Debian Bug report logs - #986018
avahi: CVE-2021-3502: reachable assertion in avahi_s_host_name_resolver_start when trying to resolve badly-formatted hostnames
Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#986018; Package avahi-daemon. (Sat, 27 Mar 2021 22:51:06 GMT)
Acknowledgement sent to Thomas Kremer <bugs.debian@xorg.c-informatik.de>: New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 27 Mar 2021 22:51:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: avahi-daemon
Version: 0.8-5
Severity: important
Tags: security
Control: notfound -1 0.7-4+b1

Dear Maintainers,

I found another local denial-of-service vulnerability in avahi-daemon.
It can be triggered by trying to resolve badly-formatted hostnames on
the /run/avahi-daemon/socket interface (I stumbled upon it, accidentally
trying to resolve an IP as a hostname...)
This time the daemon just dies, and this time buster is not affected.

Steps to reproduce:
$ (echo "RESOLVE-HOSTNAME a"; sleep 3;) | socat - /run/avahi-daemon/socket
$ ps -FC avahi-daemon

Same results for these queries: "a.", ".a", "a..b", ".b.c", "a.b.."

Note that every local user has access to the socket.

Yours
Thomas Kremer
-- System Information:
Debian Release: 10.8
APT prefers stable
APT policy: (700, 'stable'), (500, 'oldoldstable'), (500,
'oldstable'), (450, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN,
TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages avahi-daemon depends on:
ii adduser 3.118
ii bind9-host [host] 1:9.11.5.P4+dfsg-5.1+deb10u3
ii dbus 1.12.20-0+deb10u1
ii init-system-helpers 1.56+nmu1
ii libavahi-common3 0.8-5
ii libavahi-core7 0.8-5
ii libc6 2.28-10
ii libcap2 1:2.25-2
ii libdaemon0 0.14-7
ii libdbus-1-3 1.12.20-0+deb10u1
ii libexpat1 2.2.6-2+deb10u1
ii lsb-base 10.2019051400
Versions of packages avahi-daemon recommends:
ii libnss-mdns 0.14.1-1
Versions of packages avahi-daemon suggests:
pn avahi-autoipd <none>
-- no debconf information
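
The failure class in the report above, a precondition on client-supplied input enforced in a way that ends the whole daemon, contrasted with a handler that rejects the one request: an added illustration, not avahi's code and not part of the thread. The rule in `name_ok` is an assumption built only to reject the six names listed in the report; `handle_resolve` and the status codes are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for a line-based request handler. */
enum status { ST_OK = 0, ST_BAD_REQUEST = -1, ST_BAD_NAME = -2 };

/* Assumed rule (not avahi's): at least two labels, none empty, each at
 * most 63 bytes, no leading or trailing dot. */
static int name_ok(const char *s) {
    size_t label = 0, labels = 0;
    if (!s || !*s || strlen(s) > 253) return 0;
    for (; *s; s++) {
        if (*s == '.') {
            if (label == 0) return 0;   /* ".a", ".b.c", "a..b" */
            labels++;
            label = 0;
        } else if (++label > 63) {
            return 0;
        }
    }
    if (label == 0) return 0;           /* "a.", "a.b.." */
    return labels + 1 >= 2;             /* "a" has a single label */
}

/* Fragile pattern: assert(name_ok(name)) here would abort the process for
 * every client. Hardened pattern: return an error to the one caller. */
enum status handle_resolve(const char *line, char *out, size_t outlen) {
    static const char cmd[] = "RESOLVE-HOSTNAME ";
    const char *name;
    if (!line || !out || outlen == 0) return ST_BAD_REQUEST;
    if (strncmp(line, cmd, sizeof cmd - 1) != 0) return ST_BAD_REQUEST;
    name = line + sizeof cmd - 1;
    if (!name_ok(name)) return ST_BAD_NAME;
    snprintf(out, outlen, "%s", name);
    return ST_OK;
}

int main(void) {
    /* The six names from the report plus one constructed well-formed name. */
    const char *t[] = { "a", "a.", ".a", "a..b", ".b.c", "a.b..", "printer.local" };
    char buf[256], line[300];
    for (size_t i = 0; i < sizeof t / sizeof *t; i++) {
        snprintf(line, sizeof line, "RESOLVE-HOSTNAME %s", t[i]);
        printf("%-16s -> %d\n", t[i], handle_resolve(line, buf, sizeof buf));
    }
    return 0;
}
```
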
Marked as fixed in versions avahi/0.7-4. Request was from Thomas Kremer <bugs.debian@xorg.c-informatik.de> to control@bugs.debian.org. (Sat, 27 Mar 2021 22:57:04 GMT)
No longer marked as fixed in versions avahi/0.7-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 16 Apr 2021 06:57:02 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 16 Apr 2021 06:57:04 GMT)
Changed Bug title to 'avahi: CVE-2021-3502: reachable assertion in avahi_s_host_name_resolver_start when trying to resolve badly-formatted hostnames' from 'avahi-daemon: local DoS (daemon dies) on badly formatted hostname query to /run/avahi-daemon/socket'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 16 Apr 2021 06:57:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#986018; Package avahi-daemon. (Fri, 16 Apr 2021 07:00:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 16 Apr 2021 07:00:02 GMT)
Message #18 received at 986018@bugs.debian.org:
Hi,
On Sat, Mar 27, 2021 at 11:48:08PM +0100, Thomas Kremer wrote:
> Package: avahi-daemon
> Version: 0.8-5
> Severity: important
> Tags: security
> Control: notfound -1 0.7-4+b1
>
> Dear Maintainers,
>
> I found another local denial-of-service vulnerability in avahi-daemon.
> It can be triggered by trying to resolve badly-formatted hostnames on
> the /run/avahi-daemon/socket interface (I stumbled upon it, accidentally
> trying to resolve an IP as a hostname...)
> This time the daemon just dies, and this time buster is not affected.
>
> Steps to reproduce:
> $ (echo "RESOLVE-HOSTNAME a"; sleep 3;) | socat - /run/avahi-daemon/socket
> $ ps -FC avahi-daemon
>
> Same results for these queries: "a.", ".a", "a..b", ".b.c", "a.b.."
>
> Note that every local user has access to the socket.

This is now CVE-2021-3502.

Have you reported the issue to upstream?

Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#986018; Package avahi-daemon. (Fri, 16 Apr 2021 07:06:03 GMT)
Acknowledgement sent to Riccardo Schirone <rschiron@redhat.com>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 16 Apr 2021 07:06:03 GMT)
Message #23 received at 986018@bugs.debian.org:
Red Hat assigned CVE-2021-3502 to this bug.
Some additional information can be found in [1].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1946914
Thanks,
--
Riccardo Schirone
Red Hat -- Product Security
Email: rschiron@redhat.com
PGP-Key ID: CF96E110
Last modified: Fri Apr 16 08:06:42 2021; Machine Name: buxtehude