[Pkg-utopia-maintainers] Bug#614785: Found too in oldstable/lenny?
Alexander Kurtz
kurtz.alex at googlemail.com
Thu Feb 24 14:48:09 UTC 2011
Hi everybody,
On Wednesday, 23.02.2011 at 16:13 +0100, Michael Biebl wrote:
> A fixed package has been uploaded to unstable and stable-security (squeeze).
First the good news: I can confirm that upgrading *all* avahi packages
to 0.6.28-4 fixes the problem (only upgrading avahi-daemon does not!).
On Thursday, 24.02.2011 at 13:27 +0100, Salvatore Bonaccorso wrote:
> I can reproduce this too on lenny, can someone confirm that? Up to
> date lenny system with avahi-daemon 0.6.23-3lenny2.
Now the bad news: The Debian security tracker[1] says:
[lenny] - avahi <not-affected> (Vulnerable code not present, introduced in 0.6.25)
That's wrong: Looking at the source code reveals this:
$ cat avahi-0.6.23/debian/patches/15_CVE-2010-2244.patch
--- a/avahi-core/socket.c
+++ avahi-0.6.23/avahi-core/socket.c
@@ -652,6 +652,10 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv4(
goto fail;
}
+ /* corrupt packets have zero size */
+ if (!ms)
+ goto fail;
+
p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE);
io.iov_base = AVAHI_DNS_PACKET_DATA(p);
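Review bot: the new `if (!ms) goto fail;` leaves avahi_recv_dns_packet_ipv4() before `avahi_dns_packet_new()` is called and before the iovec is set up, so as far as this hunk shows nothing on that path reads the zero-size datagram off the socket. Unless the `fail` label receives and discards it, the datagram stays queued and the socket stays readable, so the caller is woken again for the same packet. Suggest draining the datagram (a receive into an empty buffer) before jumping to `fail`, and extending the comment to say that the packet is being discarded.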
@@ -805,6 +809,10 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv6(
goto fail;
}
+ /* corrupt packets have zero size */
+ if (!ms)
+ goto fail;
+
p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE);
io.iov_base = AVAHI_DNS_PACKET_DATA(p);
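Review bot: the `if (!ms)` check in avahi_recv_dns_packet_ipv6() is a verbatim copy of the IPv4 one, so it has the same early exit ahead of any receive and any correction to the zero-size path has to be made in both places. Consider a small shared helper that both receive functions call to discard an empty datagram before returning. The comment "corrupt packets have zero size" also says nothing about what happens to the packet after `goto fail`; stating whether it is consumed or left on the socket would make the intent reviewable.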
$
So, the code which introduced this vulnerability (CVE-2011-1002[1]) was
actually added[2] when fixing another vulnerability (CVE-2010-2244[3]).
As a consequence, lenny IS indeed vulnerable and needs to be fixed too.
Best regards and thank you very much for your work!
Alexander Kurtz
[1] http://security-tracker.debian.org/tracker/CVE-2011-1002
[2] http://packages.qa.debian.org/a/avahi/news/20100805T140231Z.html
[3] http://security-tracker.debian.org/tracker/CVE-2010-2244