gnu: avahi: Fix CVE-2018-1000845 and duplicate CVE-2017-6519.

* gnu/packages/avahi.scm (avahi/fixed): New variable.
(avahi)[replacement]: Use it.
* gnu/packages/patches/avahi-CVE-2018-1000845.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.

3 files changed, 54 insertions, 0 deletions

diff --git a/gnu/local.mk b/gnu/local.mk
index a8138a945c..50bcab514a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -706,6 +706,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ath9k-htc-firmware-objcopy.patch		\
   %D%/packages/patches/audacity-build-with-system-portaudio.patch \
   %D%/packages/patches/automake-skip-amhello-tests.patch	\
+  %D%/packages/patches/avahi-CVE-2018-1000845.patch		\
   %D%/packages/patches/avahi-localstatedir.patch		\
   %D%/packages/patches/avogadro-boost148.patch			\
   %D%/packages/patches/avogadro-eigen3-update.patch		\
diff --git a/gnu/packages/avahi.scm b/gnu/packages/avahi.scm
index e71ffc2982..408be8ed57 100644
--- a/gnu/packages/avahi.scm
+++ b/gnu/packages/avahi.scm
@@ -35,6 +35,7 @@
   (package
     (name "avahi")
     (version "0.7")
+    (replacement avahi/fixed)
     (home-page "http://avahi.org")
     (source (origin
              (method url-fetch)
@@ -74,6 +75,16 @@ network.  It is an implementation of the mDNS (for \"Multicast DNS\") and
 DNS-SD (for \"DNS-Based Service Discovery\") protocols.")
     (license lgpl2.1+)))
 
+(define avahi/fixed
+  (package/inherit avahi
+    (source (origin
+              (inherit (package-source avahi))
+              (patches
+               (append (search-patches "avahi-CVE-2018-1000845.patch")
+                       (origin-patches (package-source avahi))))))
+    ;; Hide a duplicate of the CVE fixed above.
+    (properties `((lint-hidden-cve . ("CVE-2017-6519"))))))
+
 (define-public nss-mdns
   (package
     (name "nss-mdns")
diff --git a/gnu/packages/patches/avahi-CVE-2018-1000845.patch b/gnu/packages/patches/avahi-CVE-2018-1000845.patch
new file mode 100644
index 0000000000..e5b13e0bee
--- /dev/null
+++ b/gnu/packages/patches/avahi-CVE-2018-1000845.patch
@@ -0,0 +1,42 @@
+From e111def44a7df4624a4aa3f85fe98054bffb6b4f Mon Sep 17 00:00:00 2001
+From: Trent Lloyd <trent@lloyd.id.au>
+Date: Sat, 22 Dec 2018 09:06:07 +0800
+Subject: [PATCH] Drop legacy unicast queries from address not on local link
+
+When handling legacy unicast queries, ensure that the source IP is
+inside a subnet on the local link, otherwise drop the packet.
+
+Fixes #145
+Fixes #203
+CVE-2017-6519
+CVE-2018-100084
+---
+ avahi-core/server.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index a2cb19a8..a2580e38 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+ 
+     if (avahi_dns_packet_is_query(p)) {
+         int legacy_unicast = 0;
++        char t[AVAHI_ADDRESS_STR_MAX];
+ 
+         /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the
+          * AR section completely here, so far. Until the day we add
+@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+             legacy_unicast = 1;
+         }
+ 
++        if (!is_mdns_mcast_address(dst_address) &&
++            !avahi_interface_address_on_link(i, src_address)) {
++
++            avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol);
++            return;
++        }
++
+         if (legacy_unicast)
+             reflect_legacy_unicast_query_packet(s, p, i, src_address, port);
+