Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:GA
avahi-glib2.33718
avahi-CVE-2023-38471.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File avahi-CVE-2023-38471.patch of Package avahi-glib2.33718
From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001 From: Michal Sekletar <msekleta@redhat.com> Date: Mon, 23 Oct 2023 13:38:35 +0200 Subject: [PATCH] core: extract host name using avahi_unescape_label() Previously we could create invalid escape sequence when we split the string on dot. For example, from valid host name "foo\\.bar" we have created invalid name "foo\\" and tried to set that as the host name which crashed the daemon. Fixes #453 CVE-2023-38471 --- avahi-core/server.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/avahi-core/server.c b/avahi-core/server.c index c32637a..f6a21bb 100644 --- a/avahi-core/server.c +++ b/avahi-core/server.c @@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) { } int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { - char *hn = NULL; + char label_escaped[AVAHI_LABEL_MAX*4+1]; + char label[AVAHI_LABEL_MAX]; + char *hn = NULL, *h; + size_t len; + assert(s); AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); @@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { else hn = avahi_normalize_name_strdup(host_name); - hn[strcspn(hn, ".")] = 0; + h = hn; + if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { + avahi_free(h); + return AVAHI_ERR_INVALID_HOST_NAME; + } + + avahi_free(h); + + h = label_escaped; + len = sizeof(label_escaped); + if (!avahi_escape_label(label, strlen(label), &h, &len)) + return AVAHI_ERR_INVALID_HOST_NAME; - if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { - avahi_free(hn); + if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); - } withdraw_host_rrs(s); avahi_free(s->host_name); - s->host_name = hn; + s->host_name = avahi_strdup(label_escaped); + if (!s->host_name) + return AVAHI_ERR_NO_MEMORY; update_fqdn(s); -- 2.44.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor