packages/avahi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:3de26bcbd638ceffd6c592c782de32b97a232737
Branches Tags
packages:main
..
compare: packages:a18440ff52343f60f8caa7026179806ff53becda
Branches Tags
packages:main

No commits in common. "3de26bcbd638ceffd6c592c782de32b97a232737" and "a18440ff52343f60f8caa7026179806ff53becda" have entirely different histories.
3de26bcbd6 ... a18440ff52

6 changed files with 5 additions and 436 deletions
Show Stats Expand all files Collapse all files

56
avahi.spec
View File

@ -3,7 +3,7 @@
Name: avahi Name: avahi
Version: 0.8 Version: 0.8
Release: 20 Release: 15
Summary: Avahi is a local network service discovery Summary: Avahi is a local network service discovery
License: LGPLv2+ License: LGPLv2+
URL: http://avahi.org URL: http://avahi.org
@ -20,21 +20,12 @@ Patch5: 0005-avahi_dns_packet_consume_uint32-fix-potential-undefi.patc
Patch6001: backport-CVE-2021-3468.patch Patch6001: backport-CVE-2021-3468.patch
Patch6002: backport-CVE-2021-36217.patch Patch6002: backport-CVE-2021-36217.patch
Patch6003: backport-CVE-2023-1981.patch Patch6003: backport-CVE-2023-1981.patch
Patch6004: backport-CVE-2023-38470.patch
Patch6005: backport-CVE-2023-38473.patch
Patch6006: backport-CVE-2023-38472.patch
Patch6007: backport-CVE-2023-38471.patch
Patch6008: backport-CVE-2023-38469.patch
BuildRequires: gcc automake libtool desktop-file-utils gtk2-devel glib2-devel gcc-c++ BuildRequires: gcc automake libtool desktop-file-utils gtk2-devel glib2-devel gcc-c++
BuildRequires: libcap-devel expat-devel gdbm-devel make BuildRequires: libcap-devel expat-devel gdbm-devel make
BuildRequires: intltool perl-XML-Parser systemd libevent-devel BuildRequires: intltool perl-XML-Parser xmltoman systemd libevent-devel
BuildRequires: dbus-devel >= 0.90 dbus-glib-devel >= 0.70 libdaemon-devel >= 0.11 BuildRequires: dbus-devel >= 0.90 dbus-glib-devel >= 0.70 gtk3-devel >= 2.99.0 libdaemon-devel >= 0.11
BuildRequires: pkgconfig(libevent) >= 2.0.21 BuildRequires: pkgconfig(pygobject-3.0) pkgconfig(libevent) >= 2.0.21
%if 0%{?build_cross} == 0
BuildRequires: pkgconfig(pygobject-3.0) xmltoman gtk3-devel >= 2.99.0
%endif
%if %{WITH_QT5} %if %{WITH_QT5}
BuildRequires: qt5-qtbase-devel BuildRequires: qt5-qtbase-devel
%endif %endif
@ -83,7 +74,6 @@ Requires: python2-gobject-base
%description ui-tools %description ui-tools
Avahi Graphical user interface tools for mDNS services. Avahi Graphical user interface tools for mDNS services.
%if 0%{?build_cross} == 0
%package ui %package ui
Summary: Gtk uesr interface library for Avahi (Gtk2) Summary: Gtk uesr interface library for Avahi (Gtk2)
Requires: %{name}-libs = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release}
@ -92,7 +82,6 @@ Requires: gtk2
%description ui %description ui
