbus-entry-group.c
@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
- if (avahi_rdata_parse (r, rdata, size) < 0) {
+ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
avahi_record_unref (r);
return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
}
--
2.41.0

46
SOURCES/0001-core-reject-overly-long-TXT-resource-records.patch
Unescape View File

@ -0,0 +1,46 @@
From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Mon, 23 Oct 2023 20:29:31 +0000
Subject: [PATCH] core: reject overly long TXT resource records
Closes https://github.com/lathiat/avahi/issues/455
CVE-2023-38469
---
avahi-core/rr.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/avahi-core/rr.c b/avahi-core/rr.c
index 2bb8924..9c04ebb 100644
--- a/avahi-core/rr.c
+++ b/avahi-core/rr.c
@@ -32,6 +32,7 @@
#include <avahi-common/malloc.h>
#include <avahi-common/defs.h>
+#include "dns.h"
#include "rr.h"
#include "log.h"
#include "util.h"
@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
case AVAHI_DNS_TYPE_TXT: {
AvahiStringList *strlst;
+ size_t used = 0;
- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
+ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
if (strlst->size > 255 || strlst->size <= 0)
return 0;
+ used += 1+strlst->size;
+ if (used > AVAHI_DNS_RDATA_MAX)
+ return 0;
+ }
+
return 1;
}
}
--
2.41.0

50
SOURCES/0001-core-return-errors-from-avahi_server_set_host_name-p.patch
Unescape View File

@ -0,0 +1,50 @@
From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Tue, 24 Oct 2023 22:04:51 +0000
Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
---
avahi-core/server.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/avahi-core/server.c b/avahi-core/server.c
index f6a21bb..84df6b5 100644
--- a/avahi-core/server.c
+++ b/avahi-core/server.c
@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
else
hn = avahi_normalize_name_strdup(host_name);
+ if (!hn)
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+
h = hn;
if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
avahi_free(h);
- return AVAHI_ERR_INVALID_HOST_NAME;
+ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
}
avahi_free(h);
@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
h = label_escaped;
len = sizeof(label_escaped);
if (!avahi_escape_label(label, strlen(label), &h, &len))
- return AVAHI_ERR_INVALID_HOST_NAME;
+ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
avahi_free(s->host_name);
s->host_name = avahi_strdup(label_escaped);
if (!s->host_name)
- return AVAHI_ERR_NO_MEMORY;
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
update_fqdn(s);
--
2.41.0

100
SOURCES/0002-avahi-python-Encode-unicode-strings-as-UTF-8.patch
Unescape View File

@ -0,0 +1,100 @@
From 3303a8a621467dd7be67cec211fe417e9c81946f Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Fri, 27 Apr 2018 11:09:07 +0100
Subject: [PATCH] avahi-python: Encode unicode strings as UTF-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously, we would effectively encode anything representable in
Latin-1 as Latin-1, and crash on anything not representable in Latin-1:
>>> import avahi
>>> avahi.string_to_byte_array(u'©')
[dbus.Byte(169)]
>>> avahi.string_to_byte_array(u'\ufeff')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.7/dist-packages/avahi/__init__.py", line 94, in string_to_byte_array
r.append(dbus.Byte(ord(c)))
ValueError: Integer outside range 0-255
This is particularly important for Python 3, where the str type
is a Unicode string.
The b'' syntax for bytestrings is supported since at least Python 2.7.
These functions now accept either Unicode strings (Python 2 unicode,
Python 3 str), which are encoded in UTF-8, or bytestrings
(Python 2 str, Python 3 bytes) which are taken as-is.
Signed-off-by: Simon McVittie <smcv@debian.org>
(cherry picked from commit 169e85dbc13dcaae8a699618883e512614f540b7)
Related: #1561019
---
avahi-python/avahi/__init__.py | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/avahi-python/avahi/__init__.py b/avahi-python/avahi/__init__.py
index 7b45029..02305b0 100644
--- a/avahi-python/avahi/__init__.py
+++ b/avahi-python/avahi/__init__.py
@@ -17,6 +17,8 @@
# Some definitions matching those in avahi-common/defs.h
+import sys
+
import dbus
SERVER_INVALID, SERVER_REGISTERING, SERVER_RUNNING, SERVER_COLLISION, SERVER_FAILURE = range(0, 5)
@@ -66,6 +68,9 @@ DBUS_INTERFACE_HOST_NAME_RESOLVER = DBUS_NAME + ".HostNameResolver"
DBUS_INTERFACE_SERVICE_RESOLVER = DBUS_NAME + ".ServiceResolver"
DBUS_INTERFACE_RECORD_BROWSER = DBUS_NAME + ".RecordBrowser"
+if sys.version_info[0] >= 3:
+ unicode = str
+
def byte_array_to_string(s):
r = ""
@@ -86,12 +91,19 @@ def txt_array_to_string_array(t):
return l
-
def string_to_byte_array(s):
+ if isinstance(s, unicode):
+ s = s.encode('utf-8')
+
r = []
for c in s:
- r.append(dbus.Byte(ord(c)))
+ if isinstance(c, int):
+ # Python 3: iterating over bytes yields ints
+ r.append(dbus.Byte(c))
+ else:
+ # Python 2: iterating over str yields str
+ r.append(dbus.Byte(ord(c)))
return r
@@ -107,6 +119,12 @@ def dict_to_txt_array(txt_dict):
l = []
for k,v in txt_dict.items():
- l.append(string_to_byte_array("%s=%s" % (k,v)))
+ if isinstance(k, unicode):
+ k = k.encode('utf-8')
+
+ if isinstance(v, unicode):
+ v = v.encode('utf-8')
+
+ l.append(string_to_byte_array(b"%s=%s" % (k,v)))
return l
--
2.14.3

