authorLeo <thinkabit.ukim@gmail.com>2019-07-16 22:46:19 -0300
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-07-17 06:38:42 +0000
commit6dd2468d5d955ed31de8344012436b2523cb0e45 (patch)
treedcd3563333c9d1ccc1bfa275a35b0759d3241a07
parente417e312a2460b385bd5003089c29af549f19b14 (diff)
main/avahi: fix CVE-2017-6519 and CVE-2018-1000845
Fixes #9242 Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
-rw-r--r--main/avahi/APKBUILD14
-rw-r--r--main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch27
2 files changed, 37 insertions, 4 deletions
diff --git a/main/avahi/APKBUILD b/main/avahi/APKBUILD
index 4d76fbc2c8..df85dd28b3 100644
--- a/main/avahi/APKBUILD
+++ b/main/avahi/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=avahi
pkgver=0.6.32
-pkgrel=4
+pkgrel=5
pkgdesc="A multicast/unicast DNS-SD framework"
url="http://www.avahi.org/"
arch="all"
@@ -20,9 +20,16 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-tools $pkgname-glib
py-avahi:py"
source="https://github.com/lathiat/avahi/releases/download/v$pkgver/avahi-$pkgver.tar.gz
openrc-run.patch
+ CVE-2017-6519-and-CVE-2018-1000845.patch
"
builddir="$srcdir"/$pkgname-$pkgver
+
+# secfixes:
+# 0.6.32-r5:
+# - CVE-2017-6519
+# - CVE-2018-1000845
+
prepare() {
default_prepare
autoreconf -vif
@@ -115,7 +122,6 @@ py() {
mkdir -p "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/py* "$subpkgdir"/usr/lib/
}
-
-
sha512sums="6f8d0a64292439cbb989c531a4ba2f25a53ee9cf7ad9df04dedf73149489a92612f3b5955e10aa4b1c76496c34b90ad75590e8aa49468249508267c1c8b899ee avahi-0.6.32.tar.gz
-2754d11bf027676f30de6322eb9251ae83df5ef8f7b354793263224d432514a49e021d8f819f5525eeaeead04b544e15bfd2183ac8bc9f97e871d246e2b6a108 openrc-run.patch"
+2754d11bf027676f30de6322eb9251ae83df5ef8f7b354793263224d432514a49e021d8f819f5525eeaeead04b544e15bfd2183ac8bc9f97e871d246e2b6a108 openrc-run.patch
+dc5c9fde8d1244e70e3cf1c09bc274b094458d2fad982f5a79bcbf3cbddc43a0cf79e9ba106b3b0446a6f0b006fd3beeee48a03bd3d8a06cf8d9821f6945ffed CVE-2017-6519-and-CVE-2018-1000845.patch"
diff --git a/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch b/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch
new file mode 100644
index 0000000000..513489fa5b
--- /dev/null
+++ b/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch
@@ -0,0 +1,27 @@
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index a2cb19a..a2580e3 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+
+ if (avahi_dns_packet_is_query(p)) {
+ int legacy_unicast = 0;
++ char t[AVAHI_ADDRESS_STR_MAX];
+
+ /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the
+ * AR section completely here, so far. Until the day we add
+@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+ legacy_unicast = 1;
+ }
+
++ if (!is_mdns_mcast_address(dst_address) &&
++ !avahi_interface_address_on_link(i, src_address)) {
++
++ avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol);
++ return;
++ }
++
+ if (legacy_unicast)
+ reflect_legacy_unicast_query_packet(s, p, i, src_address, port);
+
+
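Review bot: The added guard `if (!is_mdns_mcast_address(dst_address) && !avahi_interface_address_on_link(i, src_address))` has no comment, so the reason for dropping the query (apparently the off-link unicast query handling that the two CVEs in the file name refer to) can only be guessed from the patch name. I would add above it `/* Drop unicast queries from off-link sources: answering them lets remote hosts elicit mDNS responses (traffic reflection, information disclosure). */`. The check trusts the UDP source address, so it limits exposure to the local link rather than authenticating the sender, and filtering UDP 5353 at the network edge is still worth keeping. The patch file also starts directly at `diff --git` with no header naming the upstream commit it was taken from, which makes it hard to confirm that it matches the upstream fix; a first line such as `# Upstream: <UPSTREAM_COMMIT_URL>` would help. dispatch_packet starts and ends outside the hunk.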