avahi: CVE-2021-3502: reachable assertion in avahi_s_host_name_resolver_start when trying to resolve badly-formatted hostnames

Related Vulnerabilities: CVE-2021-3502  

Debian Bug report logs - #986018

Reported by: Thomas Kremer <bugs.debian@xorg.c-informatik.de>

Date: Sat, 27 Mar 2021 22:51:04 UTC

Severity: important

Tags: security, upstream

Found in version avahi/0.8-5



Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#986018; Package avahi-daemon. (Sat, 27 Mar 2021 22:51:06 GMT)


Acknowledgement sent to Thomas Kremer <bugs.debian@xorg.c-informatik.de>:
New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 27 Mar 2021 22:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Kremer <bugs.debian@xorg.c-informatik.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: avahi-daemon: local DoS (daemon dies) on badly formatted hostname query to /run/avahi-daemon/socket
Date: Sat, 27 Mar 2021 23:48:08 +0100
Package: avahi-daemon
Version: 0.8-5
Severity: important
Tags: security
Control: notfound -1 0.7-4+b1

Dear Maintainers,

I found another local denial-of-service vulnerability in avahi-daemon.
It can be triggered by trying to resolve badly-formatted hostnames on
the /run/avahi-daemon/socket interface (I stumbled upon it, accidentally
trying to resolve an IP as a hostname...)
This time the daemon just dies, and this time buster is not affected.

Steps to reproduce:
  $ (echo "RESOLVE-HOSTNAME a"; sleep 3;) | socat - /run/avahi-daemon/socket
  $ ps -FC avahi-daemon

Same results for these queries: "a.", ".a", "a..b", ".b.c", "a.b.."

Note that every local user has access to the socket.


Yours
Thomas Kremer


-- System Information:
Debian Release: 10.8
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'oldoldstable'), (500,
'oldstable'), (450, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN,
TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages avahi-daemon depends on:
ii  adduser              3.118
ii  bind9-host [host]    1:9.11.5.P4+dfsg-5.1+deb10u3
ii  dbus                 1.12.20-0+deb10u1
ii  init-system-helpers  1.56+nmu1
ii  libavahi-common3     0.8-5
ii  libavahi-core7       0.8-5
ii  libc6                2.28-10
ii  libcap2              1:2.25-2
ii  libdaemon0           0.14-7
ii  libdbus-1-3          1.12.20-0+deb10u1
ii  libexpat1            2.2.6-2+deb10u1
ii  lsb-base             10.2019051400

Versions of packages avahi-daemon recommends:
ii  libnss-mdns  0.14.1-1

Versions of packages avahi-daemon suggests:
pn  avahi-autoipd  <none>

-- no debconf information
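An added example, not code from avahi or from this bug log: one way a daemon can answer such names with an error result at the socket boundary instead of reaching an assertion. The function names, the length limits and the acceptance rule (at least two non-empty labels, an optional single trailing dot, no IPv4 literal) are assumptions, chosen so that the six names in the report and an address given as a hostname are all refused.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#define NAME_MAX_LEN  255   /* assumed limits (the usual DNS ones) */
#define LABEL_MAX_LEN 63
enum name_status { NAME_OK, NAME_EMPTY_LABEL, NAME_TOO_FEW_LABELS,
                   NAME_TOO_LONG, NAME_IS_ADDRESS };

/* Classify a client-supplied name. Every outcome is a return value, so
 * malformed input is answered with an error and never reaches an assert(). */
enum name_status check_host_name(const char *name) {
    size_t len = strlen(name), labels = 0, cur = 0;
    struct in_addr v4;
    if (len > NAME_MAX_LEN) return NAME_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '.') {   /* a dot must close a non-empty label */
            if (cur == 0) return NAME_EMPTY_LABEL;  /* ".a" "a..b" "a.b.." */
            labels++;
            cur = 0;
        } else if (++cur > LABEL_MAX_LEN) {
            return NAME_TOO_LONG;
        }
    }
    if (cur > 0) labels++;                          /* last label, no trailing dot */
    if (labels < 2) return NAME_TOO_FEW_LABELS;     /* "a", "a.", "" */
    if (inet_pton(AF_INET, name, &v4) == 1) return NAME_IS_ADDRESS;
    return NAME_OK;
}

/* Hypothetical handler for one request line: 1 = the resolver may start. */
int accept_resolve_request(const char *line) {
    static const char cmd[] = "RESOLVE-HOSTNAME ";
    char name[NAME_MAX_LEN + 1];
    if (strncmp(line, cmd, sizeof cmd - 1) != 0) return 0;
    line += sizeof cmd - 1;
    size_t n = strcspn(line, "\r\n");               /* drop the line terminator */
    if (n >= sizeof name) return 0;
    memcpy(name, line, n);
    name[n] = '\0';
    return check_host_name(name) == NAME_OK;
}

int main(void) {
    const char *t[] = { "a", "a.", ".a", "a..b", ".b.c", "a.b..", /* from the report */
                        "printer.local", "192.0.2.7" };   /* constructed controls */
    for (size_t i = 0; i < sizeof t / sizeof *t; i++)
        printf("%-14s -> %d\n", t[i], (int)check_host_name(t[i]));
    return 0;
}
```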



Marked as fixed in versions avahi/0.7-4. Request was from Thomas Kremer <bugs.debian@xorg.c-informatik.de> to control@bugs.debian.org. (Sat, 27 Mar 2021 22:57:04 GMT)


No longer marked as fixed in versions avahi/0.7-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 16 Apr 2021 06:57:02 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 16 Apr 2021 06:57:04 GMT)


Changed Bug title to 'avahi: CVE-2021-3502: reachable assertion in avahi_s_host_name_resolver_start when trying to resolve badly-formatted hostnames' from 'avahi-daemon: local DoS (daemon dies) on badly formatted hostname query to /run/avahi-daemon/socket'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 16 Apr 2021 06:57:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#986018; Package avahi-daemon. (Fri, 16 Apr 2021 07:00:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 16 Apr 2021 07:00:02 GMT)


Message #18 received at 986018@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Kremer <bugs.debian@xorg.c-informatik.de>, 986018@bugs.debian.org
Subject: Re: Bug#986018: avahi-daemon: local DoS (daemon dies) on badly formatted hostname query to /run/avahi-daemon/socket
Date: Fri, 16 Apr 2021 08:57:17 +0200

Hi,

On Sat, Mar 27, 2021 at 11:48:08PM +0100, Thomas Kremer wrote:
> Package: avahi-daemon
> Version: 0.8-5
> Severity: important
> Tags: security
> Control: notfound -1 0.7-4+b1
> 
> Dear Maintainers,
> 
> I found another local denial-of-service vulnerability in avahi-daemon.
> It can be triggered by trying to resolve badly-formatted hostnames on
> the /run/avahi-daemon/socket interface (I stumbled upon it, accidentally
> trying to resolve an IP as a hostname...)
> This time the daemon just dies, and this time buster is not affected.
> 
> Steps to reproduce:
>   $ (echo "RESOLVE-HOSTNAME a"; sleep 3;) | socat - /run/avahi-daemon/socket
>   $ ps -FC avahi-daemon
> 
> Same results for these queries: "a.", ".a", "a..b", ".b.c", "a.b.."
> 
> Note that every local user has access to the socket.

This is now CVE-2021-3502.

Have you reported the issue to upstream?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#986018; Package avahi-daemon. (Fri, 16 Apr 2021 07:06:03 GMT)


Acknowledgement sent to Riccardo Schirone <rschiron@redhat.com>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 16 Apr 2021 07:06:03 GMT)


Message #23 received at 986018@bugs.debian.org:

From: Riccardo Schirone <rschiron@redhat.com>
To: 986018@bugs.debian.org
Subject: avahi-daemon: local DoS (daemon dies) on badly formatted hostname query to /run/avahi-daemon/socket
Date: Fri, 16 Apr 2021 08:56:27 +0200

Red Hat assigned CVE-2021-3502 to this bug.
Some additional information can be found in [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1946914

Thanks,
-- 
Riccardo Schirone
Red Hat -- Product Security
Email: rschiron@redhat.com
PGP-Key ID: CF96E110


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 16 08:06:42 2021; Machine Name: buxtehude