80
SOURCES/0003-Remove-empty-avahi_discover-Python-module.patch
Unescape View File

@ -0,0 +1,80 @@
From ffb19d8f3c7f1fe4f31f79f8601dd3079730401b Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Fri, 27 Apr 2018 09:01:13 +0100
Subject: [PATCH] Remove empty avahi_discover Python module
The avahi-discover tool no longer has any code outside its main
executable, so it does not need to install library modules. Its only
library code was avahi_discover.SimpleGladeApp, which was removed
in 2009.
Signed-off-by: Simon McVittie <smcv@debian.org>
---
avahi-python/avahi-discover/Makefile.am | 6 ------
avahi-python/avahi-discover/__init__.py | 18 ------------------
2 files changed, 24 deletions(-)
delete mode 100755 avahi-python/avahi-discover/__init__.py
diff --git a/avahi-python/avahi-discover/Makefile.am b/avahi-python/avahi-discover/Makefile.am
index 5fc4b25..bb4d717 100644
--- a/avahi-python/avahi-discover/Makefile.am
+++ b/avahi-python/avahi-discover/Makefile.am
@@ -18,7 +18,6 @@
AM_CFLAGS=-I$(top_srcdir)
EXTRA_DIST = \
- __init__.py \
avahi-discover.py \
avahi-discover.desktop.in.in
@@ -31,15 +30,11 @@ pythonscripts =
desktopdir = $(datadir)/applications
desktop_DATA =
-avahi_discoverdir = $(pythondir)/avahi_discover
-avahi_discover_PYTHON =
-
if HAVE_GDBM
pythonscripts += \
avahi-discover
desktop_DATA += avahi-discover.desktop
@INTLTOOL_DESKTOP_RULE@
-avahi_discover_PYTHON += __init__.py
endif
if HAVE_DBM
@@ -47,7 +42,6 @@ pythonscripts += \
avahi-discover
desktop_DATA += avahi-discover.desktop
@INTLTOOL_DESKTOP_RULE@
-avahi_discover_PYTHON += __init__.py
endif
avahi-discover.desktop.in: avahi-discover.desktop.in.in
diff --git a/avahi-python/avahi-discover/__init__.py b/avahi-python/avahi-discover/__init__.py
deleted file mode 100755
index 6f3ec7f..0000000
--- a/avahi-python/avahi-discover/__init__.py
+++ /dev/null
@@ -1,18 +0,0 @@
-#!@PYTHON@
-# -*-python-*-
-# This file is part of avahi.
-#
-# avahi is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as
-# published by the Free Software Foundation; either version 2 of the
-# License, or (at your option) any later version.
-#
-# avahi is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
-# License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with avahi; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
-# USA.
--
2.14.3

25
SOURCES/0004-avahi-client-fix-resource-leak.patch
Unescape View File

@ -0,0 +1,25 @@
From 374245ec1418e7e1e57120fcaf0a12ec695f5f6d Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 24 Oct 2018 15:22:19 +0000
Subject: [PATCH] avahi-client: fix resource leak
---
avahi-client/browser.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/avahi-client/browser.c b/avahi-client/browser.c
index c978d94..fa4a9a8 100644
--- a/avahi-client/browser.c
+++ b/avahi-client/browser.c
@@ -72,6 +72,8 @@ static void parse_domain_file(AvahiDomainBrowser *b) {
if (avahi_normalize_name(buf, domain, sizeof(domain)))
b->static_browse_domains = avahi_string_list_add(b->static_browse_domains, domain);
}
+
+ fclose(f);
}
static void domain_browser_ref(AvahiDomainBrowser *db) {
--
2.17.2

27
SOURCES/0005-chroot-fix-bogus-assignments-in-assertions.patch
Unescape View File

@ -0,0 +1,27 @@
From 4b48927e8e2c721d103018b4ce39a164b6c2898f Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 24 Oct 2018 15:38:48 +0000
Subject: [PATCH] chroot: fix bogus assignments in assertions
---
avahi-daemon/chroot.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/avahi-daemon/chroot.c b/avahi-daemon/chroot.c
index ccd56be..871b3b3 100644
--- a/avahi-daemon/chroot.c
+++ b/avahi-daemon/chroot.c
@@ -188,8 +188,8 @@ static int recv_fd(int fd) {
return -1;
}
- assert(h->cmsg_len = CMSG_LEN(sizeof(int)));
- assert(h->cmsg_level = SOL_SOCKET);
+ assert(h->cmsg_len == CMSG_LEN(sizeof(int)));
+ assert(h->cmsg_level == SOL_SOCKET);
assert(h->cmsg_type == SCM_RIGHTS);
return *((int*)CMSG_DATA(h));
--
2.17.2