This package contains a Gtk 2.x widget for browsing services. This package contains a Gtk 2.x widget for browsing services.
%endif
%package autoipd %package autoipd
Summary: Link-local IPv4 address automatic configuration daemon (IPv4LL) Summary: Link-local IPv4 address automatic configuration daemon (IPv4LL)
@ -211,7 +200,6 @@ Requires: %{name}-gobject%{?_isa} = %{version}-%{release}
The avahi-gobject-devel package contains the header files and libraries The avahi-gobject-devel package contains the header files and libraries
necessary for developing programs using avahi-gobject. necessary for developing programs using avahi-gobject.
%if 0%{?build_cross} == 0
%package ui-gtk3 %package ui-gtk3
Summary: Gtk user interface library for Avahi (Gtk+ 3 version) Summary: Gtk user interface library for Avahi (Gtk+ 3 version)
Requires: %{name}-libs = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release}
@ -230,7 +218,6 @@ Requires: %{name}-ui-gtk3%{?_isa} = %{version}-%{release}
%description ui-devel %description ui-devel
The avahi-ui-devel package contains the header files and libraries The avahi-ui-devel package contains the header files and libraries
necessary for developing programs using avahi-ui. necessary for developing programs using avahi-ui.
%endif
%package libs %package libs
Summary: Libraries for avahi run-time use Summary: Libraries for avahi run-time use
@ -274,11 +261,7 @@ NOCONFIGURE=1 ./autogen.sh
--with-systemdsystemunitdir=%{_unitdir} --enable-introspection=no \ --with-systemdsystemunitdir=%{_unitdir} --enable-introspection=no \
--enable-shared=yes --enable-static=no --disable-silent-rules \ --enable-shared=yes --enable-static=no --disable-silent-rules \
--enable-compat-libdns_sd --enable-compat-howl --disable-qt3 \ --enable-compat-libdns_sd --enable-compat-howl --disable-qt3 \
%if 0%{?build_cross} == 0
--disable-qt4 --disable-mono --enable-gtk\ --disable-qt4 --disable-mono --enable-gtk\
%else
--disable-qt4 --disable-mono --disable-gtk --disable-gtk3\
%endif
--with-distro=none\ --with-distro=none\
%if ! %{WITH_PYTHON} %if ! %{WITH_PYTHON}
--disable-python \ --disable-python \
@ -371,10 +354,6 @@ if [ "$1" -eq 1 -a -s /etc/localtime ]; then
fi fi
%systemd_post avahi-daemon.socket avahi-daemon.service %systemd_post avahi-daemon.socket avahi-daemon.service
if [ $1 -eq 1 ]; then
systemctl disable avahi-daemon.service
fi
%postun %postun
/sbin/ldconfig /sbin/ldconfig
%systemd_postun_with_restart avahi-daemon.socket avahi-daemon.service %systemd_postun_with_restart avahi-daemon.socket avahi-daemon.service
@ -396,11 +375,9 @@ fi
%postun compat-libdns_sd -p /sbin/ldconfig %postun compat-libdns_sd -p /sbin/ldconfig
%if 0%{?build_cross} == 0
%post ui -p /sbin/ldconfig %post ui -p /sbin/ldconfig
%postun ui -p /sbin/ldconfig %postun ui -p /sbin/ldconfig
%endif
