475964 – (CVE-2008-5081) CVE-2008-5081 avahi: avahi-daemon DoS (application abort) via packet with source port 0

Bug 475964 (CVE-2008-5081) - CVE-2008-5081 avahi: avahi-daemon DoS (application abort) via packet with source port 0

Summary: CVE-2008-5081 avahi: avahi-daemon DoS (application abort) via packet with sou...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-5081
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	475394 476496 476497
Blocks:
TreeView+	depends on / blocked

Reported:	2008-12-11 11:05 UTC by Tomas Hoger
Modified:	2019-09-29 12:28 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-03-29 08:48:08 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2009:0013	0	normal	SHIPPED_LIVE	Moderate: avahi security update	2009-01-12 14:09:09 UTC

Description Tomas Hoger 2008-12-11 11:05:57 UTC

Hugo Dias of the Synchron Security Labs discovered a remote denial of service flaw in the avahi daemon.  A crafted multicast DNS (mDNS) packet with source port 0 can trigger assertion in originates_from_local_legacy_unicast_socket() function in avahi-core/server.c -- assert(port > 0); -- causing the daemon to call abort() and exit unexpectedly.

Scope of this attack is usually limited to a single LAN.

Comment 2 Tomas Hoger 2008-12-14 10:26:34 UTC

Public now via new upstream release 0.6.24:
  http://avahi.org/milestone/Avahi%200.6.24

Upstream patch:
http://git.0pointer.de/?p=avahi.git;a=commitdiff;h=3093047f1aa36bed8a37fa79004bf0ee287929f4

Comment 3 Fedora Update System 2008-12-14 19:49:27 UTC

avahi-0.6.22-12.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/avahi-0.6.22-12.fc10

Comment 5 Tomas Hoger 2008-12-19 08:40:39 UTC

Hugo Dias' advisory:
  http://www.synchlabs.com/advisories/200812-1.htm

Comment 6 Fedora Update System 2009-01-07 09:33:06 UTC

avahi-0.6.22-12.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Tomas Hoger 2010-03-29 08:48:08 UTC

https://www.redhat.com/security/data/cve/CVE-2008-5081.html

Note You need to log in before you can comment on or make changes to this bug.