From 3f4ea9a62b5fa68d57724b2f83c35a191e33b7c8 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Wed, 23 Oct 2019 19:43:02 +0200 Subject: gnu: avahi: Fix CVE-2018-1000845 and duplicate CVE-2017-6519. * gnu/packages/avahi.scm (avahi/fixed): New variable. (avahi)[replacement]: Use it. * gnu/packages/patches/avahi-CVE-2018-1000845.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/avahi.scm | 11 ++++++ gnu/packages/patches/avahi-CVE-2018-1000845.patch | 42 +++++++++++++++++++++++ 3 files changed, 54 insertions(+) create mode 100644 gnu/packages/patches/avahi-CVE-2018-1000845.patch diff --git a/gnu/local.mk b/gnu/local.mk index a8138a945c..50bcab514a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -706,6 +706,7 @@ dist_patch_DATA = \ %D%/packages/patches/ath9k-htc-firmware-objcopy.patch \ %D%/packages/patches/audacity-build-with-system-portaudio.patch \ %D%/packages/patches/automake-skip-amhello-tests.patch \ + %D%/packages/patches/avahi-CVE-2018-1000845.patch \ %D%/packages/patches/avahi-localstatedir.patch \ %D%/packages/patches/avogadro-boost148.patch \ %D%/packages/patches/avogadro-eigen3-update.patch \ diff --git a/gnu/packages/avahi.scm b/gnu/packages/avahi.scm index e71ffc2982..408be8ed57 100644 --- a/gnu/packages/avahi.scm +++ b/gnu/packages/avahi.scm @@ -35,6 +35,7 @@ (package (name "avahi") (version "0.7") + (replacement avahi/fixed) (home-page "http://avahi.org") (source (origin (method url-fetch) @@ -74,6 +75,16 @@ network. It is an implementation of the mDNS (for \"Multicast DNS\") and DNS-SD (for \"DNS-Based Service Discovery\") protocols.") (license lgpl2.1+))) +(define avahi/fixed + (package/inherit avahi + (source (origin + (inherit (package-source avahi)) + (patches + (append (search-patches "avahi-CVE-2018-1000845.patch") + (origin-patches (package-source avahi)))))) + ;; Hide a duplicate of the CVE fixed above. + (properties `((lint-hidden-cve . ("CVE-2017-6519")))))) + (define-public nss-mdns (package (name "nss-mdns") diff --git a/gnu/packages/patches/avahi-CVE-2018-1000845.patch b/gnu/packages/patches/avahi-CVE-2018-1000845.patch new file mode 100644 index 0000000000..e5b13e0bee --- /dev/null +++ b/gnu/packages/patches/avahi-CVE-2018-1000845.patch @@ -0,0 +1,42 @@ +From e111def44a7df4624a4aa3f85fe98054bffb6b4f Mon Sep 17 00:00:00 2001 +From: Trent Lloyd +Date: Sat, 22 Dec 2018 09:06:07 +0800 +Subject: [PATCH] Drop legacy unicast queries from address not on local link + +When handling legacy unicast queries, ensure that the source IP is +inside a subnet on the local link, otherwise drop the packet. + +Fixes #145 +Fixes #203 +CVE-2017-6519 +CVE-2018-100084 +--- + avahi-core/server.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/avahi-core/server.c b/avahi-core/server.c +index a2cb19a8..a2580e38 100644 +--- a/avahi-core/server.c ++++ b/avahi-core/server.c +@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres + + if (avahi_dns_packet_is_query(p)) { + int legacy_unicast = 0; ++ char t[AVAHI_ADDRESS_STR_MAX]; + + /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the + * AR section completely here, so far. Until the day we add +@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres + legacy_unicast = 1; + } + ++ if (!is_mdns_mcast_address(dst_address) && ++ !avahi_interface_address_on_link(i, src_address)) { ++ ++ avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol); ++ return; ++ } ++ + if (legacy_unicast) + reflect_legacy_unicast_query_packet(s, p, i, src_address, port); + -- cgit v1.2.3