avahi: Import patches for security fixes
authorHirokazu MORIKAWA <morikw2@gmail.com>
Thu, 8 Jun 2023 05:37:38 +0000 (14:37 +0900)
committerRosen Penev <rosenp@gmail.com>
Fri, 9 Jun 2023 11:47:07 +0000 (14:47 +0300)
commit779af4d40ccdc0f2a798ee6b6849abb37d202f1b
tree4d7c3736cd48de99aae31b14e412a2dc6d1a50e6
parent808f67d6152fcac09dcda4d66e2bb285878fb3d4
avahi: Import patches for security fixes

Imported patches included in debian and other package.

* 200-Fix-NULL-pointer-crashes-from-175.patch
  CVE-2021-3502
   A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.

* 201-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
  CVE-2021-3468
   A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.

* 202-avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch
   avahi_dns_packet_consume_uint32 left shifts uint8_t values by 8, 16 and 24 bits to combine them into a 32-bit value. This produces an undefined behavior warning with gcc -fsanitize when fed input values of 128 or 255 however in testing no actual unexpected behavior occurs in practice and the 32-bit uint32_t is always correctly produced as the final value is immediately stored into a uint32_t and the compiler appears to handle this "correctly".
Cast the intermediate values to uint32_t to prevent this warning and ensure the intended result is explicit.

* 203-Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
   This was causing timeouts to never be removed from the linked list that tracks them, resulting in both memory and CPU usage to grow larger over time.

* 204-Emit-error-if-requested-service-is-not-found.patch
   It currently just crashes instead of replying with error. Check return
value and emit error instead of passing NULL pointer to reply.

* 205-conf-file-line-lengths.patch
   Allow avahi-daemon.conf file to have lines longer than 256 characters (new limit 1024).

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
libs/avahi/Makefile
libs/avahi/patches/200-Fix-NULL-pointer-crashes-from-175.patch [new file with mode: 0644]
libs/avahi/patches/201-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch [new file with mode: 0644]
libs/avahi/patches/202-avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch [new file with mode: 0644]
libs/avahi/patches/203-Do-not-disable-timeout-cleanup-on-watch-cleanup.patch [new file with mode: 0644]
libs/avahi/patches/204-Emit-error-if-requested-service-is-not-found.patch [new file with mode: 0644]
libs/avahi/patches/205-conf-file-line-lengths.patch [new file with mode: 0644]