Description of problem: Avahi 0.6.20 was issued, fixing a local Denial of Service flaw where a local attacker could crash the Avahi daemon by sending a crafted message via D-Bus.
Upstream fix: http://avahi.org/changeset/b5daab9d464d239b0bf24379c6472ba09af35f66
Original report with PoC: http://lists.freedesktop.org/archives/avahi/2007-May/001058.html
Created attachment 328453: Patch used by Ubuntu in USN-696 (http://www.ubuntu.com/usn/usn-696-1)
Looks like the issue may have been introduced in 0.6.17 via the following commit (http://avahi.org/changeset/8b792d513254e334b7ead4e47dd3f37b23b06e77). Older versions use dbus_message_iter_get_array_len() and set k to "" when an empty array is received.
Confirmed with upstream that this issue was indeed introduced in 0.6.17, as is now noted on the upstream security page (http://avahi.org/wiki/AvahiSecurity). The avahi version shipped in Red Hat Enterprise Linux 5 is 0.6.16 and was not affected by this flaw. All current Fedora versions ship a post-0.6.20 version and therefore have the fix included.
Reporter changed to security-response-team by request of Jay Turner.