Description of problem:
Avahi 0.6.20 was issued fixing a local Denial of Service flaw, where a local
attacker could crash the Avahi daemon by sending a crafted message via D-Bus.
Original report with PoC:
Created attachment 328453
Patch used by Ubuntu in USN-696
Looks like the issue may have been introduced in 0.6.17 via the following commit:
Older versions use dbus_message_iter_get_array_len() and set k to "" when an empty array is received.
Confirmed with upstream that this issue was indeed introduced in 0.6.17, as is now noted on the upstream security page:
The avahi version shipped in Red Hat Enterprise Linux 5 is 0.6.16 and was not affected by this flaw. All current Fedora versions ship post-0.6.20 versions and therefore have the fix included.
Reporter changed to security-response-team by request of Jay Turner.