%post libs -p /sbin/ldconfig %post libs -p /sbin/ldconfig
@ -410,11 +387,9 @@ fi
%postun glib -p /sbin/ldconfig %postun glib -p /sbin/ldconfig
%if 0%{?build_cross} == 0
%post ui-gtk3 -p /sbin/ldconfig %post ui-gtk3 -p /sbin/ldconfig
%postun ui-gtk3 -p /sbin/ldconfig %postun ui-gtk3 -p /sbin/ldconfig
%endif
%post gobject -p /sbin/ldconfig %post gobject -p /sbin/ldconfig
@ -484,7 +459,6 @@ fi
%{_includedir}/avahi-gobject %{_includedir}/avahi-gobject
%{_libdir}/pkgconfig/avahi-gobject.pc %{_libdir}/pkgconfig/avahi-gobject.pc
%if 0%{?build_cross} == 0
%files ui-gtk3 %files ui-gtk3
%{_libdir}/libavahi-ui-gtk3.so.* %{_libdir}/libavahi-ui-gtk3.so.*
@ -494,7 +468,6 @@ fi
%{_includedir}/avahi-ui %{_includedir}/avahi-ui
%{_libdir}/pkgconfig/avahi-ui.pc %{_libdir}/pkgconfig/avahi-ui.pc
%{_libdir}/pkgconfig/avahi-ui-gtk3.pc %{_libdir}/pkgconfig/avahi-ui-gtk3.pc
%endif
%files devel %files devel
%{_libdir}/libavahi-common.so %{_libdir}/libavahi-common.so
@ -505,9 +478,7 @@ fi
%{_libdir}/pkgconfig/avahi-client.pc %{_libdir}/pkgconfig/avahi-client.pc
%{_libdir}/pkgconfig/avahi-libevent.pc %{_libdir}/pkgconfig/avahi-libevent.pc
%{_includedir}/* %{_includedir}/*
%if 0%{?build_cross} == 0
%exclude %{_includedir}/avahi-ui %exclude %{_includedir}/avahi-ui
%endif
%exclude %{_includedir}/avahi-compat-howl %exclude %{_includedir}/avahi-compat-howl
%exclude %{_includedir}/avahi-compat-libdns_sd %exclude %{_includedir}/avahi-compat-libdns_sd
%exclude %{_includedir}/dns_sd.h %exclude %{_includedir}/dns_sd.h
@ -543,10 +514,8 @@ fi
%{python2_sitelib}/avahi_discover/ %{python2_sitelib}/avahi_discover/
%endif %endif
%if 0%{?build_cross} == 0
%files ui %files ui
%{_libdir}/libavahi-ui.so.* %{_libdir}/libavahi-ui.so.*
%endif
%files compat-howl %files compat-howl
%{_libdir}/libhowl.so.* %{_libdir}/libhowl.so.*
@ -588,24 +557,9 @@ fi
%{_mandir}/man8/* %{_mandir}/man8/*
%changelog %changelog
* Mon Jun 24 2024 zhangpan <zhangpan103@h-partners.com> - 0.8-20 * Wed Apr 12 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 0.8-15
- disable avahi-daemon.service default
* Sun Feb 4 2024 zhangpan <zhangpan103@h-partners.com> - 0.8-19
- delete redundant patch
* Mon Nov 6 2023 zhangpan <zhangpan103@h-partners.com> - 0.8-18
- fix CVE-2023-38469 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473
* Mon Oct 16 2023 zhangpan <zhangpan103@h-partners.com> - 0.8-17
- fix CVE-2023-38470
* Wed Apr 12 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 0.8-16
- fix CVE-2023-1981 - fix CVE-2023-1981
* Mon Mar 27 2023 zhangpan <zhangpan103@h-partners.com> - 0.8-15
- add build_cross to avoid install packages and files in self-build
* Tue Dec 20 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 0.8-14 * Tue Dec 20 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 0.8-14
- add BuildRequires make - add BuildRequires make

