Hugo Dias of the Synchron Security Labs discovered a remote denial of service flaw in the avahi daemon. A crafted multicast DNS (mDNS) packet with source port 0 can trigger assertion in originates_from_local_legacy_unicast_socket() function in avahi-core/server.c -- assert(port > 0); -- causing the daemon to call abort() and exit unexpectedly. Scope of this attack is usually limited to a single LAN.
Public now via new upstream release 0.6.24: http://avahi.org/milestone/Avahi%200.6.24 Upstream patch: http://git.0pointer.de/?p=avahi.git;a=commitdiff;h=3093047f1aa36bed8a37fa79004bf0ee287929f4
avahi-0.6.22-12.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/avahi-0.6.22-12.fc10
Hugo Dias' advisory: http://www.synchlabs.com/advisories/200812-1.htm
avahi-0.6.22-12.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
https://www.redhat.com/security/data/cve/CVE-2008-5081.html