Debian Bug report logs - #984938
avahi: CVE-2021-3468: local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket
Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#984938; Package avahi-daemon. (Wed, 10 Mar 2021 16:39:04 GMT)
Acknowledgement sent to Thomas Kremer <bugs.debian@xorg.c-informatik.de>: New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 10 Mar 2021 16:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: avahi-daemon
Version: 0.7-4+b1
Severity: important
Tags: security
Dear Maintainers,
I found a local denial-of-service vulnerability in avahi-daemon. It can
be triggered by writing long lines to /run/avahi-daemon/socket and
results in an unresponsive busy-loop of the daemon.
Steps to reproduce:
$ perl -e '$|=1; print "a"x(20*1024+1); sleep 1;' | socat - /run/avahi-daemon/socket
$ top
--> check that avahi-daemon uses 100% CPU, does not react to any valid
requests anymore (at least not using that socket) and does not react to
SIGTERM.
Note that every local user has access to the socket.
Note that in [1], function "client_work()", the code reacts to the
filling of its input buffer with disabling the io-watcher, so the
io-watcher itself must be at fault (though this specific problem could
be fixed in that function by just dropping the whole connection the
moment the buffer fills up).
[1] https://github.com/lathiat/avahi/blob/master/avahi-daemon/simple-protocol.c
Yours
Thomas Kremer
-- System Information:
Debian Release: 10.8
APT prefers stable
APT policy: (700, 'stable'), (500, 'oldoldstable'), (500, 'oldstable'), (450, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages avahi-daemon depends on:
ii adduser 3.118
ii bind9-host [host] 1:9.11.5.P4+dfsg-5.1+deb10u3
ii dbus 1.12.20-0+deb10u1
ii libavahi-common3 0.7-4+b1
ii libavahi-core7 0.7-4+b1
ii libc6 2.28-10
ii libcap2 1:2.25-2
ii libdaemon0 0.14-7
ii libdbus-1-3 1.12.20-0+deb10u1
ii libexpat1 2.2.6-2+deb10u1
ii lsb-base 10.2019051400
Versions of packages avahi-daemon recommends:
ii libnss-mdns 0.14.1-1
Versions of packages avahi-daemon suggests:
pn avahi-autoipd <none>
-- no debconf information
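The mitigation suggested in the report above (drop the connection the moment the input buffer fills, instead of leaving it open with its watch disabled), as an added example that is not part of the original report and not avahi's code. `struct client`, `client_event()` and `feed()` are hypothetical names, and `BUFFER_SIZE` is assumed from the 20*1024+1 byte trigger in the reproduction step.

```c
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define BUFFER_SIZE (20 * 1024) /* assumed from the 20*1024+1 byte trigger */
enum { CLIENT_OK, CLIENT_LINE, CLIENT_DROPPED };
struct client { int fd; char inbuf[BUFFER_SIZE]; size_t len; }; /* hypothetical */

/* One wakeup: every path consumes input or closes the fd, nothing stays pending. */
static int client_event(struct client *c, short revents) {
    if (revents & POLLIN) {
        ssize_t r = read(c->fd, c->inbuf + c->len, sizeof c->inbuf - c->len);
        if (r <= 0) goto drop;                    /* EOF or read error */
        c->len += (size_t)r;
        char *nl = memchr(c->inbuf, '\n', c->len);
        if (nl) {                                 /* complete line: consume it */
            c->len -= (size_t)(nl + 1 - c->inbuf);
            memmove(c->inbuf, nl + 1, c->len);
            return CLIENT_LINE;
        }
        if (c->len == sizeof c->inbuf) goto drop; /* full and still no newline */
        return CLIENT_OK;                         /* partial line, keep waiting */
    }
    if (revents & (POLLHUP | POLLERR | POLLNVAL)) goto drop; /* seen even with events=0 */
    return CLIENT_OK;
drop:
    close(c->fd); c->fd = -1;
    return CLIENT_DROPPED;
}

/* Constructed input: n bytes of 'a' (plus optional newline) sent over a socketpair. */
static int feed(size_t n, int newline) {
    static struct client c; static char msg[BUFFER_SIZE + 2];
    int sv[2], rc = CLIENT_OK, wakeups = 8;
    if (n + 1 > sizeof msg || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    memset(msg, 'a', n);
    if (newline) msg[n++] = '\n';
    c.fd = sv[0]; c.len = 0;
    if (write(sv[1], msg, n) != (ssize_t)n) rc = -1;
    while (rc == CLIENT_OK && wakeups-- > 0) {
        struct pollfd p = { .fd = c.fd, .events = POLLIN };
        if (poll(&p, 1, 100) <= 0) break;         /* nothing pending */
        rc = client_event(&c, p.revents);
    }
    close(sv[1]); if (c.fd >= 0) close(c.fd);
    return rc;
}

int main(void) { return feed(BUFFER_SIZE + 1, 0) == CLIENT_DROPPED ? 0 : 1; }
```

The oversized line ends in a closed descriptor after a bounded number of wakeups, so the event loop has nothing left to spin on for that client.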
Marked as found in versions avahi/0.8-5. Request was from Thomas Kremer <bugs.debian@xorg.c-informatik.de> to control@bugs.debian.org. (Wed, 10 Mar 2021 16:48:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#984938; Package avahi-daemon. (Fri, 26 Mar 2021 11:27:10 GMT)
Acknowledgement sent to Riccardo Schirone <rschiron@redhat.com>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 26 Mar 2021 11:27:10 GMT)
Message #12 received at 984938@bugs.debian.org:
I have requested a CVE through Red Hat.
I'm proposing a patch upstream[1].
Additional details about the flaw at [2].
[1] https://github.com/lathiat/avahi/pull/330
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1939614#c3
Thanks,
--
Riccardo Schirone
Red Hat -- Product Security
Email: rschiron@redhat.com
PGP-Key ID: CF96E110
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#984938; Package avahi-daemon. (Sat, 27 Mar 2021 19:33:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 27 Mar 2021 19:33:14 GMT)
Message #17 received at 984938@bugs.debian.org:
Control: forwarded -1 https://github.com/lathiat/avahi/pull/330
Control: retitle -1 avahi: CVE-2021-3468: local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket
On Fri, Mar 26, 2021 at 12:22:29PM +0100, Riccardo Schirone wrote:
> I have requested a CVE through Red Hat.
>
> I'm proposing a patch upstream[1].
> Additional details about the flaw at [2].
>
> [1] https://github.com/lathiat/avahi/pull/330
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1939614#c3
This has been assigned CVE-2021-3468.
Regards,
Salvatore
Changed Bug title to 'avahi: CVE-2021-3468: local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket' from 'avahi-daemon: local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 984938-submit@bugs.debian.org. (Sat, 27 Mar 2021 19:33:15 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Mar 2021 19:36:04 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Mar 28 14:31:50 2021; Machine Name: buxtehude