106
backport-CVE-2023-38469.patch
View File

@ -1,106 +0,0 @@
From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Mon, 23 Oct 2023 20:29:31 +0000
Subject: [PATCH 1/2] core: reject overly long TXT resource records
Closes https://github.com/lathiat/avahi/issues/455
CVE-2023-38469
Reference:https://github.com/lathiat/avahi/commit/61b9874ff91dd20a12483db07df29fe7f35db77f
Conflict:Adaptation Context
---
avahi-core/rr.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/avahi-core/rr.c b/avahi-core/rr.c
index 2bb89244..9c04ebbd 100644
--- a/avahi-core/rr.c
+++ b/avahi-core/rr.c
@@ -32,6 +32,7 @@
#include <avahi-common/malloc.h>
#include <avahi-common/defs.h>
+#include "dns.h"
#include "rr.h"
#include "log.h"
#include "util.h"
@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
case AVAHI_DNS_TYPE_TXT: {
AvahiStringList *strlst;
+ size_t used = 0;
- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
+ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
if (strlst->size > 255 || strlst->size <= 0)
return 0;
+ used += 1+strlst->size;
+ if (used > AVAHI_DNS_RDATA_MAX)
+ return 0;
+ }
+
return 1;
}
}
From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Wed, 25 Oct 2023 18:15:42 +0000
Subject: [PATCH 2/2] tests: pass overly long TXT resource records
to make sure they don't crash avahi any more.
It reproduces https://github.com/lathiat/avahi/issues/455
---
avahi-client/client-test.c | 14 ++++++++++++++
1 files changed, 14 insertions(+)
diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
index ba979988..da0e43ad 100644
--- a/avahi-client/client-test.c
+++ b/avahi-client/client-test.c
@@ -22,6 +22,7 @@
#endif
#include <stdio.h>
+#include <string.h>
#include <assert.h>
#include <avahi-client/client.h>
@@ -33,6 +34,8 @@
#include <avahi-common/malloc.h>
#include <avahi-common/timeval.h>
+#include <avahi-core/dns.h>
+
static const AvahiPoll *poll_api = NULL;
static AvahiSimplePoll *simple_poll = NULL;
@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
uint32_t cookie;
struct timeval tv;
AvahiAddress a;
+ uint8_t rdata[AVAHI_DNS_RDATA_MAX+1];
+ AvahiStringList *txt = NULL;
+ int r;
simple_poll = avahi_simple_poll_new();
poll_api = avahi_simple_poll_get(simple_poll);
@@ -261,6 +267,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
assert(error != AVAHI_OK);
+ memset(rdata, 1, sizeof(rdata));
+ r = avahi_string_list_parse(rdata, sizeof(rdata), &txt);
+ assert(r >= 0);
+ assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata));
+ error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt);
+ assert(error == AVAHI_ERR_INVALID_RECORD);
+ avahi_string_list_free(txt);
+
avahi_entry_group_commit (group);
domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");

56
backport-CVE-2023-38470.patch
View File

@ -1,56 +0,0 @@
From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 11 Apr 2023 15:29:59 +0200
Subject: [PATCH] Ensure each label is at least one byte long
The only allowed exception is single dot, where it should return empty
string.
Fixes #454.
Reference:https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
Conflict:NA
---
avahi-common/domain-test.c | 14 ++++++++++++++
avahi-common/domain.c | 2 +-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
index cf763eca6..3acc1c1e4 100644
--- a/avahi-common/domain-test.c
+++ b/avahi-common/domain-test.c
@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
avahi_free(s);
+ printf("%s\n", s = avahi_normalize_name_strdup("."));
+ avahi_free(s);
+
+ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
+ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
+ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
+ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
+ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
+ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
+ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
+ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
+ "}.?.?.?.}.=.?.?.}");
+ assert(s == NULL);
+
printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
printf("%i\n", avahi_domain_equal("A", "a"));
diff --git a/avahi-common/domain.c b/avahi-common/domain.c
index 3b1ab6834..e66d2416c 100644
--- a/avahi-common/domain.c
+++ b/avahi-common/domain.c
@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) {
}
if (!empty) {
- if (size < 1)
+ if (size < 2)
return NULL;
*(r++) = '.';

71
backport-CVE-2023-38471.patch
View File

@ -1,71 +0,0 @@
From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 23 Oct 2023 13:38:35 +0200
Subject: [PATCH] core: extract host name using avahi_unescape_label()
Previously we could create invalid escape sequence when we split the
string on dot. For example, from valid host name "foo\\.bar" we have
created invalid name "foo\\" and tried to set that as the host name
which crashed the daemon.
Fixes #453
CVE-2023-38471
Reference:https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
Conflict:NA
---
avahi-core/server.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/avahi-core/server.c b/avahi-core/server.c
index c32637af8..f6a21bb77 100644
--- a/avahi-core/server.c
+++ b/avahi-core/server.c
@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
}
int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
- char *hn = NULL;
+ char label_escaped[AVAHI_LABEL_MAX*4+1];
+ char label[AVAHI_LABEL_MAX];
+ char *hn = NULL, *h;
+ size_t len;
+
assert(s);
AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
else
hn = avahi_normalize_name_strdup(host_name);
- hn[strcspn(hn, ".")] = 0;
+ h = hn;
+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+ avahi_free(h);
+ return AVAHI_ERR_INVALID_HOST_NAME;
+ }
+
+ avahi_free(h);
+
+ h = label_escaped;
+ len = sizeof(label_escaped);
+ if (!avahi_escape_label(label, strlen(label), &h, &len))
+ return AVAHI_ERR_INVALID_HOST_NAME;
- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
- avahi_free(hn);
+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
- }
withdraw_host_rrs(s);
avahi_free(s->host_name);
- s->host_name = hn;
+ s->host_name = avahi_strdup(label_escaped);
+ if (!s->host_name)
+ return AVAHI_ERR_NO_MEMORY;
update_fqdn(s);

