A local DoS in avahi-daemon that can be triggered by trying to resolve badly-formatted hostnames on the /run/avahi-daemon/socket interface. References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986018
Created avahi tracking bugs for this issue: Affects: fedora-all [bug 1946916]
The avahi-daemon Linux service runs on client machines to perform network-based Zeroconf service discovery. Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zeroconf Networking. Since avahi runs on the client machine, this may affect the OpenShift product but not the services.
Function avahi_s_host_name_resolver_start() in resolve-host-name.c:

```c
void avahi_s_host_name_resolver_start(AvahiSHostNameResolver *r) {
    assert(r);    /* aborts the daemon if a NULL resolver is passed in */

    if (r->record_browser_a)
        avahi_s_record_browser_start_query(r->record_browser_a);

    if (r->record_browser_aaaa)
        avahi_s_record_browser_start_query(r->record_browser_aaaa);
}
```

The assert(r) may trigger when a user passes an invalid hostname to the RESOLVE-HOSTNAME functionality on /run/avahi-daemon/socket. Invalid hostnames are determined through function avahi_is_valid_fqdn() in domain.c.
In reply to comment #3:
> The assert(r) may trigger when a user passes an invalid hostname to the RESOLVE-HOSTNAME functionality
> on /run/avahi-daemon/socket. Invalid hostnames are
> determined through function avahi_is_valid_fqdn() in domain.c.

The issue can also be triggered through the D-Bus method org.freedesktop.Avahi.Server.ResolveHostName.
If assertions are compiled out, this issue would result in a NULL pointer dereference, which would still constitute a local Denial of Service against the Avahi service.
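The failure mode described in the comments above, as an added C example that is not avahi's code: a resolver constructor that hands back NULL for a hostname failing validation, and a start routine that asserts on (or, with NDEBUG, dereferences) that NULL, next to a request path that rejects the bad name before the handle is ever created. The example_* names, the ExampleResolver structure and the simplified hostname check are assumptions standing in for avahi_is_valid_fqdn(), the daemon's resolver constructor and its real data structures; the assumption that the constructor returns NULL on an invalid name is what makes the assert(r) reachable in this model.

```c
/* Added example, not avahi's code. It models the failure mode discussed above:
 * a resolver constructor that returns NULL for an invalid hostname, and a
 * start() routine that asserts on its argument (with NDEBUG the assert
 * disappears and the same call becomes a NULL pointer dereference). The
 * example_* names and the simplified hostname check are assumptions, not
 * avahi's real avahi_is_valid_fqdn() or resolver constructor. */
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct ExampleResolver {
    char name[256];   /* validated name, at most 253 chars */
    int started;
} ExampleResolver;

/* Simplified FQDN check (a stand-in for avahi_is_valid_fqdn(), not a copy):
 * 1..253 chars, dot-separated labels of 1..63 chars from [A-Za-z0-9-],
 * no label starting or ending with '-', no empty labels, one optional
 * trailing dot. Returns 1 if valid, 0 otherwise. */
int example_is_valid_fqdn(const char *s) {
    size_t len, label = 0;
    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i <= len; i++) {
        char c = s[i];
        if (c == '.' || c == '\0') {
            if (label == 0) {
                /* the only empty label allowed is the one after a trailing dot */
                if (c == '\0' && i > 0 && s[i - 1] == '.') break;
                return 0;
            }
            if (label > 63 || s[i - 1] == '-') return 0;
            label = 0;
        } else {
            if (!isalnum((unsigned char)c) && c != '-') return 0;
            if (label == 0 && c == '-') return 0;
            label++;
        }
    }
    return 1;
}

/* Constructor: returns NULL when the name does not validate (assumed here to
 * mirror the daemon's behaviour for invalid hostnames). */
ExampleResolver *example_resolver_new(const char *name) {
    ExampleResolver *r;
    if (!example_is_valid_fqdn(name)) return NULL;
    r = calloc(1, sizeof *r);
    if (r == NULL) return NULL;
    strncpy(r->name, name, sizeof r->name - 1);
    return r;
}

/* Same shape as avahi_s_host_name_resolver_start(): the caller is trusted to
 * pass a valid object. With assertions on, a NULL r aborts the process; with
 * NDEBUG it dereferences NULL. Either way the daemon dies. */
void example_resolver_start(ExampleResolver *r) {
    assert(r);
    r->started = 1;
}

/* Vulnerable request path: the handle is forwarded unchecked, so an invalid
 * name from an unprivileged local client kills the service. Deliberately not
 * called with invalid input below. */
ExampleResolver *example_resolve_hostname_unchecked(const char *name) {
    ExampleResolver *r = example_resolver_new(name);
    example_resolver_start(r);   /* crashes when r == NULL */
    return r;
}

/* Hardened request path: validate at the request boundary and turn a bad
 * name into an error reply, never into a NULL handed to start().
 * Returns 0 and sets *out on success, -1 with *out == NULL on rejection. */
int example_resolve_hostname(const char *name, ExampleResolver **out) {
    ExampleResolver *r;
    *out = NULL;
    if (!example_is_valid_fqdn(name)) return -1;   /* reject, keep serving */
    r = example_resolver_new(name);
    if (r == NULL) return -1;                      /* allocation failure */
    example_resolver_start(r);
    *out = r;
    return 0;
}

int main(void) {
    /* constructed inputs: one well-formed name, two malformed ones */
    const char *inputs[] = { "printer.local", "bad..name", "-x.local" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        ExampleResolver *r = NULL;
        int rc = example_resolve_hostname(inputs[i], &r);
        printf("%-16s -> %s\n", inputs[i], rc == 0 ? "resolver started" : "rejected");
        free(r);
    }
    return 0;
}
```

The point of the hardened path is where the check lives: an assert in a library routine documents a contract between internal callers, so a request arriving over a socket or D-Bus has to be validated by the request handler before any internal object is constructed or started, or the contract violation becomes a remote-to-the-daemon crash.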
The vulnerability was introduced in upstream commit https://github.com/lathiat/avahi/commit/80c98fa16782e921f5b5d5c880f1d80f5c43bd49, which was shipped with upstream version 0.8.
Statement: This issue did not affect the versions of avahi as shipped with Red Hat Enterprise Linux 6, 7, and 8 as they did not include the vulnerable code.
Has this been reported upstream?
@Salvatore No report upstream by me.
(In reply to Marian Rehak from comment #12)
> @Salvatore No report upstream by me.

Okay, I filed a report here: https://github.com/lathiat/avahi/issues/338
*** Bug 1989381 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6707 https://access.redhat.com/errata/RHSA-2023:6707