diff --git a/CVE-2010-2244.patch b/CVE-2010-2244.patch
new file mode 100644
index 0000000..9d5784b
--- /dev/null
+++ b/CVE-2010-2244.patch
@@ -0,0 +1,41 @@
+From 2b2844b10d7b7e5c97f9c667d664d9418bb7769a Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Wed, 19 May 2010 15:43:44 +0200
+Subject: [PATCH] socket: ignore packet if FIONREAD returns zero
+
+zero size is reported for corrupt packets. recvmsg() later could
+nevertheless get data from a good packet that followed the bad one.
+So get out early to avoid hitting an assertion.
+---
+ avahi-core/socket.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/avahi-core/socket.c b/avahi-core/socket.c
+index 4146d5a..f9b90a2 100644
+--- a/avahi-core/socket.c
++++ b/avahi-core/socket.c
+@@ -652,6 +652,10 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv4(
+ goto fail;
+ }
+
++ /* For corrupt packets FIONREAD returns zero size (See rhbz #607297) */
++ if (!ms)
++ goto fail;
++
+ p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE);
+
+ io.iov_base = AVAHI_DNS_PACKET_DATA(p);
+@@ -805,6 +809,10 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv6(
+ goto fail;
+ }
+
++ /* For corrupt packets FIONREAD returns zero size (See rhbz #607297) */
++ if (!ms)
++ goto fail;
++
+ p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE);
+
+ io.iov_base = AVAHI_DNS_PACKET_DATA(p);
+--
+1.6.3.3
+
diff --git a/avahi.spec b/avahi.spec
index a56180d..61195ee 100644
--- a/avahi.spec
+++ b/avahi.spec
@@ -6,7 +6,7 @@
 %endif
 Name: avahi
 Version: 0.6.25
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: Local network service discovery
 Group: System Environment/Base
 License: LGPLv2
@@ -574,6 +574,9 @@ fi
 %endif
 %changelog
+* Wed Jun 30 2010 Lennart Poettering 0.6.25-7
+- Forgot patch
+
 * Wed Jun 30 2010 Lennart Poettering 0.6.25-6
 - Fix CVE-2010-2244, rhbz 607297
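Review bot: The added `if (!ms) goto fail;` in avahi_recv_dns_packet_ipv4() (and the identical check in avahi_recv_dns_packet_ipv6()) bails out before `recvmsg()` is called, so the zero-length datagram that triggered it is never taken off the socket queue. If the caller is driven by a readable-socket watch, which the hunk does not show, the same datagram would be reported again on every pass and the daemon could spin on it, trading the assertion for a CPU-bound denial of service. Consider reading first and rejecting afterwards: keep the allocation and `recvmsg()` as they are and place `if (!ms) goto fail;` after the `recvmsg()` error check, with the comment extended to say the packet is dropped only after it has been read. Both function bodies, including the `fail:` label, lie outside the hunks, so confirm that the cleanup path frees `p` in that ordering.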