From f7e6d39e9d692ef73c40edf94d262646b02d1f36 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Dec 14 2008 19:26:25 +0000
Subject: Fix a couple of issues, rhbz #475394, avahi bts #209, rhbz #438013, avahi bts #251, avahi bts #231. This includes low risk security issue CVE-2008-5081.
---
diff --git a/0001-Don-t-get-confused-by-UDP-packets-with-a-source-port.patch b/0001-Don-t-get-confused-by-UDP-packets-with-a-source-port.patch
new file mode 100644
index 0000000..36dc5ee
--- /dev/null
+++ b/0001-Don-t-get-confused-by-UDP-packets-with-a-source-port.patch
@@ -0,0 +1,32 @@
+From 3093047f1aa36bed8a37fa79004bf0ee287929f4 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Thu, 11 Dec 2008 20:57:45 +0100
+Subject: [PATCH] Don't get confused by UDP packets with a source port that is zero
+
+This is a fix for rhbz 475394.
+
+Problem identified by Hugo Dias.
+---
+ avahi-core/server.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index c4980af..11ab6cf 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -898,6 +898,12 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+ return;
+ }
+
++ if (port <= 0) {
++ /* This fixes RHBZ #475394 */
++ avahi_log_warn("Received packet from invalid source port.");
++ return;
++ }
++
+ if (avahi_address_is_ipv4_in_ipv6(src_address))
+ /* This is an IPv4 address encapsulated in IPv6, so let's ignore it. */
+ return;
+--
+1.6.0.5
+
diff --git a/0001-Fix-force-bind-logic.patch b/0001-Fix-force-bind-logic.patch
new file mode 100644
index 0000000..730486d
--- /dev/null
+++ b/0001-Fix-force-bind-logic.patch
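Review bot: The new `port <= 0` branch in dispatch_packet warns without naming the sender, so an operator reading the log cannot tell which host on the link produced the packet. The sibling patch 0001-Include-host-in-invalid-packet-messages.patch already shows the pattern; here it would be `char t[AVAHI_ADDRESS_STR_MAX];` and `avahi_log_warn("Received packet from host %s with invalid source port.", avahi_address_snprint(t, sizeof(t), src_address));`. Since any unauthenticated sender on the link can trigger this message once per packet, it is worth deciding whether the warning should be rate-limited or logged at a lower level. The type of `port` is cut off in the hunk header; if it is unsigned, as the `%u` in the sibling patch suggests, `<= 0` is simply `== 0` and reads more clearly written that way.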
@@ -0,0 +1,54 @@
+From f8ef650e9d7b633c67509666599c15f205fa5baf Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Fri, 12 Dec 2008 21:26:27 +0100
+Subject: [PATCH] Fix --force-bind logic
+
+Quoting Cocagne:
+
+ "line 1280 of autoipd's main.c: "else if (event ==
+ EVENT_ROUTABLE_ADDR_CONFIGURED)" is missing '&& !force_bind' in
+ the conditional. The lack of this condition causes the local
+ link IP to be released even if the --force-bind arugment is
+ passed.
+
+ The problem was noticed when attempting to use avahi-autoipd
+ acquire a link-local address during the early-userspace in a
+ Linux initramfs. Immediately after the call-out script assinged
+ the ll-address to the device, the daemon released the address
+ via this conditional. It's suspicious that the daemon would
+ consider this address "routable" but, even if it were,
+ --force-bind should prevent the address from being released.
+
+ After adding the && !force_bind to the conditional the daemon
+ appeard to behave as expected."
+
+Closes #209.
+---
+ avahi-autoipd/main.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/avahi-autoipd/main.c b/avahi-autoipd/main.c
+index ef529b9..eb71c3b 100644
+--- a/avahi-autoipd/main.c
++++ b/avahi-autoipd/main.c
+@@ -1281,7 +1281,7 @@ static int loop(int iface, uint32_t addr) {
+ DEBUG(daemon_log(LOG_DEBUG, "Ignoring irrelevant ARP packet."));
+ }
+
+- } else if (event == EVENT_ROUTABLE_ADDR_CONFIGURED) {
++ } else if (event == EVENT_ROUTABLE_ADDR_CONFIGURED && !force_bind) {
+
+ daemon_log(LOG_INFO, "A routable address has been configured.");
+
+@@ -1306,7 +1306,7 @@ static int loop(int iface, uint32_t addr) {
+ elapse_time(&next_wakeup, 0, PROBE_WAIT*1000);
+ next_wakeup_valid = 1;
+
+- } else if (event == EVENT_REFRESH_REQUEST && state == STATE_RUNNING && !force_bind) {
++ } else if (event == EVENT_REFRESH_REQUEST && state == STATE_RUNNING) {
+
+ /* The user requested a reannouncing of the address by a SIGHUP */
+ daemon_log(LOG_INFO, "Reannouncing address.");
+--
+1.6.0.5
+
diff --git a/0001-Include-host-in-invalid-packet-messages.patch b/0001-Include-host-in-invalid-packet-messages.patch
new file mode 100644
index 0000000..0f67d0b
--- /dev/null
+++ b/0001-Include-host-in-invalid-packet-messages.patch
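Review bot: The second inner hunk (`@@ -1306,7 +1306,7 @@`) removes `&& !force_bind` from the `EVENT_REFRESH_REQUEST` branch, a behaviour change that neither the subject nor the quoted report mentions; both describe only the addition to the `EVENT_ROUTABLE_ADDR_CONFIGURED` test. The result is that a SIGHUP reannounce is now honoured under --force-bind, which looks intended but should be stated in the commit message. With `!force_bind` now in the first condition, a routable-address event under --force-bind falls through to the later `else if` branches of loop(), which lie outside the hunk. A comment at that line such as `/* --force-bind: keep the link-local address even if a routable one shows up */` would record that the fall-through is deliberate.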
@@ -0,0 +1,54 @@
+From 1e14daab904b4c74e1ee4edd081d42478aa5d12a Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Thu, 11 Dec 2008 20:11:42 +0100
+Subject: [PATCH] Include host in invalid packet messages
+
+Include the source host in warning messages about invalid packets.
+
+This is a result of rhbz #438013
+---
+ avahi-core/server.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index 453db09..c4980af 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -941,26 +941,30 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+ handle_query_packet(s, p, i, src_address, port, legacy_unicast, from_local_iface);
+
+ } else {
++ char t[AVAHI_ADDRESS_STR_MAX];
++
+ if (port != AVAHI_MDNS_PORT) {
+- avahi_log_warn("Received response with invalid source port %u on interface '%s.%i'", port, i->hardware->name, i->protocol);
++ avahi_log_warn("Received response from host %s with invalid source port %u on interface '%s.%i'", avahi_address_snprint(t, sizeof(t), src_address), port, i->hardware->name, i->protocol);
+ return;
+ }
+
+ if (ttl != 255 && s->config.check_response_ttl) {
+- avahi_log_warn("Received response with invalid TTL %u on interface '%s.%i'.", ttl, i->hardware->name, i->protocol);
++ avahi_log_warn("Received response from host %s with invalid TTL %u on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), ttl, i->hardware->name, i->protocol);
+ return;
+ }
+
+ if (!is_mdns_mcast_address(dst_address) &&
+ !avahi_interface_address_on_link(i, src_address)) {
+- avahi_log_warn("Received non-local response on interface '%s.%i'.", i->hardware->name, i->protocol);
++
++ avahi_log_warn("Received non-local response from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol);
+ return;
+ }
+
+ if (avahi_dns_packet_get_field(p, AVAHI_DNS_FIELD_QDCOUNT) != 0 ||
+ avahi_dns_packet_get_field(p, AVAHI_DNS_FIELD_ANCOUNT) == 0 ||
+ avahi_dns_packet_get_field(p, AVAHI_DNS_FIELD_NSCOUNT) != 0) {
+- avahi_log_warn("Invalid response packet.");
++
++ avahi_log_warn("Invalid response packet from host %s.", avahi_address_snprint(t, sizeof(t), src_address));
+ return;
+ }
+
+--
+1.6.0.5
+
diff --git a/0001-actually-set-thread_running.-Closes-251.patch b/0001-actually-set-thread_running.-Closes-251.patch
new file mode 100644
index 0000000..251cd91
--- /dev/null
+++ b/0001-actually-set-thread_running.-Closes-251.patch
@@ -0,0 +1,25 @@
+From df0f904f29312efd82cdbf55adb37b10cee47a6e Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Fri, 12 Dec 2008 19:37:24 +0100
+Subject: [PATCH] actually set thread_running. Closes #251
+
+---
+ avahi-common/thread-watch.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/avahi-common/thread-watch.c b/avahi-common/thread-watch.c
+index 1a5d9d2..4f23608 100644
+--- a/avahi-common/thread-watch.c
++++ b/avahi-common/thread-watch.c
+@@ -136,6 +136,8 @@ int avahi_threaded_poll_start(AvahiThreadedPoll *p) {
+ if (pthread_create(&p->thread_id, NULL, thread, p) < 0)
+ return -1;
+
++ p->thread_running = 1;
++
+ return 0;
+ }
+
+--
+1.6.0.5
+
diff --git a/0001-guarantee-that-we-never-calculate-an-invalid-ip-addr.patch b/0001-guarantee-that-we-never-calculate-an-invalid-ip-addr.patch
new file mode 100644
index 0000000..10968bb
--- /dev/null
+++ b/0001-guarantee-that-we-never-calculate-an-invalid-ip-addr.patch
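Review bot: Each rewritten `avahi_log_warn` call in the response branch of dispatch_packet passes the result of `avahi_address_snprint(t, sizeof(t), src_address)` straight to a `%s` conversion. If that helper can return NULL when the address cannot be formatted (its definition is not in this hunk), the call is undefined behaviour on a path reached by untrusted network packets. Taking the result once and substituting a fallback, for example `const char *h = avahi_address_snprint(t, sizeof(t), src_address);` followed by `if (!h) h = "(unknown)";`, would close that gap and remove the four repeated calls. The `else` block that declares `t` continues past the end of the hunk.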
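Review bot: The context line `if (pthread_create(&p->thread_id, NULL, thread, p) < 0)` in avahi_threaded_poll_start can never detect a failure, because pthread_create returns a positive error number rather than a negative value. With the added `p->thread_running = 1;` the flag is therefore also set when no thread was started, and code that trusts it (presumably the stop/join path, not shown here) would operate on an unset `thread_id`. The test should read `if (pthread_create(&p->thread_id, NULL, thread, p) != 0)`. Whether the new thread itself reads `thread_running` before this assignment runs is not visible in the hunk and is worth checking.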
@@ -0,0 +1,30 @@ +From d6ce91c0b5258c2e107415704413f42edfab2c30 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 5 Aug 2008 15:53:23 +0200 +Subject: [PATCH] guarantee that we never calculate an invalid ip address from the mac address + +--- + avahi-autoipd/main.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +diff --git a/avahi-autoipd/main.c b/avahi-autoipd/main.c +index 01ccc79..ef529b9 100644 +--- a/avahi-autoipd/main.c ++++ b/avahi-autoipd/main.c +@@ -1144,9 +1144,13 @@ static int loop(int iface, uint32_t addr) { + for (i = 0; i < ETHER_ADDRLEN; i++) + a += hw_address[i]*i; + ++ a = (a % 0xFE00) + 0x0100; ++ + addr = htonl(IPV4LL_NETWORK | (uint32_t) a); + } + ++ assert(is_ll_address(addr)); ++ + set_state(st, 1, addr); + + daemon_log(LOG_INFO, "Starting with address %s", inet_ntop(AF_INET, &addr, buf, sizeof(buf))); +-- +1.6.0.5 + diff --git a/avahi.spec b/avahi.spec index 126541b..d69c58c 100644 --- a/avahi.spec +++ b/avahi.spec @@ -6,7 +6,7 @@ %endif Name: avahi Version: 0.6.22 -Release: 11%{?dist} +Release: 12%{?dist} Summary: Local network service discovery Group: System Environment/Base License: LGPLv2 @@ -42,6 +42,11 @@ Source0: http://avahi.org/download/%{name}-%{version}.tar.gz Patch2: avahi-0.6.3-MONO_SHARED_DIR.patch Patch3: avahi-0.6.22-vncviewer.patch Patch4: avahi-0.6.22-update-de.patch +Patch5: 0001-actually-set-thread_running.-Closes-251.patch +Patch6: 0001-Don-t-get-confused-by-UDP-packets-with-a-source-port.patch +Patch7: 0001-Fix-force-bind-logic.patch +Patch8: 0001-guarantee-that-we-never-calculate-an-invalid-ip-addr.patch +Patch9: 0001-Include-host-in-invalid-packet-messages.patch %description Avahi is a system which facilitates service discovery on 
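Review bot: `assert(is_ll_address(addr));` is placed after the closing brace of the block that derives the address from the MAC, so it also checks an `addr` that loop() received from its caller. If that value can originate outside the program (a start address given on the command line or read from saved state, neither visible in this hunk), a bad value aborts the daemon, and a build with NDEBUG drops the check altogether. An explicit runtime test, `if (!is_ll_address(addr))` followed by a `daemon_log(LOG_ERR, ...)` and loop()'s normal error exit, is safer than an assertion for input validation. The new line `a = (a % 0xFE00) + 0x0100;` deserves a comment stating the range it yields, 0x0100 to 0xFEFF, so that the first and last 256 host values of the network are never produced.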
@@ -267,6 +272,11 @@ fashion with mDNS. %endif %patch3 -p1 -b .vncviewer %patch4 -p1 -b .update-de +%patch5 -p1 -b .0001-actually-set-thread_running.-Closes-251 +%patch6 -p1 -b .0001-Don-t-get-confused-by-UDP-packets-with-a-source-port +%patch7 -p1 -b .0001-Fix-force-bind-logic +%patch8 -p1 -b .0001-guarantee-that-we-never-calculate-an-invalid-ip-addr +%patch9 -p1 -b .0001-Include-host-in-invalid-packet-messages # nuke rpath, TODO: double-check if still required on new releases autoreconf @@ -563,6 +573,11 @@ fi %endif %changelog +* Sun Dec 14 2008 Lennart Poettering - 0.6.22-12 +- Fix a couple of issues, rhbz #475394, avahi bts #209, rhbz #438013, avahi bts + #251, avahi bts #231. This includes low risk security issue CVE-2008-5081. + All backported from upstream 0.6.24 + * Wed Jun 04 2008 Rex Dieter - 0.6.22-11 - qt4 bindings (#446904) - devel: BR: pkgconfig
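Review bot: The `%patch5` to `%patch9` lines apply the patches in a different order from the one they were generated in, as the `index` lines show. On avahi-core/server.c, 0001-Include-host (453db09..c4980af) precedes 0001-Don-t-get-confused (c4980af..11ab6cf), and on avahi-autoipd/main.c, 0001-guarantee (01ccc79..ef529b9) precedes 0001-Fix-force-bind (ef529b9..eb71c3b), yet Patch6 runs before Patch9 and Patch7 before Patch8. The hunks touch separate regions, so they should still apply, but only with line offsets; numbering them in generation order (also in the `Patch5:` to `Patch9:` declarations of the `@@ -42,6 +42,11 @@` hunk) would let them apply exactly. The changelog cites avahi bts #231 and CVE-2008-5081, which none of the added patch subjects names, so a comment beside each Patch line giving the bug it addresses would make the security fix traceable.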