44
backport-CVE-2023-38472.patch
View File

@ -1,44 +0,0 @@
From d886dc5b1d3d2b76aaa38289245acfdfa979ca6c Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 19 Oct 2023 17:36:44 +0200
Subject: [PATCH] core: make sure there is rdata to process before parsing it
Fixes #452
CVE-2023-38472
Reference:https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40
Conflict:NA
---
avahi-client/client-test.c | 3 +++
avahi-daemon/dbus-entry-group.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
index b3366d848..ba9799881 100644
--- a/avahi-client/client-test.c
+++ b/avahi-client/client-test.c
@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
+ assert(error != AVAHI_OK);
+
avahi_entry_group_commit (group);
domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
index 4e879a5ba..aa23d4b6b 100644
--- a/avahi-daemon/dbus-entry-group.c
+++ b/avahi-daemon/dbus-entry-group.c
@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
- if (avahi_rdata_parse (r, rdata, size) < 0) {
+ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
avahi_record_unref (r);
return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
}

108
backport-CVE-2023-38473.patch
View File

@ -1,108 +0,0 @@
From 5edc17b7913cac824daa09fca9976c9c19e88822 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 11 Oct 2023 17:45:44 +0200
Subject: [PATCH] common: derive alternative host name from its unescaped
version
Normalization of input makes sure we don't have to deal with special
cases like unescaped dot at the end of label.
Fixes #451 #487
CVE-2023-38473
Reference:https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797
Conflict:NA
---
avahi-common/alternative-test.c | 3 +++
avahi-common/alternative.c | 27 +++++++++++++++++++--------
2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
index 9255435ec..681fc15b8 100644
--- a/avahi-common/alternative-test.c
+++ b/avahi-common/alternative-test.c
@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
const char* const test_strings[] = {
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
+ ").",
+ "\\.",
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
"gurke",
"-",
" #",
diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
index b3d39f0ed..a094e6d76 100644
--- a/avahi-common/alternative.c
+++ b/avahi-common/alternative.c
@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
}
char *avahi_alternative_host_name(const char *s) {
+ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
+ char *alt, *r, *ret;
const char *e;
- char *r;
+ size_t len;
assert(s);
if (!avahi_is_valid_host_name(s))
return NULL;
- if ((e = strrchr(s, '-'))) {
+ if (!avahi_unescape_label(&s, label, sizeof(label)))
+ return NULL;
+
+ if ((e = strrchr(label, '-'))) {
const char *p;
e++;
@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
if (e) {
char *c, *m;
- size_t l;
int n;
n = atoi(e)+1;
if (!(m = avahi_strdup_printf("%i", n)))
return NULL;
- l = e-s-1;
+ len = e-label-1;
- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
+ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
- if (!(c = avahi_strndup(s, l))) {
+ if (!(c = avahi_strndup(label, len))) {
avahi_free(m);
return NULL;
}
@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
} else {
char *c;
- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
+ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
return NULL;
drop_incomplete_utf8(c);
@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
avahi_free(c);
}
+ alt = alternative;
+ len = sizeof(alternative);
+ ret = avahi_escape_label(r, strlen(r), &alt, &len);
+
+ avahi_free(r);
+ r = avahi_strdup(ret);
+
assert(avahi_is_valid_host_name(r));
return r;