[Pkg-utopia-maintainers] Bug#767625: avahi-daemon leaks MAC address

Blue Beret debian_bts at ramus.wz.cz
Sat Nov 1 14:21:19 UTC 2014


Package: avahi-daemon
Version: 0.6.31-4
Severity: important
Tags: ipv6

Dear Maintainer,

I noticed that when I use NetworkManager to connect to a wired Ethernet network using a custom (or "cloned") MAC address, avahi-daemon has access to both MAC addresses and uses them inconsistently in MDNS queries, leaking them both.

To reproduce, create a wired connection in NetworkManager with a cloned MAC, then run a network sniffer such as Wireshark, connect to the network, and observe MDNS communication. You will see an MDNS query to ff02::fb containing a question in the format "hostname [MAC address]._workstation._tcp.local", where "hostname" is replaced by your machine's hostname and "MAC address" is the original (not cloned) MAC address of your Ethernet adapter.

Ideally, I would expect avahi-daemon to use the "cloned" MAC address, not the original one, in the query. The current behaviour causes an information leak where an eavesdropper can make a connection between your original MAC address and your "cloned" MAC address.


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.utf8, LC_CTYPE=cs_CZ.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages avahi-daemon depends on:
ii  adduser              3.113+nmu3
ii  bind9-host [host]    1:9.9.5.dfsg-5
ii  dbus                 1.8.8-2
ii  host                 1:9.9.5.dfsg-5
ii  init-system-helpers  1.21
ii  libavahi-common3     0.6.31-4
ii  libavahi-core7       0.6.31-4
ii  libc6                2.19-12
ii  libcap2              1:2.24-6
ii  libdaemon0           0.14-6
ii  libdbus-1-3          1.8.8-2
ii  libexpat1            2.1.0-6
ii  lsb-base             4.1+Debian13+nmu1

Versions of packages avahi-daemon recommends:
ii  libnss-mdns  0.10-6

Versions of packages avahi-daemon suggests:
ii  avahi-autoipd  0.6.31-4

-- no debconf information
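
The check described in the report can be automated. The following is an added example, not part of the original bug report or of Avahi: it parses the question section of a captured MDNS payload and reports any MAC address in a `_workstation._tcp.local` name that differs from the source MAC of the frame that carried it. The function names, the hostname and both MAC addresses are constructed for illustration.

```python
import re
import struct

# Service instance name format described in the report: "hostname [MAC]"
WORKSTATION_RE = re.compile(
    r"^.+ \[((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]\._workstation\._tcp\.local$",
    re.IGNORECASE)

def read_name(msg, off):
    """Decode the DNS name at off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("utf-8", "replace"))
        off += length

def question_names(payload):
    """Names in the question section of one DNS/MDNS message."""
    (qdcount,) = struct.unpack_from("!H", payload, 4)
    off, names = 12, []
    for _ in range(qdcount):
        name, off = read_name(payload, off)
        names.append(name)
        off += 4                             # skip QTYPE and QCLASS
    return names

def leaked_macs(frame_src_mac, payload):
    """MACs in workstation names that differ from the frame's source MAC."""
    found = (WORKSTATION_RE.match(n) for n in question_names(payload))
    return [m.group(1).lower() for m in found
            if m and m.group(1).lower() != frame_src_mac.lower()]

# Constructed sample: one question, QTYPE ANY (255), QCLASS IN (1)
_labels = ["examplehost [00:00:5e:00:53:01]", "_workstation", "_tcp", "local"]
SAMPLE = (struct.pack("!6H", 0, 0, 1, 0, 0, 0)
          + b"".join(bytes([len(l)]) + l.encode() for l in _labels) + b"\x00"
          + struct.pack("!2H", 255, 1))

if __name__ == "__main__":
    print(leaked_macs("02:00:00:00:00:01", SAMPLE))
```

Feed it the Ethernet source address and UDP payload of each port 5353 packet from a capture; an empty list means the advertised MAC matches the one on the wire.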


