Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package avahi for openSUSE:Factory checked in at 2026-05-04 12:48:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/avahi (Old)
 and      /work/SRC/openSUSE:Factory/.avahi.new.30200 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "avahi" Mon May 4 12:48:20 2026 rev:177 rq:1350040 version:0.8 Changes: -------- --- /work/SRC/openSUSE:Factory/avahi/avahi.changes 2026-03-06 18:18:03.446823362 +0100 +++ /work/SRC/openSUSE:Factory/.avahi.new.30200/avahi.changes 2026-05-04 12:48:45.685731332 +0200 @@ -1,0 +2,13 @@ +Mon Apr 27 02:40:59 UTC 2026 - Xiaoguang Wang <[email protected]> + +- Add avahi-CVE-2026-34933.patch: refuse to accept publish flags + where both wide_area and multicast are set. + (CVE-2026-34933, bsc#1261546) + +------------------------------------------------------------------- +Wed Apr 22 15:36:01 UTC 2026 - Antonio Larrosa <[email protected]> + +- Make /var/lib/avahi-autoipd a ghost dir instead of packaging it + since avahi-autoipd creates it on start (jsc#PED-14836). + +------------------------------------------------------------------- New: ---- _scmsync.obsinfo avahi-CVE-2026-34933.patch build.specials.obscpio ----------(New B)---------- New: - Add avahi-CVE-2026-34933.patch: refuse to accept publish flags where both wide_area and multicast are set. ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ avahi.spec ++++++ --- /var/tmp/diff_new_pack.rIXMvo/_old 2026-05-04 12:48:50.821942824 +0200 +++ /var/tmp/diff_new_pack.rIXMvo/_new 2026-05-04 12:48:50.829943153 +0200 @@ -146,6 +146,8 @@ Patch41: avahi-CVE-2025-68471.patch # PATCH-FIX-UPSTREAM avahi-CVE-2025-68276.patch CVE-2025-68276 bsc#1256498 [email protected] -- refuse to create wide-area record browsers when wide-area is off. Patch42: avahi-CVE-2025-68276.patch +# PATCH-FIX-UPSTREAM avahi-CVE-2026-34933.patch bsc#1261546 [email protected] -- refuse to accept publish flags where both wide_area and multicast are set +Patch43: avahi-CVE-2026-34933.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gdbm-devel 
@@ -703,11 +705,9 @@ # do not remove this unless you plan to fix _all_ the references to # it. all (multiple) previous attempts have failed already #rm "%{buildroot}/%{_libdir}/libavahi-common.la" -install -d %{buildroot}/%{_localstatedir}/run/avahi-daemon ln -s avahi-compat-libdns_sd/dns_sd.h %{buildroot}/%{_includedir}/ ln -s avahi-compat-howl.pc %{buildroot}/%{_libdir}/pkgconfig/howl.pc install -d %{buildroot}/%{_prefix}/lib/avahi -install -d %{buildroot}/%{_localstatedir}/lib/avahi-autoipd install -d %{buildroot}/%{_datadir}/pixmaps install -d %{buildroot}%{_fillupdir} install -m 644 sysconfig.avahi* %{buildroot}%{_fillupdir}/ @@ -897,7 +897,7 @@ %files autoipd %doc avahi-autoipd/README.SUSE %{_mandir}/man8/avahi-autoipd.8%{ext_man} -%attr(-,avahi-autoipd,avahi-autoipd)%{_localstatedir}/lib/avahi-autoipd +%attr(-,avahi-autoipd,avahi-autoipd) %ghost %{_localstatedir}/lib/avahi-autoipd %{_sbindir}/avahi-autoipd %{_sysconfdir}/avahi/avahi-autoipd.action %{_fillupdir}/sysconfig.avahi-autoipd ++++++ _scmsync.obsinfo ++++++ mtime: 1777444456 commit: 00dc43da439a4ecee40a782ed12169acd2bfad8cfd501952e14cd92ff37277db url: https://src.opensuse.org/GNOME/avahi revision: 00dc43da439a4ecee40a782ed12169acd2bfad8cfd501952e14cd92ff37277db projectscmsync: https://src.opensuse.org/GNOME/_ObsPrj ++++++ avahi-CVE-2026-34933.patch ++++++ >From 3a884bca577eff37773067797adad99babadac3c Mon Sep 17 00:00:00 2001 
From: Evgeny Vereshchagin <[email protected]> Date: Wed, 1 Apr 2026 05:31:58 +0000 Subject: [PATCH] core: refuse to accept publish flags where both wide_area and multicast are set It fixes a bug where it was possible for unprivileged local users to crash avahi-daemon via D-Bus by calling EntryGroup methods accepting flags and passing both AVAHI_PUBLISH_USE_WIDE_AREA and AVAHI_PUBLISH_USE_MULTICAST there. For example when AddRecord was invoked like that avahi-daemon crashed with ``` dbus-entry-group.c: interface=org.freedesktop.Avahi.EntryGroup, path=/Client0/EntryGroup1, member=AddRecord avahi-daemon: entry.c:57: transport_flags_from_domain: Assertion `!((*flags & AVAHI_PUBLISH_USE_MULTICAST) && (*flags & AVAHI_PUBLISH_USE_WIDE_AREA))' failed. ==84944== ==84944== Process terminating with default action of signal 6 (SIGABRT) ==84944== at 0x4B353BC: __pthread_kill_implementation (pthread_kill.c:44) ==84944== by 0x4ADE941: raise (raise.c:26) ==84944== by 0x4AC64AB: abort (abort.c:77) ==84944== by 0x4AC641F: __assert_fail_base.cold (assert.c:118) ==84944== by 0x48A9404: transport_flags_from_domain (entry.c:57) ==84944== by 0x48A9F8F: server_add_internal (entry.c:224) ==84944== by 0x48AA49F: avahi_server_add (entry.c:324) ==84944== by 0x401A670: avahi_dbus_msg_entry_group_impl (dbus-entry-group.c:348) ==84944== by 0x4A70741: ??? (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3) ==84944== by 0x4A5FB22: dbus_connection_dispatch (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3) ==84944== by 0x401D01D: dispatch_timeout_callback (dbus-watch-glue.c:105) ==84944== by 0x488E3AE: timeout_callback (simple-watch.c:447) ==84944== ``` It's a follow-up to fbce111b069aa1e4c701ed37ee1d9f6d6cefaac5 where those flags were introduced and consistent with the other places where wide_area/multicast flags are used. 
It was discovered by Guillaume Meunier - Head of Vulnerability Operations Center France - Orange Cyberdefense https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc CVE-2026-34933 --- avahi-core/entry.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/avahi-core/entry.c b/avahi-core/entry.c index 0d862133d..06eb12076 100644 --- a/avahi-core/entry.c +++ b/avahi-core/entry.c @@ -207,6 +207,7 @@ static AvahiEntry * server_add_internal( AVAHI_PUBLISH_UPDATE| AVAHI_PUBLISH_USE_WIDE_AREA| AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_domain_name(r->key->name), AVAHI_ERR_INVALID_HOST_NAME); AVAHI_CHECK_VALIDITY_RETURN_NULL(s, r->ttl != 0, AVAHI_ERR_INVALID_TTL); AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !avahi_key_is_pattern(r->key), AVAHI_ERR_IS_PATTERN); @@ -454,6 +455,7 @@ int avahi_server_add_address( AVAHI_PUBLISH_UPDATE| AVAHI_PUBLISH_USE_WIDE_AREA| AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); AVAHI_CHECK_VALIDITY(s, !name || avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME); /* Prepare the host naem */ 
@@ -595,6 +597,7 @@ static int server_add_service_strlst_nocopy( AVAHI_PUBLISH_UPDATE| AVAHI_PUBLISH_USE_WIDE_AREA| AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME); AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE); AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME); @@ -754,6 +757,7 @@ static int server_update_service_txt_strlst_nocopy( AVAHI_PUBLISH_NO_COOKIE| AVAHI_PUBLISH_USE_WIDE_AREA| AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME); AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE); AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME); 
@@ -843,6 +847,7 @@ int avahi_server_add_service_subtype( AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE); AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL); AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME); AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE); AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME); @@ -910,6 +915,7 @@ static AvahiEntry *server_add_dns_server_name( assert(name); AVAHI_CHECK_VALIDITY_RETURN_NULL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); AVAHI_CHECK_VALIDITY_RETURN_NULL(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS); AVAHI_CHECK_VALIDITY_RETURN_NULL(s, port != 0, AVAHI_ERR_INVALID_PORT); AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME); 
@@ -967,6 +973,7 @@ int avahi_server_add_dns_server_address( AVAHI_CHECK_VALIDITY(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE); AVAHI_CHECK_VALIDITY(s, AVAHI_PROTO_VALID(protocol) && AVAHI_PROTO_VALID(address->proto), AVAHI_ERR_INVALID_PROTOCOL); AVAHI_CHECK_VALIDITY(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); AVAHI_CHECK_VALIDITY(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS); AVAHI_CHECK_VALIDITY(s, port != 0, AVAHI_ERR_INVALID_PORT); AVAHI_CHECK_VALIDITY(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME); ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-04-29 08:34:16.000000000 +0200 @@ -0,0 +1,4 @@ +*.obscpio +*.osc +_build.* +.pbuild
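Review bot: in the avahi.spec hunk at @@ -703,11 +705,9 @@, the line `install -d %{buildroot}/%{_localstatedir}/run/avahi-daemon` is removed together with the avahi-autoipd one, but the avahi.changes entry only mentions /var/lib/avahi-autoipd. Either document the removal of the run/avahi-daemon directory in the changelog entry or split it out, so that a later reader of the changes file can tell it was intentional.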
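Review bot: in the avahi.spec %files autoipd hunk at @@ -897,7 +897,7 @@, the new `%ghost` entry keeps `%attr(-,avahi-autoipd,avahi-autoipd)`, which leaves the mode unspecified now that the directory is no longer created in the buildroot. Consider giving an explicit mode in `%attr` so the package records the permissions the state directory is expected to have once avahi-autoipd creates it at start.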
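Review bot: in avahi-core/entry.c, the server_add_internal hunk at @@ -207,6 +207,7 @@ adds the check in the caller only, while the assertion at entry.c:57 in transport_flags_from_domain from the commit message's backtrace is untouched (the diffstat shows 7 insertions and no deletions). Any future entry point that forwards caller-supplied flags without the new check would abort the daemon the same way. Consider making transport_flags_from_domain return AVAHI_ERR_INVALID_FLAGS for the combination instead of asserting, and adding a regression test that calls each EntryGroup method with both flags set and expects an error reply.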
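Review bot: from the avahi_server_add_address hunk at @@ -454,6 +455,7 @@ onward, the expression `!(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST)` is pasted verbatim into every one of the seven hunks in avahi-core/entry.c. A single named macro or inline helper for "wide_area and multicast are mutually exclusive", used next to the existing AVAHI_FLAGS_VALID check, would keep the seven call sites in sync and make a missing check easier to spot when a new publish function is added.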
