author | Ariadne Conill <ariadne@dereferenced.org> | 2021-06-22 01:15:43 -0600 |
---|---|---|
committer | Ariadne Conill <ariadne@dereferenced.org> | 2021-06-22 01:18:50 -0600 |
commit | 9a74d65c5d70f5150a6922934dbbfa8c92b48e77 (patch) | |
tree | 8b48d43512714954db6de1c9118d9be14e585cee | |
parent | 8f9f880e81250ea227f57ea64f8b99f62bd8b285 (diff) |
main/avahi: add mitigation for CVE-2021-3468
-rw-r--r-- | main/avahi/APKBUILD | 10 | ||||
-rw-r--r-- | main/avahi/CVE-2021-3468.patch | 37 |
2 files changed, 45 insertions, 2 deletions
diff --git a/main/avahi/APKBUILD b/main/avahi/APKBUILD index 87f02f9a66a..d0f8748d4d7 100644 --- a/main/avahi/APKBUILD +++ b/main/avahi/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=avahi pkgver=0.8 -pkgrel=2 +pkgrel=3 pkgdesc="A multicast/unicast DNS-SD framework" url="https://www.avahi.org/" arch="all" @@ -20,9 +20,12 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-tools $pkgname-glib $pkgname-compat-libdns_sd:lidns_sd $pkgname-lang " source="https://github.com/lathiat/avahi/releases/download/v$pkgver/avahi-$pkgver.tar.gz + CVE-2021-3468.patch " # secfixes: +# 0.8-r3: +# - CVE-2021-3468 # 0.7-r2: # - CVE-2017-6519 # - CVE-2018-1000845 @@ -118,4 +121,7 @@ lidns_sd() { "$subpkgdir"/usr/lib/ } -sha512sums="c6ba76feb6e92f70289f94b3bf12e5f5c66c11628ce0aeb3cadfb72c13a5d1a9bd56d71bdf3072627a76cd103b9b056d9131aa49ffe11fa334c24ab3b596c7de avahi-0.8.tar.gz" +sha512sums=" +c6ba76feb6e92f70289f94b3bf12e5f5c66c11628ce0aeb3cadfb72c13a5d1a9bd56d71bdf3072627a76cd103b9b056d9131aa49ffe11fa334c24ab3b596c7de avahi-0.8.tar.gz +743430a532b8ec246672cd0997b7831efc15c461cbfe0461faac5d6525293297efb7c06f759b2bcd71d1842ba165464fd334508534e6c247211d613061c49da5 CVE-2021-3468.patch +" diff --git a/main/avahi/CVE-2021-3468.patch b/main/avahi/CVE-2021-3468.patch new file mode 100644 index 00000000000..3e0725a6024 --- /dev/null +++ b/main/avahi/CVE-2021-3468.patch 
@@ -0,0 +1,37 @@
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <sirmy15@gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+ }
+ }
+
++ if (events & AVAHI_WATCH_HUP) {
++ client_free(c);
++ return;
++ }
++
+ c->server->poll_api->watch_update(
+ watch,
+ (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) | |
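Review bot: The new `if (events & AVAHI_WATCH_HUP)` branch in client_work() has no comment, so the reason it must exist and must come before `watch_update()` lives only in the patch description. A short comment above it would keep that reasoning with the code, for example `/* Peer hung up: with a full inbuf AVAHI_WATCH_IN is disabled, so free the client here or the poll loop spins on HUP. */`. It is also worth stating that the `return;` after `client_free(c);` is what stops the following `c->server->poll_api->watch_update(...)` call from using the freed client. The branch tests only AVAHI_WATCH_HUP; whether a pending AVAHI_WATCH_ERR on the same descriptor could be left unhandled in the same way cannot be told from here, because client_work() begins and ends outside the hunk, so that should be checked against the full function.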