packages/libs/avahi, branch master

treewide: cleanup URLs

2026-05-08T20:28:27Z

This commit converts plain HTTP URLs to HTTPS, and updates old or outdated URLs. Signed-off-by: Yanase Yuki

avahi: update to 0.9-rc4

2026-05-06T06:05:08Z

Fixes https://github.com/openwrt/packages/issues/27952 Update avahi from 0.8 to 0.9-rc4. The 0.9 development line accumulates four years of bug and security fixes since the 0.8 release (2020-02-18). Notable improvements in 0.9-rc4 over 0.8: Security (all CVEs previously backported as patches, now removed): - CVE-2023-38469: reject TXT records whose total rdata exceeds AVAHI_DNS_RDATA_MAX, preventing heap-buffer reads under crafted mDNS - CVE-2023-38470: ensure each DNS label is at least one byte, preventing an infinite loop on malformed packets - CVE-2023-38471: extract host name via avahi_unescape_label() before generating an alternative to avoid operating on a raw escaped string - CVE-2023-38472: check that rdata pointer is non-NULL before passing to avahi_rdata_parse() from dbus-entry-group - CVE-2023-38473: derive alternative host name from its unescaped form, fixing incorrect hostname collision resolution with escaped labels Bug fixes (previously backported): - Fix NULL-pointer crashes in avahi_s_*_browser_new() (#175) - Avoid infinite loop in avahi-daemon simple-protocol by handling AVAHI_WATCH_HUP event in client_work - Fix potential undefined behaviour in avahi_dns_packet_consume_uint32: cast uint8_t operands to uint32_t before shifting - Fix memory/CPU leak in the simple event loop: cleanup_watches() was zeroing timeout_req_cleanup instead of watch_req_cleanup, so completed watches were never removed from the linked list - Emit D-Bus error reply when avahi-daemon cannot resolve a hostname or service, rather than crashing with a NULL dereference - Increase ini-file-parser line buffer from 256 to 1024 bytes to handle longer configuration values without silent truncation Other changes: - P2P tunnel support: IFF_MULTICAST is no longer required for point-to-point interfaces when allow-point-to-point=yes - Runtime directory: configure.ac now derives the socket path from ${runstatedir} (defaults to ${localstatedir}/run), so the explicit patch reverting the /run hardcoding is no longer needed - Patch 010-pkgconfig.patch (pkgconfig prefix alignment) is retained as it has not been merged upstream Dropped patches (all merged upstream): 020-revert-runtime-dir-systemd-change.patch 100-p2p-no-iff_multicast-required.patch 200-Fix-NULL-pointer-crashes-from-175.patch 201-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch 202-avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch 203-Do-not-disable-timeout-cleanup-on-watch-cleanup.patch 204-Emit-error-if-requested-service-is-not-found.patch 205-conf-file-line-lengths.patch 300-CVE-2023-38469.patch through 304-CVE-2023-38473.patch Library SONAMES unchanged: libavahi-common.so.3, libavahi-core.so.7, libavahi-client.so.3 — no reverse dependency rebuilds required. Disable libsystemd (not available on OpenWrt) avahi 0.9-rc4 added --enable-libsystemd which defaults to enabled and fails configure when libsystemd is not found via pkg-config. OpenWrt does not provide libsystemd; disable it explicitly. Also pass --with-systemdsystemunitdir=no to suppress the pkg-config lookup for the systemd unit directory. Drop po/ subdir from build The 0.9-rc4 tarball is a raw git archive; po/Makefile.in.in is not pre-generated as it was in the 0.8 release tarball. autopoint (from gettext) is needed to install it, but is not available in the OpenWrt SDK. Since OpenWrt does not use NLS translations, remove po/ from SUBDIRS in Makefile.am to avoid the missing po/Makefile.in.in error during configure. In 0.9-rc4 the D-Bus system.d directory changed from $(sysconfdir)/dbus-1/system.d to $(datadir)/dbus-1/system.d, so avahi-dbus.conf is now installed under usr/share/dbus-1/system.d. Update the install rule source path accordingly; keep the on-device destination at /etc/dbus-1/system.d for compatibility. Signed-off-by: Alexandru Ardelean

treewide: set me where PKG_MAINTAINER empty

2026-04-16T18:48:36Z

Seems a lot of packages are just getting abandoned by people. Will pick these up and see them through. Signed-off-by: Alexandru Ardelean

avahi: fix implementation of avahi user

2025-10-27T21:33:06Z

All avahi subpackages should run the daemon as a dedicated user insteead of as the nobody user. This is helpful in troubleshooting and better for security and to help avoid resource conflicts. Build system: x86/64 Build-tested: x86/64-glibc Run-tested: x86/64-glibc (avahi-dbus-daemon) Signed-off-by: John Audia

avahi: backport CVE fixes from upstream

2024-02-11T02:34:55Z

Signed-off-by: Rosen Penev

avahi: remove compat library

2023-11-17T05:08:18Z

It seems this is meant for distributions that lack mdnsresponder. It's heavier than it as dbus is required. Since this happens to conflict with mdnsresponder, just remove it. Signed-off-by: Rosen Penev

avahi: Import patches for security fixes

2023-06-09T11:47:07Z

Imported patches included in debian and other package. * 200-Fix-NULL-pointer-crashes-from-175.patch CVE-2021-3502 A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability. * 201-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch CVE-2021-3468 A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered. * 202-avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch avahi_dns_packet_consume_uint32 left shifts uint8_t values by 8, 16 and 24 bits to combine them into a 32-bit value. This produces an undefined behavior warning with gcc -fsanitize when fed input values of 128 or 255 however in testing no actual unexpected behavior occurs in practice and the 32-bit uint32_t is always correctly produced as the final value is immediately stored into a uint32_t and the compiler appears to handle this "correctly". Cast the intermediate values to uint32_t to prevent this warning and ensure the intended result is explicit. * 203-Do-not-disable-timeout-cleanup-on-watch-cleanup.patch This was causing timeouts to never be removed from the linked list that tracks them, resulting in both memory and CPU usage to grow larger over time. * 204-Emit-error-if-requested-service-is-not-found.patch It currently just crashes instead of replying with error. Check return value and emit error instead of passing NULL pointer to reply. * 205-conf-file-line-lengths.patch Allow avahi-daemon.conf file to have lines longer than 256 characters (new limit 1024). Signed-off-by: Hirokazu MORIKAWA

avahi: Changed the target file for the patch

2022-02-13T03:35:47Z

Fixed the affected issue in the latest commit daemon.err avahi-daemon[xxx]: mkdir("/run/avahi-daemon/"): No such file or directory Signed-off-by: Hirokazu MORIKAWA

avahi: fix build on some distributions

2022-02-10T00:05:14Z

This seems to happen only on some distributions (Void, Arch): /usr/lib/libgcc_s.so.1: file not recognized: file format not recognized collect2: error: ld returned 1 exit status libtool: error: error: relink 'libdns_sd.la' with the above command before installing it Signed-off-by: Michal Vasilek

treewide: Run refresh on all packages

2021-02-21T00:02:15Z

The crude loop I wrote to come up with this changeset: find -L package/feeds/packages/ -name patches | \ sed 's/patches$/refresh/' | sort | xargs make Signed-off-by: Ilya Lipnitskiy