[Pkg-utopia-maintainers] Bug#1028386: bullseye-pu: package avahi/0.8-5+deb11u2

Michael Biebl biebl at debian.org
Tue Jan 10 10:41:04 GMT 2023


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: avahi at packages.debian.org, carnil at debian.org
Control: affects -1 + src:avahi

Hi,

as discussed (internally) with Salvatore from the security team,
I'd like to make a stable upload for avahi, fixing CVE-2021-3468 / #984938.

The patch has been applied/reviewed upstream and was also uploaded to
unstable.

Full debdiff is attached.

Regards,
Michael
diff --git a/debian/changelog b/debian/changelog
index 88166628..f4b6f9c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+avahi (0.8-5+deb11u2) bullseye; urgency=medium
+
+  * Avoid infinite-loop in avahi-daemon by handling HUP event in client_work.
+    Fixes a local DoS that could be triggered by writing long lines to
+    /run/avahi-daemon/socket. (CVE-2021-3468, Closes: #984938)
+
+ -- Michael Biebl <biebl at debian.org>  Tue, 10 Jan 2023 09:43:16 +0100
+
 avahi (0.8-5+deb11u1) bullseye; urgency=medium
 
   [ Simon McVittie ]
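Review bot: the changelog entry is consistent with the attached patch (same CVE, same bug number, and the "writing long lines to /run/avahi-daemon/socket" trigger matches the full-input-buffer condition the upstream commit message describes), so nothing blocks here; one wording nit is "infinite-loop", which should be "infinite loop" in running prose even though it mirrors the upstream subject line.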
diff --git a/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch b/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
new file mode 100644
index 00000000..a29444da
--- /dev/null
+++ b/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
@@ -0,0 +1,38 @@
+From: Riccardo Schirone <sirmy15 at gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+
+(cherry picked from commit 447affe29991ee99c6b9732fc5f2c1048a611d3b)
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb1..6c0274d 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+         }
+     }
+ 
++    if (events & AVAHI_WATCH_HUP) {
++        client_free(c);
++        return;
++    }
++
+     c->server->poll_api->watch_update(
+         watch,
+         (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
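Review bot: the new `if (events & AVAHI_WATCH_HUP)` block is placed after the read/write handling and before `watch_update`, which is the right spot: input that arrived before the hang-up is still processed, and the early `return` keeps `watch_update` from touching a watch whose client has just been freed. Since the spin described in the commit message comes from the kernel re-reporting an unconsumed event, it is worth confirming that AVAHI_WATCH_ERR is already handled earlier in client_work (not visible in this hunk); an unhandled ERR on the same descriptor would loop the same way. Pending `outbuf` data is dropped on HUP, which is acceptable because the peer has gone away.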
diff --git a/debian/patches/series b/debian/patches/series
index 7b513a9c..cdfebce3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ build-db-Use-the-same-database-format-that-the-C-code-exp.patch
 avahi-discover-Escape-strings-substituted-into-Pango-mark.patch
 Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
 Fix-NULL-pointer-crashes-from-175.patch
+Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