50
SOURCES/avahi-0.6.30-mono-libdir.patch
Unescape View File

@ -0,0 +1,50 @@
diff -uNr avahi-0.6.30.old/avahi-sharp/Makefile.am avahi-0.6.30/avahi-sharp/Makefile.am
--- avahi-0.6.30.old/avahi-sharp/Makefile.am 2010-06-29 05:30:35.000000000 +0200
+++ avahi-0.6.30/avahi-sharp/Makefile.am 2011-11-27 17:03:04.933192204 +0100
@@ -73,10 +73,10 @@
endif
install-data-hook: $(ASSEMBLY)
- $(AM_V_GEN)MONO_SHARED_DIR=. $(GACUTIL) /i $(ASSEMBLY) /package avahi-sharp /gacdir $(libdir) /root $(DESTDIR)$(libdir)
+ $(AM_V_GEN)MONO_SHARED_DIR=. $(GACUTIL) /i $(ASSEMBLY) /package avahi-sharp /gacdir $(prefix)/lib /root $(DESTDIR)$(prefix)/lib
uninstall-hook: $(ASSEMBLY)
- $(AM_V_GEN)MONO_SHARED_DIR=. $(GACUTIL) /u avahi-sharp /package avahi-sharp /gacdir $(libdir) /root $(DESTDIR)$(libdir)
+ $(AM_V_GEN)MONO_SHARED_DIR=. $(GACUTIL) /u avahi-sharp /package avahi-sharp /gacdir $(prefix)/lib /root $(DESTDIR)$(prefix)/lib
endif
endif
diff -uNr avahi-0.6.30.old/avahi-sharp.pc.in avahi-0.6.30/avahi-sharp.pc.in
--- avahi-0.6.30.old/avahi-sharp.pc.in 2010-06-25 02:54:22.000000000 +0200
+++ avahi-0.6.30/avahi-sharp.pc.in 2011-11-27 17:00:05.482192846 +0100
@@ -5,4 +5,4 @@
Name: avahi-sharp
Description: Mono bindings for the Avahi mDNS/DNS-SD stack
Version: @PACKAGE_VERSION@
-Libs: -r:${libdir}/mono/avahi-sharp/avahi-sharp.dll
+Libs: -r:${prefix}/lib/mono/avahi-sharp/avahi-sharp.dll
diff -uNr avahi-0.6.30.old/avahi-ui-sharp/Makefile.am avahi-0.6.30/avahi-ui-sharp/Makefile.am
--- avahi-0.6.30.old/avahi-ui-sharp/Makefile.am 2010-06-29 05:30:35.000000000 +0200
+++ avahi-0.6.30/avahi-ui-sharp/Makefile.am 2011-11-27 17:04:59.812193067 +0100
@@ -60,10 +60,10 @@
endif
install-data-hook: $(ASSEMBLY)
- $(GACUTIL) /i $(ASSEMBLY) /package avahi-ui-sharp /gacdir $(libdir) /root $(DESTDIR)$(libdir)
+ $(GACUTIL) /i $(ASSEMBLY) /package avahi-ui-sharp /gacdir $(prefix)/lib /root $(DESTDIR)$(prefix)/lib
uninstall-hook: $(ASSEMBLY)
- $(GACUTIL) /u avahi-ui-sharp /package avahi-ui-sharp /gacdir $(libdir) /root $(DESTDIR)$(libdir)
+ $(GACUTIL) /u avahi-ui-sharp /package avahi-ui-sharp /gacdir $(prefix)/lib /root $(DESTDIR)$(prefix)/lib
endif
endif
diff -uNr avahi-0.6.30.old/avahi-ui-sharp.pc.in avahi-0.6.30/avahi-ui-sharp.pc.in
--- avahi-0.6.30.old/avahi-ui-sharp.pc.in 2010-06-25 02:54:22.000000000 +0200
+++ avahi-0.6.30/avahi-ui-sharp.pc.in 2011-11-27 17:04:05.077192737 +0100
@@ -6,4 +6,4 @@
Description: Mono bindings for the Avahi mDNS/DNS-SD stack
Version: @PACKAGE_VERSION@
Requires: gtk-sharp-2.0
-Libs: -r:${libdir}/mono/avahi-ui-sharp/avahi-ui-sharp.dll
+Libs: -r:${prefix}/lib/mono/avahi-ui-sharp/avahi-ui-sharp.dll

1338
SPECS/avahi.spec
View File

File diff suppressed because it is too large Load Diff
Write Preview
Loading…
Cancel
Save