author: Steve Sakoman <steve@sakoman.com> 2021-07-21 07:33:19 -1000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-10 11:14:11 +0100
commit: 1d36ed33069d76898115eaf271fa1f15dea9b657 (patch)
tree: a8b586014cd27057e9289f719d9d9437a65716aa
parent: f30d69e51f475773bf8e05a7ed328b9f908879b7 (diff)
avahi: fix CVE-2021-3468
A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.

https://nvd.nist.gov/vuln/detail/CVE-2021-3468

CVE: CVE-2021-3468

(From OE-Core rev: 7ca7aeb7c703bfa22c9f128849e11b62f93d81b5)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-connectivity/avahi/avahi.inc | 1
meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch | 42
2 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi.inc b/meta/recipes-connectivity/avahi/avahi.inc
index 6acedb5412..25bb41b738 100644
--- a/meta/recipes-connectivity/avahi/avahi.inc
+++ b/meta/recipes-connectivity/avahi/avahi.inc
@@ -21,6 +21,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
21 21
22SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \ 22SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
23 file://fix-CVE-2017-6519.patch \ 23 file://fix-CVE-2017-6519.patch \
24 file://CVE-2021-3468.patch \
24 " 25 "
25 26
26UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" 27UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
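Review bot: The added `file://CVE-2021-3468.patch` line in SRC_URI is placed consistently with the existing `file://fix-CVE-2017-6519.patch` entry and needs no change. Note that the patch file name carrying the CVE id, together with the `CVE: CVE-2021-3468` tag in the patch header, is what lets the cve-check class mark this CVE as patched for the recipe, so both should be kept in sync if the file is ever renamed.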
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
new file mode 100644
index 0000000000..638a1f6071
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
@@ -0,0 +1,42 @@
1From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
2From: Riccardo Schirone <sirmy15@gmail.com>
3Date: Fri, 26 Mar 2021 11:50:24 +0100
4Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
5 client_work
6
7If a client fills the input buffer, client_work() disables the
8AVAHI_WATCH_IN event, thus preventing the function from executing the
9`read` syscall the next times it is called. However, if the client then
10terminates the connection, the socket file descriptor receives a HUP
11event, which is not handled, thus the kernel keeps marking the HUP event
12as occurring. While iterating over the file descriptors that triggered
13an event, the client file descriptor will keep having the HUP event and
14the client_work() function is always called with AVAHI_WATCH_HUP but
15without nothing being done, thus entering an infinite loop.
16
17See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
18
19Upstream-Status: Backport
20CVE: CVE-2021-3468
21Signed-off-by: Steve Sakoman <steve@sakoman.com>
22
23---
24 avahi-daemon/simple-protocol.c | 5 +++++
25 1 file changed, 5 insertions(+)
26
27diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
28index 3e0ebb11..6c0274d6 100644
29--- a/avahi-daemon/simple-protocol.c
30+++ b/avahi-daemon/simple-protocol.c
31@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
32 }
33 }
34
35+ if (events & AVAHI_WATCH_HUP) {
36+ client_free(c);
37+ return;
38+ }
39+
40 c->server->poll_api->watch_update(
41 watch,
42 (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
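Review bot: The `return` after `client_free(c)` in the new HUP branch is essential, because the `watch_update()` call that follows dereferences `c`; the branch must never fall through, and as written it does not. One point worth a short in-code comment: the HUP check sits after the read/write handling, so any bytes still pending in `c->outbuf` are dropped rather than flushed when the peer hangs up, which is the intended behaviour for a closed connection but is not obvious from the five added lines alone. The patch header explains the infinite-loop mechanism well (AVAHI_WATCH_IN disabled on a full input buffer, then an unhandled HUP that the kernel keeps reporting), so the change is easy to verify against it.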