Bug 475394
| Field | Value |
|---|---|
| Summary | avahi-daemon Port Zero Remote Denial of Service Vulnerability |
| Product | Fedora |
| Component | avahi |
| Version | 10 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED WONTFIX |
| Severity | high |
| Priority | low |
| Reporter | Hugo Dias <hdias> |
| Assignee | Lennart Poettering <lpoetter> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | hdias, security-response-team |
| Keywords | Security |
| Doc Type | Bug Fix |
| Bug Blocks | 475964 |
| Last Closed | 2009-12-18 07:13:11 UTC |

Comment #1: I am the Avahi maintainer upstream, too. I'll handle it. Thanks.

Comment #2: Hugo, thank you for the report. Apart from the official upstream fix Lennart will come up with, I have some questions related to the process of handling this security flaw:

- I presume the issue is not public, but you plan to publish some sort of advisory for this issue once it is fixed upstream. Have you requested a CVE id for it? If not, we can assign one.
- Can we share information about this flaw (possibly including your PoC) with other open source software vendors via non-public channels prior to the official public announcement? This is commonly done to give vendors time to work on updates to minimize users' exposure. We can propagate that info on your behalf, or you can let security teams of other vendors know via the vendor-sec mailing list: http://oss-security.openwall.org/wiki/mailing-lists/vendor-sec
- Can we credit you for discovery of this vulnerability in the security advisories?

Comment #3: Tomas,

- You're correct, it's not public. I will wait until it's fixed. I didn't request a CVE id, please assign one.
- You can share all info with vendor-sec.
- Yes, please credit me for the discovery. This is my main goal.

Please let me know if you need any further info.

Thanks,
Hugo Dias

Comment #4: reflect_legacy_unicast_query_packet has a similar assert. Lennart, is that one safe or does it need to be addressed as well?

Comment #5: This is the fix BTW: http://git.0pointer.de/?p=avahi.git;a=commit;h=3093047f1aa36bed8a37fa79004bf0ee287929f4

It should fix both the original issue and the issue pointed out by thoger at the same time. I've tested this against the perl script. Seems to work fine.

Comment #6: Hmm, bug 475964 now lists the CVE that has been assigned.

Comment #7: This bug is now fixed in Rawhide as part of a larger update of the Avahi packages. Tomas, how should I proceed from now? Normally I'd simply cherry pick the necessary patches from the new rawhide packages and backport them to the F10 versions and mention the CVE in the changes section.

Anything else I need to do on my side to get the bug fixed for F10 following the appropriate security bureaucracy? Next would then be dealing with RHEL as well.

Comment #8: (In reply to comment #5)
> http://git.0pointer.de/?p=avahi.git;a=commit;h=3093047f1aa36bed8a37fa79004bf0ee287929f4

Commit log is not quite obvious about the security implications of the flaw, but the announcement of 0.6.24 is: http://avahi.org/milestone/Avahi%200.6.24

So I consider this public now.

(In reply to comment #7)
> Tomas, how should I proceed from now? Normally I'd simply cherry pick the
> necessary patches from the new rawhide packages and backport them to the F10
> versions and mention the CVE in the changes section.

For Fedora, you can choose whether backport or rebase makes more sense. Please only refer to #475964 in the Bodhi update request.

> Anything else I need to do on my side to get the bug fixed for F10 following
> the appropriate security bureaucracy?

Mentioning the CVE id in the changelog is preferred. As this is public now, there's not much security bureaucracy left. Only update process bureaucracy.

> Next would then be dealing with RHEL as well.

I'll help you deal with this tomorrow.

Comment #9: (In reply to comment #8)
> (In reply to comment #5)
> > http://git.0pointer.de/?p=avahi.git;a=commit;h=3093047f1aa36bed8a37fa79004bf0ee287929f4
>
> Commit log is not quite obvious about the security implications of the flaw,
> but the announcement of 0.6.24 is:
> http://avahi.org/milestone/Avahi%200.6.24

I deliberately tried to stay a little bit vague on what is actually going on.

> (In reply to comment #7)
> > Tomas, how should I proceed from now? Normally I'd simply cherry pick the
> > necessary patches from the new rawhide packages and backport them to the F10
> > versions and mention the CVE in the changes section.
>
> For Fedora, you can choose whether backport or rebase makes more sense. Please
> only refer to #475964 in the Bodhi update request.

Will do.

Comment #10: Opening bug, all info is public now via: http://www.synchlabs.com/advisories/200812-1.htm

Comment #11: There's now a fix for this committed upstream (same as original Debian fix). http://git.0pointer.de/?p=avahi.git;a=commit;h=6fabf9d5189cf0efb86af1cd57e5399f8e31112a

Comment #12: avahi-0.6.25 which I uploaded a week or two ago fixes this issue btw.

Comment #13: This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment #14: Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Description (comment #0): Created attachment 326249 [details]: Proof of Concept

Description of problem:

A vulnerability exists in avahi-daemon which can be exploited to cause a remote Denial of Service.

```
avahi-core/server.c:

828: static int originates_from_local_legacy_unicast_socket(...)
829:     assert(s);
830:     assert(address);
831:     assert(port > 0);
```

The "assert(port > 0)" line will cause avahi-daemon to terminate with SIGABORT if a crafted mDNS packet is sent with source port zero. Sending the packet to a multicast address (e.g. 224.0.0.251) will terminate all avahi daemons in the network.

Version-Release number of selected component (if applicable): avahi-0.6.22-11.fc10

How reproducible: Please see attached

Steps to Reproduce: Please see attached

Actual results: avahi-daemon terminates with SIGABORT

Expected results: Not terminating

Additional info: I'm not sure if I can report this issue here or if I should contact the avahi maintainers directly. If this is the case please let me know.
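As an added defensive illustration (not avahi's code and not the upstream fix, whose contents this page does not show), the check quoted above rewritten so that a datagram with source port 0 is dropped instead of aborting the daemon. The `endpoint` type, the function names and the sample addresses and ports are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not avahi's code. It models the check quoted in the
 * report: avahi-daemon asserted that a datagram's sender port was nonzero, so a
 * single packet with UDP source port 0 aborted the whole process. */

#define MDNS_PORT 5353

typedef struct {
    uint32_t ipv4;  /* address in host byte order (IPv4 only, for brevity) */
    uint16_t port;  /* UDP port; for a received datagram this is attacker-controlled */
} endpoint;

enum verdict { DROP_INVALID = -1, NOT_LOCAL = 0, LOCAL = 1 };

/* Hardened form of the check: s is our own legacy-unicast socket, src the sender.
 * The original used assert(port > 0); here an impossible sender port is a reason
 * to drop the packet, never a reason to abort the daemon. */
static int originates_from_local_legacy_unicast_socket(const endpoint *s, const endpoint *src)
{
    if (!s || !src)
        return DROP_INVALID;
    if (src->port == 0)          /* was: assert(port > 0) -> SIGABRT */
        return DROP_INVALID;
    return (s->ipv4 == src->ipv4 && s->port == src->port) ? LOCAL : NOT_LOCAL;
}

/* Receive path over a batch of datagrams: invalid ones are counted and ignored,
 * the rest continue to normal mDNS processing. Returns how many were dropped. */
static unsigned count_dropped(const endpoint *s, const endpoint *pkts, size_t n)
{
    unsigned dropped = 0;
    for (size_t i = 0; i < n; i++)
        if (originates_from_local_legacy_unicast_socket(s, &pkts[i]) == DROP_INVALID)
            dropped++;
    return dropped;
}

int main(void)
{
    /* Constructed sample: one ordinary query, one crafted packet with source port 0. */
    endpoint me = { 0x0a000001u, 32768 };
    endpoint pkts[] = { { 0xc0a80105u, MDNS_PORT }, { 0xc0a80105u, 0 } };
    printf("dropped %u of 2 datagrams\n", count_dropped(&me, pkts, 2));
    return 0;
}
```

The same rule applies to any other field taken from the wire (comment #4 names a second assert of this kind): validate and drop, and reserve assert() for invariants the daemon itself controls.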