Message ID | 20190312222157.19390-1-panfilov.artyom@gmail.com |
---|---|
State | Changes Requested |
Headers | show |
Series | [1/1] package/avahi: add upstream security fix | expand |
Hi Artem, On 12/03/2019 23:21, Artem Panfilov wrote: > Fixes CVE-2017-6519: avahi-daemon in Avahi through 0.6.32 and 0.7 > inadvertently responds to IPv6 unicast queries with source addresses > that are not on-link, which allows remote attackers to cause a denial > of service (traffic amplification) and may cause information leakage > by obtaining potentially sensitive information from the responding > device via port-5353 UDP packets. > > Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com> > --- > ...eries-from-address-not-on-local-link.patch | 42 +++++++++++++++++++ > 1 file changed, 42 insertions(+) > create mode 100644 package/avahi/0001-drop-legacy-unicast-queries-from-address-not-on-local-link.patch > > diff --git a/package/avahi/0001-drop-legacy-unicast-queries-from-address-not-on-local-link.patch b/package/avahi/0001-drop-legacy-unicast-queries-from-address-not-on-local-link.patch > new file mode 100644 > index 0000000000..e5b13e0bee > --- /dev/null > +++ b/package/avahi/0001-drop-legacy-unicast-queries-from-address-not-on-local-link.patch > @@ -0,0 +1,42 @@ > +From e111def44a7df4624a4aa3f85fe98054bffb6b4f Mon Sep 17 00:00:00 2001 > +From: Trent Lloyd <trent@lloyd.id.au> > +Date: Sat, 22 Dec 2018 09:06:07 +0800 > +Subject: [PATCH] Drop legacy unicast queries from address not on local link > + > +When handling legacy unicast queries, ensure that the source IP is > +inside a subnet on the local link, otherwise drop the packet. > + > +Fixes #145 > +Fixes #203 > +CVE-2017-6519 > +CVE-2018-100084 You need to add a Signed-off-by line for yourself. This is a short way for you to assert that you are entitled to contribute the patch under the license(s) of the avahi package. See http://elinux.org/Developer_Certificate_Of_Origin and https://buildroot.org/manual.html#_format_and_licensing_of_the_package_patches for more details. Regards, Arnout > +--- > + avahi-core/server.c | 8 ++++++++ > + 1 file changed, 8 insertions(+) > + > +diff --git a/avahi-core/server.c b/avahi-core/server.c > +index a2cb19a8..a2580e38 100644 > +--- a/avahi-core/server.c > ++++ b/avahi-core/server.c > +@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres > + > + if (avahi_dns_packet_is_query(p)) { > + int legacy_unicast = 0; > ++ char t[AVAHI_ADDRESS_STR_MAX]; > + > + /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the > + * AR section completely here, so far. Until the day we add > +@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres > + legacy_unicast = 1; > + } > + > ++ if (!is_mdns_mcast_address(dst_address) && > ++ !avahi_interface_address_on_link(i, src_address)) { > ++ > ++ avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol); > ++ return; > ++ } > ++ > + if (legacy_unicast) > + reflect_legacy_unicast_query_packet(s, p, i, src_address, port); > + >
Hi Arnout, On 13.03.2019 1:47, Arnout Vandecappelle wrote: > You need to add a Signed-off-by line for yourself. This is a short way for you > to assert that you are entitled to contribute the patch under the license(s) of > the avahi package. See http://elinux.org/Developer_Certificate_Of_Origin and > https://buildroot.org/manual.html#_format_and_licensing_of_the_package_patches > for more details. Thank you, I resend "PATCH v2" with proper tags. Best regards, Artem
diff --git a/package/avahi/0001-drop-legacy-unicast-queries-from-address-not-on-local-link.patch b/package/avahi/0001-drop-legacy-unicast-queries-from-address-not-on-local-link.patch new file mode 100644 index 0000000000..e5b13e0bee --- /dev/null +++ b/package/avahi/0001-drop-legacy-unicast-queries-from-address-not-on-local-link.patch @@ -0,0 +1,42 @@ +From e111def44a7df4624a4aa3f85fe98054bffb6b4f Mon Sep 17 00:00:00 2001 +From: Trent Lloyd <trent@lloyd.id.au> +Date: Sat, 22 Dec 2018 09:06:07 +0800 +Subject: [PATCH] Drop legacy unicast queries from address not on local link + +When handling legacy unicast queries, ensure that the source IP is +inside a subnet on the local link, otherwise drop the packet. + +Fixes #145 +Fixes #203 +CVE-2017-6519 +CVE-2018-100084 +--- + avahi-core/server.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/avahi-core/server.c b/avahi-core/server.c +index a2cb19a8..a2580e38 100644 +--- a/avahi-core/server.c ++++ b/avahi-core/server.c +@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres + + if (avahi_dns_packet_is_query(p)) { + int legacy_unicast = 0; ++ char t[AVAHI_ADDRESS_STR_MAX]; + + /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the + * AR section completely here, so far. Until the day we add +@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres + legacy_unicast = 1; + } + ++ if (!is_mdns_mcast_address(dst_address) && ++ !avahi_interface_address_on_link(i, src_address)) { ++ ++ avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol); ++ return; ++ } ++ + if (legacy_unicast) + reflect_legacy_unicast_query_packet(s, p, i, src_address, port); +
Fixes CVE-2017-6519: avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com> --- ...eries-from-address-not-on-local-link.patch | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 package/avahi/0001-drop-legacy-unicast-queries-from-address-not-on-local-link.patch