Red Hat Bugzilla – Bug 475394
avahi-daemon Port Zero Remote Denial of Service Vulnerability
Last modified: 2009-12-18 02:13:11 EST
Created attachment 326249 [details]
Proof of Concept
Description of problem:
A vulnerabilty exists in avahi-daemon which can be exploited by
to cause a remote Denial of Service.
828: static int originates_from_local_legacy_unicast_socket(...)
831: assert(port > 0);
The "assert(port > 0)" line will cause avahi-daemon to terminate
with SIGABORT if a crafted mDNS packet is sent with source port zero.
Sending the packet to a multicast address will terminate all avahi
daemons in the network (eg. 126.96.36.199).
Version-Release number of selected component (if applicable):
Please see attached
Steps to Reproduce:
Please see attached
Avahi-daemon terminates with SIGABORT
I'm not sure if I can report this issue here or I should contact avahi maintaners directly. If this is the case please let me know.
I am the Avahi maintainer upstream, too. I'll handle it. Thanks.
Hugo, thank you for the report. Apart from the official upstream fix Lennart will come up with, I have some question related to the process of handling of security flaw:
- I presume issue is not public, but you plan to publish some sort of advisory for this issue, once it is fixed upstream. Have you requested a CVE id for it? If not, we can assign one.
- Can we share information about this flaw (possibly including your PoC) with other open source software vendors via non-public channels prior to the official public announcement? This is commonly done give vendors time to work on updates to minimize users exposure. We can propagate that info on your behalf, or you can let security teams of other vendors know via vendor-sec mailing list:
- Can we credit you for discovery of this vulnerability in the security advisories?
- You're correct, it's not public. I will wait until it's fixed. I didn't request a CVE id, please assign one.
- You can share all info with vendorsec.
- Yes, please credit me for the discovery. This is my main goal.
Please let me know if you need any further info.
reflect_legacy_unicast_query_packet has similar assert. Lennart, is that one safe or need to be addressed as well?
This is the fix BTW:
It should fix both the original issue and the issue pointed out by thoger at the same time.
I've tested this against the perl script. Seems to work fine.
Hmm, bug 475964 now lists the CVE that has been assigned.
This bug is now fixed in Rawhide as part of a larger update of the Avahi packages.
Tomas, how should I proceed from now? Normally I'd simply cherry pick the necessary patches from the new rawhide packages and backport them to the F10 versions and mention the CVE in the changes section. Anything else I need to do on my side to get the bug fixed for F10 following the appropriate security bureaucracy?
Next would then be dealing with RHEL as well.
(In reply to comment #5)
Commit log is not quite obvious about the security implications of the flaw, but the announcement of 0.6.24 is:
So I consider this public now.
(In reply to comment #7)
> Tomas, how should I proceed from now? Normally I'd simply cherry pick the
> necessary patches from the new rawhide packages and backport them to the F10
> versions and mention the CVE in the changes section.
For Fedora, you can choose whether backport or rebase makes more sense. Please only refer to #475964 in the Bodhi update request.
> Anything else I need to do on my side to get the bug fixed for F10 following
> the appropriate security bureaucracy?
Mentioning CVE id in the changelog is preferred. As this is public now, there's not much security bureaucracy left. Only update process bureaucracy.
> Next would then be dealing with RHEL as well.
I'll help you deal with this tomorrow.
(In reply to comment #8)
> (In reply to comment #5)
> > http://git.0pointer.de/?p=avahi.git;a=commit;h=3093047f1aa36bed8a37fa79004bf0ee287929f4
> Commit log is not quite obvious about the security implications of the flaw,
> but the announcement of 0.6.24 is:
I deliberately tried to stay a little bit vague on what is actually going on.
> (In reply to comment #7)
> > Tomas, how should I proceed from now? Normally I'd simply cherry pick the
> > necessary patches from the new rawhide packages and backport them to the F10
> > versions and mention the CVE in the changes section.
> For Fedora, you can choose whether backport or rebase makes more sense. Please
> only refer to #475964 in the Bodhi update request.
Opening bug, all info is public now via:
There's now a fix for this commited upstream (same as original debian fix).
avahi-0.6.25 which I uploaded a week or two ago fixes this issue btw.
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '10'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 10's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 10 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.