Bug 475394

Summary: avahi-daemon Port Zero Remote Denial of Service Vulnerability
Product: Fedora
Reporter: Hugo Dias <hdias>
Component: avahi
Assignee: Lennart Poettering <lpoetter>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 10
CC: hdias, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-12-18 07:13:11 UTC
Bug Blocks: 475964

Attachments:
  Proof of Concept (flags: none)

Description Hugo Dias 2008-12-09 02:16:17 UTC
Created attachment 326249: Proof of Concept

Description of problem:

A vulnerability exists in avahi-daemon which can be exploited to cause a remote Denial of Service.

avahi-core/server.c, lines 828-831:

```c
static int originates_from_local_legacy_unicast_socket(...)
    assert(s);
    assert(address);
    assert(port > 0);
```

The "assert(port > 0)" line will cause avahi-daemon to terminate
with SIGABORT if a crafted mDNS packet is sent with source port zero.

Sending the packet to a multicast address will terminate all avahi
daemons in the network (eg. 224.0.0.251).

Version-Release number of selected component (if applicable):

avahi-0.6.22-11.fc10

How reproducible:

Please see attached

Steps to Reproduce:

Please see attached
  
Actual results:

Avahi-daemon terminates with SIGABORT

Expected results:

Not terminating

Additional info:

I'm not sure if I can report this issue here or I should contact avahi maintainers directly. If this is the case please let me know.
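
The defect the report describes, an assert() guarding a value read straight off the network, shown beside a form that validates the port and drops the datagram instead. This is an added illustration in C written for this page; it is not Avahi's code and not the attached proof of concept. The struct, enum, function names and sample addresses are constructed for the example, and the only real value it relies on is the mDNS port 5353.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the metadata a server has about a received
 * datagram; these are not Avahi's types. */
struct dgram_info {
    const char *src_addr;   /* textual source address (constructed) */
    uint16_t    src_port;   /* UDP source port as carried in the datagram */
    size_t      len;        /* payload length */
};

/* The pattern from the report: assert() applied to remote input.
 * A datagram whose source port is 0 fails the assertion, assert()
 * calls abort(), and the whole daemon dies (SIGABRT). Only safe to
 * call on input already known to have a non-zero port. */
static int originates_from_legacy_unicast_vulnerable(const struct dgram_info *d)
{
    assert(d);
    assert(d->src_port > 0);          /* remote input, not a program invariant */
    return d->src_port != 5353;       /* anything but the mDNS port is legacy unicast */
}

/* Hardened form: the port is untrusted input, so an invalid value is a
 * distinct verdict the caller can act on, never an assertion. */
enum dgram_verdict {
    DGRAM_DROP_BAD_PORT = -1,
    DGRAM_MULTICAST     = 0,
    DGRAM_LEGACY_UNICAST = 1
};

static enum dgram_verdict classify_source_port(uint16_t src_port)
{
    if (src_port == 0)
        return DGRAM_DROP_BAD_PORT;   /* reject the datagram, keep the daemon alive */
    return src_port == 5353 ? DGRAM_MULTICAST : DGRAM_LEGACY_UNICAST;
}

/* Process a batch of datagrams. A port-0 datagram is logged and skipped;
 * the datagrams after it are still handled. Returns the number handled
 * and reports the number dropped through *dropped. */
static int process_batch(const struct dgram_info *pkts, size_t n, int *dropped)
{
    int handled = 0;
    *dropped = 0;
    for (size_t i = 0; i < n; i++) {
        enum dgram_verdict v = classify_source_port(pkts[i].src_port);
        if (v == DGRAM_DROP_BAD_PORT) {
            fprintf(stderr, "dropping datagram from %s: invalid source port 0\n",
                    pkts[i].src_addr);
            (*dropped)++;
            continue;
        }
        handled++;
    }
    return handled;
}

/* Constructed sample traffic: two ordinary datagrams with one crafted
 * port-0 datagram between them. */
static int run_constructed_batch(int *dropped)
{
    const struct dgram_info pkts[] = {
        { "192.0.2.10", 5353,  64 },   /* normal multicast query */
        { "192.0.2.20", 0,     64 },   /* crafted: source port zero */
        { "192.0.2.30", 41234, 64 },   /* legacy unicast query */
    };
    return process_batch(pkts, sizeof pkts / sizeof pkts[0], dropped);
}

int main(void)
{
    int dropped = 0;
    int handled = run_constructed_batch(&dropped);
    printf("handled=%d dropped=%d\n", handled, dropped);   /* handled=2 dropped=1 */

    /* The assert-based variant is only exercised on a datagram with a valid port. */
    const struct dgram_info ok = { "192.0.2.40", 41234, 64 };
    return originates_from_legacy_unicast_vulnerable(&ok) == 1 ? 0 : 1;
}
```

The point of the hardened form is that the validation result is returned to the caller rather than enforced with assert(): one bad datagram costs one dropped packet instead of the process. This matters more than usual here because the daemon listens on a multicast group, so a single crafted datagram reaches every instance on the link at once.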

Comment 1 Lennart Poettering 2008-12-09 10:12:04 UTC
I am the Avahi maintainer upstream, too. I'll handle it. Thanks.

Comment 2 Tomas Hoger 2008-12-10 15:55:05 UTC
Hugo, thank you for the report.  Apart from the official upstream fix Lennart will come up with, I have some questions related to the process of handling this security flaw:

- I presume issue is not public, but you plan to publish some sort of advisory for this issue, once it is fixed upstream.  Have you requested a CVE id for it?  If not, we can assign one.

- Can we share information about this flaw (possibly including your PoC) with other open source software vendors via non-public channels prior to the official public announcement?  This is commonly done to give vendors time to work on updates to minimize users' exposure.  We can propagate that info on your behalf, or you can let security teams of other vendors know via the vendor-sec mailing list:
  http://oss-security.openwall.org/wiki/mailing-lists/vendor-sec

- Can we credit you for discovery of this vulnerability in the security advisories?

Comment 3 Hugo Dias 2008-12-10 17:49:19 UTC
Tomas,

- You're correct, it's not public. I will wait until it's fixed. I didn't request a CVE id, please assign one.

- You can share all info with vendorsec. 

- Yes, please credit me for the discovery. This is my main goal.

Please let me know if you need any further info.

Thanks,

Hugo Dias

Comment 4 Tomas Hoger 2008-12-11 10:07:50 UTC
reflect_legacy_unicast_query_packet has a similar assert.  Lennart, is that one safe or does it need to be addressed as well?

Comment 5 Lennart Poettering 2008-12-12 18:32:08 UTC
This is the fix BTW:

http://git.0pointer.de/?p=avahi.git;a=commit;h=3093047f1aa36bed8a37fa79004bf0ee287929f4

It should fix both the original issue and the issue pointed out by thoger at the same time.

I've tested this against the perl script. Seems to work fine.

Comment 6 Lennart Poettering 2008-12-13 11:01:45 UTC
Hmm, bug 475964 now lists the CVE that has been assigned.

Comment 7 Lennart Poettering 2008-12-13 11:11:17 UTC
This bug is now fixed in Rawhide as part of a larger update of the Avahi packages.

Tomas, how should I proceed from now? Normally I'd simply cherry pick the necessary patches from the new rawhide packages and backport them to the F10 versions and mention the CVE in the changes section. Anything else I need to do on my side to get the bug fixed for F10 following the appropriate security bureaucracy?

Next would then be dealing with RHEL as well.

Comment 8 Tomas Hoger 2008-12-14 10:41:14 UTC
(In reply to comment #5)
> http://git.0pointer.de/?p=avahi.git;a=commit;h=3093047f1aa36bed8a37fa79004bf0ee287929f4

Commit log is not quite obvious about the security implications of the flaw, but the announcement of 0.6.24 is:
  http://avahi.org/milestone/Avahi%200.6.24

So I consider this public now.

(In reply to comment #7)
> Tomas, how should I proceed from now? Normally I'd simply cherry pick the
> necessary patches from the new rawhide packages and backport them to the F10
> versions and mention the CVE in the changes section.

For Fedora, you can choose whether backport or rebase makes more sense.  Please only refer to #475964 in the Bodhi update request.

> Anything else I need to do on my side to get the bug fixed for F10 following
> the appropriate security bureaucracy?

Mentioning CVE id in the changelog is preferred.  As this is public now, there's not much security bureaucracy left.  Only update process bureaucracy.

> Next would then be dealing with RHEL as well.

I'll help you deal with this tomorrow.

Comment 9 Lennart Poettering 2008-12-14 19:28:41 UTC
(In reply to comment #8)
> (In reply to comment #5)
> > http://git.0pointer.de/?p=avahi.git;a=commit;h=3093047f1aa36bed8a37fa79004bf0ee287929f4
> 
> Commit log is not quite obvious about the security implications of the flaw,
> but the announcement of 0.6.24 is:
>   http://avahi.org/milestone/Avahi%200.6.24

I deliberately tried to stay a little bit vague on what is actually going on.

> 
> (In reply to comment #7)
> > Tomas, how should I proceed from now? Normally I'd simply cherry pick the
> > necessary patches from the new rawhide packages and backport them to the F10
> > versions and mention the CVE in the changes section.
> 
> For Fedora, you can choose whether backport or rebase makes more sense.  Please
> only refer to #475964 in the Bodhi update request.

Will do.

Comment 11 Tomas Hoger 2008-12-19 08:41:20 UTC
Opening bug, all info is public now via:
  http://www.synchlabs.com/advisories/200812-1.htm

Comment 12 Lennart Poettering 2009-03-31 23:46:24 UTC
There's now a fix for this committed upstream (same as original debian fix).

http://git.0pointer.de/?p=avahi.git;a=commit;h=6fabf9d5189cf0efb86af1cd57e5399f8e31112a

Comment 13 Lennart Poettering 2009-04-20 16:37:47 UTC
avahi-0.6.25 which I uploaded a week or two ago fixes this issue btw.

Comment 14 Bug Zapper 2009-11-18 09:39:26 UTC
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 15 Bug Zapper 2009-12-18 07:13:11 UTC
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.