2 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi.inc b/meta/recipes-connectivity/avahi/avahi.inc
index 6acedb5412..25bb41b738 100644
--- a/meta/recipes-connectivity/avahi/avahi.inc
+++ b/meta/recipes-connectivity/avahi/avahi.inc
@@ -21,6 +21,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
 SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
           file://fix-CVE-2017-6519.patch \
+           file://CVE-2021-3468.patch \
           "
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
new file mode 100644
index 0000000000..638a1f6071
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
@@ -0,0 +1,42 @@
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <sirmy15@gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+Upstream-Status: Backport
+CVE: CVE-2021-3468
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
+++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+         }
+     }
+ 
+    if (events & AVAHI_WATCH_HUP) {
+        client_free(c);
+        return;
+    }
+
+     c->server->poll_api->watch_update(
+         watch,
+         (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |

diff --git a/meta/recipes-connectivity/avahi/avahi.inc b/meta/recipes-connectivity/avahi/avahi.inc index 6acedb5412..25bb41b738 100644 --- a/meta/recipes-connectivity/avahi/avahi.inc +++ b/meta/recipes-connectivity/avahi/avahi.inc
@@ -21,6 +21,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
21		21
22	SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \	22	SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
23	file://fix-CVE-2017-6519.patch \	23	file://fix-CVE-2017-6519.patch \
		24	file://CVE-2021-3468.patch \
24	"	25	"
25		26
26	UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"	27	UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"


diff --git a/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch new file mode 100644 index 0000000000..638a1f6071 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
@@ -0,0 +1,42 @@
		1	From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
		2	From: Riccardo Schirone <sirmy15@gmail.com>
		3	Date: Fri, 26 Mar 2021 11:50:24 +0100
		4	Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
		5	client_work
		6
		7	If a client fills the input buffer, client_work() disables the
		8	AVAHI_WATCH_IN event, thus preventing the function from executing the
		9	`read` syscall the next times it is called. However, if the client then
		10	terminates the connection, the socket file descriptor receives a HUP
		11	event, which is not handled, thus the kernel keeps marking the HUP event
		12	as occurring. While iterating over the file descriptors that triggered
		13	an event, the client file descriptor will keep having the HUP event and
		14	the client_work() function is always called with AVAHI_WATCH_HUP but
		15	without nothing being done, thus entering an infinite loop.
		16
		17	See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
		18
		19	Upstream-Status: Backport
		20	CVE: CVE-2021-3468
		21	Signed-off-by: Steve Sakoman <steve@sakoman.com>
		22
		23	---
		24	avahi-daemon/simple-protocol.c \| 5 +++++
		25	1 file changed, 5 insertions(+)
		26
		27	diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
		28	index 3e0ebb11..6c0274d6 100644
		29	--- a/avahi-daemon/simple-protocol.c
		30	+++ b/avahi-daemon/simple-protocol.c
		31	@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
		32	}
		33	}
		34
		35	+ if (events & AVAHI_WATCH_HUP) {
		36	+ client_free(c);
		37	+ return;
		38	+ }
		39	+
		40	c->server->poll_api->watch_update(
		41	watch,
		42	(c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) \|