[Pkg-utopia-maintainers] Bug#986018: avahi-daemon: local DoS (daemon dies) on badly formatted hostname query to /run/avahi-daemon/socket

Thomas Kremer bugs.debian at xorg.c-informatik.de
Sat Mar 27 22:48:08 GMT 2021


Package: avahi-daemon
Version: 0.8-5
Severity: important
Tags: security
Control: notfound -1 0.7-4+b1

Dear Maintainers,

I found another local denial-of-service vulnerability in avahi-daemon.
It can be triggered by trying to resolve badly formatted hostnames on
the /run/avahi-daemon/socket interface (I stumbled upon it, accidentally
trying to resolve an IP as a hostname...).
This time the daemon just dies, and this time buster is not affected.

Steps to reproduce:
  $ (echo "RESOLVE-HOSTNAME a"; sleep 3;) | socat - /run/avahi-daemon/socket
  $ ps -FC avahi-daemon

Same results for these queries: "a.", ".a", "a..b", ".b.c", "a.b.."

Note that every local user has access to the socket.


Yours
Thomas Kremer


-- System Information:
Debian Release: 10.8
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'oldoldstable'), (500, 'oldstable'), (450, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages avahi-daemon depends on:
ii  adduser              3.118
ii  bind9-host [host]    1:9.11.5.P4+dfsg-5.1+deb10u3
ii  dbus                 1.12.20-0+deb10u1
ii  init-system-helpers  1.56+nmu1
ii  libavahi-common3     0.8-5
ii  libavahi-core7       0.8-5
ii  libc6                2.28-10
ii  libcap2              1:2.25-2
ii  libdaemon0           0.14-7
ii  libdbus-1-3          1.12.20-0+deb10u1
ii  libexpat1            2.2.6-2+deb10u1
ii  lsb-base             10.2019051400

Versions of packages avahi-daemon recommends:
ii  libnss-mdns  0.14.1-1

Versions of packages avahi-daemon suggests:
pn  avahi-autoipd  <none>

-- no debconf information
