Hi everybody,

On Wednesday, 23.02.2011, 16:13 +0100, Michael Biebl wrote:
> A fixed package has been uploaded to unstable and stable-security (squeeze).

First the good news: I can confirm that upgrading *all* avahi packages to 0.6.28-4 fixes the problem (only upgrading avahi-daemon does not!).

On Thursday, 24.02.2011, 13:27 +0100, Salvatore Bonaccorso wrote:
> I can reproduce this too on lenny, can someone confirm that? Up to
> date lenny system with avahi-daemon 0.6.23-3lenny2.

Now the bad news: The Debian security tracker[1] says:

  [lenny] - avahi <not-affected> (Vulnerable code not present, introduced in 0.6.25)

That's wrong: Looking at the source code reveals this:

$ cat avahi-0.6.23/debian/patches/15_CVE-2010-2244.patch
--- a/avahi-core/socket.c
+++ avahi-0.6.23/avahi-core/socket.c
@@ -652,6 +652,10 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv4(
         goto fail;
     }
 
+    /* corrupt packets have zero size */
+    if (!ms)
+        goto fail;
+
     p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE);
     io.iov_base = AVAHI_DNS_PACKET_DATA(p);
@@ -805,6 +809,10 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv6(
         goto fail;
     }
 
+    /* corrupt packets have zero size */
+    if (!ms)
+        goto fail;
+
     p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE);
     io.iov_base = AVAHI_DNS_PACKET_DATA(p);
$

So, the code which introduced this vulnerability (CVE-2011-1002[1]) was actually added[2] when fixing another vulnerability (CVE-2010-2244[3]). As a consequence, lenny IS indeed vulnerable and needs to be fixed too.

Best regards and thank you very much for your work!

Alexander Kurtz

[1] http://security-tracker.debian.org/tracker/CVE-2011-1002
[2] http://packages.qa.debian.org/a/avahi/news/20100805T140231Z.html
[3] http://security-tracker.debian.org/tracker/CVE-2010-2244
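Review bot: In both hunks of the quoted patch (avahi_recv_dns_packet_ipv4 and avahi_recv_dns_packet_ipv6), the added `if (!ms) goto fail;` jumps to the error path before the packet buffer is allocated and the iovec is set up (`p = avahi_dns_packet_new(...)`, `io.iov_base = ...`), i.e. before the datagram is actually read off the socket. A zero-length datagram therefore never gets dequeued, the socket stays readable, and the daemon's event loop calls this function again only to hit the same early exit, which is the CVE-2011-1002 busy loop this mail is about. The zero-size check needs to consume the datagram (a throwaway receive on the fd) before or on the way to `goto fail`, rather than leaving it in the receive queue.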