[Pkg-utopia-maintainers] Bug#984938: avahi-daemon: local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket

Thomas Kremer bugs.debian at xorg.c-informatik.de
Wed Mar 10 16:29:47 GMT 2021


Package: avahi-daemon
Version: 0.7-4+b1
Severity: important
Tags: security

Dear Maintainers,

I found a local denial-of-service vulnerability in avahi-daemon. It can
be triggered by writing long lines to /run/avahi-daemon/socket and
results in an unresponsive busy-loop of the daemon.

Steps to reproduce:
  $ perl -e '$|=1; print "a"x(20*1024+1); sleep 1;' | socat - /run/avahi-daemon/socket
  $ top
  --> check that avahi-daemon uses 100% CPU, does not react to any valid
requests anymore (at least not using that socket) and does not react to
SIGTERM.

Note that every local user has access to the socket.
Note that in [1], function "client_work()", the code reacts to the
filling of its input buffer by disabling the io-watcher, so the
io-watcher itself must be at fault (though this specific problem could
be fixed in that function by just dropping the whole connection the
moment the buffer fills up).

[1] https://github.com/lathiat/avahi/blob/master/avahi-daemon/simple-protocol.c


Yours
Thomas Kremer


-- System Information:
Debian Release: 10.8
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'oldoldstable'), (500,
'oldstable'), (450, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN,
TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages avahi-daemon depends on:
ii  adduser            3.118
ii  bind9-host [host]  1:9.11.5.P4+dfsg-5.1+deb10u3
ii  dbus               1.12.20-0+deb10u1
ii  libavahi-common3   0.7-4+b1
ii  libavahi-core7     0.7-4+b1
ii  libc6              2.28-10
ii  libcap2            1:2.25-2
ii  libdaemon0         0.14-7
ii  libdbus-1-3        1.12.20-0+deb10u1
ii  libexpat1          2.2.6-2+deb10u1
ii  lsb-base           10.2019051400

Versions of packages avahi-daemon recommends:
ii  libnss-mdns  0.14.1-1

Versions of packages avahi-daemon suggests:
pn  avahi-autoipd  <none>

-- no debconf information
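
The report suggests dropping the connection the moment the input buffer fills up. The sketch below shows that mitigation for a line-based Unix-socket reader on Linux; it is an added example, not code from avahi or from the reporter, and `struct client`, `client_on_readable`, `demo` and the 20 KiB limit are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define LINE_MAX_BYTES (20 * 1024) /* assumed limit, sized after the report's 20*1024+1 input */
enum { FEED_OK = 0, FEED_CLOSED = -1, FEED_OVERFLOW = -2 };
struct client { int fd; size_t len; int lines; char inbuf[LINE_MAX_BYTES]; }; /* hypothetical */

/* Run when the event loop reports c->fd readable. A buffer that fills up
 * without a newline ends the connection, so no readable fd is left unread. */
static int client_on_readable(struct client *c) {
    ssize_t r = read(c->fd, c->inbuf + c->len, sizeof c->inbuf - c->len);
    if (r < 0 && (errno == EINTR || errno == EAGAIN)) return FEED_OK;
    if (r <= 0) { close(c->fd); c->fd = -1; return FEED_CLOSED; } /* EOF or error */
    c->len += (size_t) r;
    for (char *nl; (nl = memchr(c->inbuf, '\n', c->len)) != NULL; ) {
        size_t used = (size_t) (nl - c->inbuf) + 1;
        c->lines++;        /* a real daemon would dispatch the command here */
        memmove(c->inbuf, c->inbuf + used, c->len - used);
        c->len -= used;
    }
    if (c->len < sizeof c->inbuf) return FEED_OK;
    close(c->fd); c->fd = -1;          /* over-long line: drop the client */
    return FEED_OVERFLOW;
}

/* Demo over a socketpair with constructed input: n bytes of 'a', optional newline.
 * Returns FEED_OVERFLOW if the client was dropped, else the number of lines parsed. */
static int demo(size_t n, int newline) {
    static char payload[LINE_MAX_BYTES + 2];
    static struct client c;
    int sv[2], rc;
    if (n + 1 > sizeof payload || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -100;
    memset(payload, 'a', n);
    if (newline) payload[n++] = '\n';
    if (write(sv[1], payload, n) != (ssize_t) n) return -100;
    shutdown(sv[1], SHUT_WR);          /* peer is done sending */
    memset(&c, 0, sizeof c); c.fd = sv[0];
    while ((rc = client_on_readable(&c)) == FEED_OK) {}
    close(sv[1]);
    return rc == FEED_OVERFLOW ? FEED_OVERFLOW : c.lines;
}

int main(void) {
    printf("short line: %d, over-long line: %d\n", demo(100, 1), demo(20 * 1024 + 1, 0));
    return 0;
}
```

Closing the descriptor removes it from the poll set, so a level-triggered event loop cannot keep waking up for data that nobody will ever read.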


