Bug 1946914 (CVE-2021-3502)
| Field | Value |
|---|---|
| Summary | CVE-2021-3502 avahi: reachable assertion in avahi_s_host_name_resolver_start when trying to resolve badly-formatted hostnames |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Marian Rehak <mrehak> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | carnil, darunesh, kaycoth, lpoetter, msekleta, pemensik, rdieter |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in avahi. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability. |
| Last Closed | 2021-10-28 12:23:47 UTC |
| Bug Depends On | 1946916, 1949949 |
| Bug Blocks | 1946920, 1950126, 1989383 |

Description
Marian Rehak
2021-04-07 08:57:22 UTC
Created avahi tracking bugs for this issue:

Affects: fedora-all [bug 1946916]

The avahi-daemon Linux service runs on client machines to perform network-based Zeroconf service discovery. Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zeroconf Networking.

avahi running on the client machine, this may affect the openshift product but not the services

Function avahi_s_host_name_resolver_start() in resolve-host-name.c:

```
void avahi_s_host_name_resolver_start(AvahiSHostNameResolver *r) {
    assert(r);
    if(r->record_browser_a)
        avahi_s_record_browser_start_query(r->record_browser_a);
    if(r->record_browser_aaaa)
        avahi_s_record_browser_start_query(r->record_browser_aaaa);
}
```

The assert(r) may trigger when a user passes to RESOLVE-HOSTNAME functionality in /run/avahi-daemon/socket an invalid hostname. Invalid hostnames are determined through function avahi_is_valid_fqdn() in domain.c.

In reply to comment #3:
> The assert(r) may trigger when a user passes to RESOLVE-HOSTNAME functionality
> in /run/avahi-daemon/socket an invalid hostname. Invalid hostnames are
> determined through function avahi_is_valid_fqdn() in domain.c.

The issue can be triggered even through dbus method org.freedesktop.Avahi.Server.ResolveHostName.

If assertions are compiled out, this issue would result in a NULL pointer dereference, which would still constitute a local Denial of Service against the Avahi service.

The vulnerability was introduced in upstream commit https://github.com/lathiat/avahi/commit/80c98fa16782e921f5b5d5c880f1d80f5c43bd49, which was shipped with upstream version 0.8.

Statement:

This issue did not affect the versions of avahi as shipped with Red Hat Enterprise Linux 6, 7, and 8 as they did not include the vulnerable code.

Has this been reported upstream?

@Salvatore No report upstream by me.

(In reply to Marian Rehak from comment #12)
> @Salvatore No report upstream by me.

Okay, I filed a report here https://github.com/lathiat/avahi/issues/338

*** Bug 1989381 has been marked as a duplicate of this bug. ***

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2023:6707 https://access.redhat.com/errata/RHSA-2023:6707
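
The failure pattern discussed in this bug, as an added example that is not Avahi's code or the upstream fix: a prepare step that returns NULL for a rejected hostname, a start step that asserts on its argument, and a caller shown unchecked and then hardened. `Resolver`, `name_is_valid`, `resolver_prepare`, `resolver_start` and both `handle_request_*` functions are hypothetical names, and the validity check is a simplified stand-in for the daemon's real FQDN validation.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a resolver object; not Avahi's real struct. */
typedef struct { char name[256]; int started; } Resolver;

/* Simplified validity check (assumption: the real FQDN validation applies
 * more rules than the empty-label and length limits modelled here). */
static int name_is_valid(const char *s) {
    size_t label = 0, total = 0;
    if (!s || !*s) return 0;
    for (; *s; s++, total++) {
        if (*s == '.') { if (label == 0) return 0; label = 0; }
        else if (++label > 63) return 0;
    }
    return total <= 253;
}

/* Prepare step: returns NULL when the name is rejected or allocation fails. */
Resolver *resolver_prepare(const char *host) {
    Resolver *r = name_is_valid(host) ? calloc(1, sizeof *r) : NULL;
    if (r) strncpy(r->name, host, sizeof r->name - 1);
    return r;
}

/* Start step with the precondition from the report: r must not be NULL. */
void resolver_start(Resolver *r) {
    assert(r);
    r->started = 1;
}

/* Unchecked caller: a rejected name aborts here, or is a NULL dereference
 * inside resolver_start() when assertions are compiled out (NDEBUG). */
int handle_request_unchecked(const char *host) {
    Resolver *r = resolver_prepare(host);
    resolver_start(r);              /* r may be NULL */
    free(r);
    return 0;
}

/* Hardened caller: a rejected name becomes an error return (-1) that the
 * service can turn into an error reply; the process keeps running. */
int handle_request_checked(const char *host) {
    Resolver *r = resolver_prepare(host);
    if (!r) return -1;
    resolver_start(r);
    free(r);
    return 0;
}
```

The assertion stays in `resolver_start()` as an internal invariant; the hardening is that client-supplied input can no longer reach it.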