Bug 14051

Summary: [CVE21] avahi 0.8 CVEs
Product: [ROSA-based products] ROSA Fresh
Reporter: Vladimir Potapov <v.potapov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: Highest
CC: a.proklov, m.novosyolov
Version: All
Flags: v.potapov: qa_verified+, v.potapov: secteam_verified?, a.proklov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2021-26720,CVE-2023-38469,CVE-2023-38470,CVE-2023-38471,CVE-2023-38472,CVE-2023-38473
Whiteboard:
Platform: ---
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Vladimir Potapov 2023-11-28 18:09:18 MSK
CVE-2021-26720 High
CVE-2023-38469 Medium
CVE-2023-38473 Medium
CVE-2023-38470 Medium
CVE-2023-38472 Medium
CVE-2023-38471 Medium
Comment 1 Vladimir Potapov 2023-11-28 18:20:27 MSK
CentOS has the patches: https://centos.pkgs.org/9-stream/centos-baseos-x86_64/avahi-0.8-20.el9.x86_64.rpm.html
Comment 2 Mikhail Novosyolov 2023-11-28 19:25:07 MSK
********** QA ADVISORY **********

avahi 0.8-12.git35bb1b.1
- update to git snapshot
- fixes of many CVEs
- fixes of crashes found by fuzzing
https://abf.io/build_lists/4840782
https://abf.io/build_lists/4840783
https://abf.io/build_lists/4840784
https://abf.io/build_lists/4840785
https://abf.io/build_lists/4840786

I checked that a printer is visible via ipp-usb, and that network non-USB printers are visible as well.
Comment 3 Vladimir Potapov 2023-11-29 09:46:20 MSK
Printing over IPP does not work after the update.
I checked three times: install the new avahi and it stops working.
Roll back with distro-sync, reboot, and it works again.
Install it, reboot, and it stops working.
Roll back with distro-sync, reboot, and it works again.

Steps to reproduce:
1) Launch firefox
2) Open the ROSA testing regulations
3) Press Ctrl+P

When the error occurs, the dialog does not even open; the log shows this error:
[Parent 3915, Main Thread] WARNING: Unknown paper size : 'glib warning', file /builddir/build/BUILD/firefox-120.0/toolkit/xre/nsSigHandlers.cpp:187
Comment 4 Vladimir Potapov 2023-11-29 09:47:51 MSK
The printer is a network HP, not installed in the system; ipp-usb is installed.
Comment 5 Mikhail Novosyolov 2023-11-29 12:43:37 MSK
For me, LibreOffice did show the print dialog.
What does journalctl -b 0 -u avahi-daemon show?
Comment 6 Vladimir Potapov 2023-11-29 12:54:40 MSK
FF generates a preview right away when opening the dialog.
I just tried at 17:53, and the error reproduced.
The log only shows the startup:
journalctl -b 0 -u avahi-daemon
-- Journal begins at Mon 2023-10-23 14:42:51 +08, ends at Wed 2023-11-29 17:53:12 +08. --
ноя 29 14:40:19 keleg-rosa systemd[1]: Starting Avahi mDNS/DNS-SD Stack...
ноя 29 14:40:19 keleg-rosa avahi-daemon[1503]: Found user 'avahi' (UID 487) and group 'avahi' (GID 487).
ноя 29 14:40:19 keleg-rosa avahi-daemon[1503]: Successfully dropped root privileges.
ноя 29 14:40:19 keleg-rosa avahi-daemon[1503]: avahi-daemon 0.8 starting up.
ноя 29 14:40:19 keleg-rosa avahi-daemon[1503]: Successfully called chroot().
ноя 29 14:40:19 keleg-rosa avahi-daemon[1503]: Successfully dropped remaining capabilities.
ноя 29 14:40:19 keleg-rosa systemd[1]: Started Avahi mDNS/DNS-SD Stack.
ноя 29 14:40:19 keleg-rosa avahi-daemon[1503]: No service file found in /etc/avahi/services.
ноя 29 14:40:19 keleg-rosa avahi-daemon[1503]: Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
ноя 29 14:40:19 keleg-rosa avahi-daemon[1503]: New relevant interface lo.IPv4 for mDNS.
ноя 29 14:40:19 keleg-rosa avahi-daemon[1503]: Network interface enumeration completed.
ноя 29 14:40:19 keleg-rosa avahi-daemon[1503]: Registering new address record for ::1 on lo.*.
ноя 29 14:40:19 keleg-rosa avahi-daemon[1503]: Registering new address record for 127.0.0.1 on lo.IPv4.
ноя 29 14:40:20 keleg-rosa avahi-daemon[1503]: Server startup complete. Host name is keleg-rosa.local. Local service cookie is 159289118.
ноя 29 14:40:23 keleg-rosa avahi-daemon[1503]: Registering new address record for fe80::96de:80ff:fe62:83e2 on enp4s0.*.
ноя 29 14:40:23 keleg-rosa avahi-daemon[1503]: Joining mDNS multicast group on interface enp4s0.IPv4 with address 192.168.2.99.
ноя 29 14:40:23 keleg-rosa avahi-daemon[1503]: New relevant interface enp4s0.IPv4 for mDNS.
ноя 29 14:40:23 keleg-rosa avahi-daemon[1503]: Registering new address record for 192.168.2.99 on enp4s0.IPv4.
Comment 7 Vladimir Potapov 2023-12-01 16:57:14 MSK
Oh, the test avahi also broke my network access to the SMB share on a disk attached to the router.
Comment 8 Mikhail Novosyolov 2023-12-07 10:51:42 MSK
********** QA ADVISORY **********

Fixed path to socket

avahi 0.8-12.git35bb1b.1
- update to git snapshot
- fixes of many CVEs
- fixes of crashes found by fuzzing
https://abf.io/build_lists/4858547
https://abf.io/build_lists/4858548
https://abf.io/build_lists/4858549
https://abf.io/build_lists/4858550
https://abf.io/build_lists/4858551
Comment 9 Vladimir Potapov 2023-12-07 11:14:59 MSK
(In reply to Mikhail Novosyolov from comment #8)
> ********** QA ADVISORY **********
> 
> Fixed path to socket
> 
> avahi 0.8-12.git35bb1b.1
> - update to git snapshot
> - fixes of many CVEs
> - fixes of crashes found by fuzzing
> https://abf.io/build_lists/4858547
> https://abf.io/build_lists/4858548
> https://abf.io/build_lists/4858549
> https://abf.io/build_lists/4858550
> https://abf.io/build_lists/4858551
***********************************************
The update sent to testings
Comment 10 Mikhail Novosyolov 2023-12-07 11:30:12 MSK
commit a337a1ba7d15853fb56deef1f464529af6e3a1cf
Author: Evgeny Vereshchagin <evvers@ya.ru>
Date:   Mon Oct 23 20:29:31 2023 +0000

    core: reject overly long TXT resource records
    
    Closes https://github.com/lathiat/avahi/issues/455
    
    CVE-2023-38469

commit b448c9f771bada14ae8de175695a9729f8646797
Author: Michal Sekletar <msekleta@redhat.com>
Date:   Wed Oct 11 17:45:44 2023 +0200

    common: derive alternative host name from its unescaped version
    
    Normalization of input makes sure we don't have to deal with special
    cases like unescaped dot at the end of label.
    
    Fixes #451 #487
    CVE-2023-38473


commit 894f085f402e023a98cbb6f5a3d117bd88d93b09
Author: Michal Sekletar <msekleta@redhat.com>
Date:   Mon Oct 23 13:38:35 2023 +0200

    core: extract host name using avahi_unescape_label()
    
    Previously we could create invalid escape sequence when we split the
    string on dot. For example, from valid host name "foo\\.bar" we have
    created invalid name "foo\\" and tried to set that as the host name
    which crashed the daemon.
    
    Fixes #453
    
    CVE-2023-38471

commit b024ae5749f4aeba03478e6391687c3c9c8dee40
Author: Michal Sekletar <msekleta@redhat.com>
Date:   Thu Oct 19 17:36:44 2023 +0200

    core: make sure there is rdata to process before parsing it
    
    Fixes #452
    
    CVE-2023-38472



And CVE-2023-38470 is fixed by this commit (information from https://github.com/avahi/avahi/issues/454 , which is linked from Red Hat's Bugzilla):

commit 94cb6489114636940ac683515417990b55b5d66c
Author: Petr Menšík <pemensik@redhat.com>
Date:   Tue Apr 11 15:29:59 2023 +0200

    Ensure each label is at least one byte long
    
    The only allowed exception is single dot, where it should return empty
    string.
    
    Fixes #454.
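
Added example (not avahi's code and not written by anyone in this thread): the failure described in the CVE-2023-38471 commit message above, where splitting the escaped name "foo\\.bar" on the dot leaves a dangling escape, shown beside an escape-aware extraction that also rejects empty labels. The helper names `naive_first_label` and `first_label_unescaped` are hypothetical, and the escape grammar handled here (`\.`, `\\`, `\DDD`) is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive split: copy everything before the first '.', ignoring escapes.
 * For "foo\.bar" this yields "foo\", a name ending in a dangling escape. */
size_t naive_first_label(const char *name, char *dest, size_t size) {
    size_t n = strcspn(name, ".");
    if (size == 0) return 0;
    if (n >= size) n = size - 1;
    memcpy(dest, name, n);
    dest[n] = '\0';
    return n;
}

static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* Escape-aware extraction (hypothetical helper): decode the first label into
 * dest. Returns 0, or -1 on a bad escape, empty label, or too-small dest. */
int first_label_unescaped(const char *name, char *dest, size_t size) {
    const char *p = name; size_t o = 0;
    while (*p != '\0' && *p != '.') {
        unsigned char c = (unsigned char)*p++;
        if (c == '\\') {
            if (*p == '\0') return -1;              /* dangling backslash */
            if (is_digit(p[0])) {                   /* \DDD decimal escape */
                if (!is_digit(p[1]) || !is_digit(p[2])) return -1;
                int v = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
                if (v == 0 || v > 255) return -1;
                c = (unsigned char)v;
                p += 3;
            } else {
                c = (unsigned char)*p++;            /* "\." or "\\" */
            }
        }
        if (o + 1 >= size) return -1;               /* no room for byte + NUL */
        dest[o++] = (char)c;
    }
    if (o == 0) return -1;                          /* empty label */
    dest[o] = '\0';
    return 0;
}

int main(void) {
    char raw[64], label[64];
    naive_first_label("foo\\.bar", raw, sizeof raw);   /* constructed input */
    printf("naive: %s valid=%d\n", raw, first_label_unescaped(raw, label, sizeof label) == 0);
    printf("aware: rc=%d label=%s\n", first_label_unescaped("foo\\.bar", label, sizeof label), label);
}
```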
Comment 11 Vladimir Potapov 2023-12-13 17:42:22 MSK
avahi-0.8-12.git35bb1b.2
https://abf.io/build_lists/4858547
https://abf.io/build_lists/4858548
https://abf.io/build_lists/4858549
https://abf.io/build_lists/4858550
https://abf.io/build_lists/4858551
************************* Advisory *************************
- update to git snapshot
- fixes of many CVEs
- fixes of crashes found by fuzzing
*************************************************************
QA Verified