
Bug#1034643: marked as done (unblock: avahi/0.8-10)



Your message dated Thu, 20 Apr 2023 21:35:38 +0000
with message-id <E1ppbwI-00749j-8q@respighi.debian.org>
and subject line unblock avahi
has caused the Debian Bug report #1034643,
regarding unblock: avahi/0.8-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1034643: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034643
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: avahi@packages.debian.org
Control: affects -1 + src:avahi

Please unblock package avahi


[ Reason ]
The main issue is the fix for CVE-2023-1981, a local denial of service
that can be executed by unprivileged users.

The removal of the bind9-host dependency is a change that had already
been committed to git and I didn't want to revert it.

Updating debian/watch doesn't affect the binary package itself.

[ Impact ]
If the package is not updated, users are vulnerable to CVE-2023-1981.

[ Tests ]
No automated tests for the affected code are available.

[ Risks ]
I consider the risk rather low as it's a targeted fix which has been
approved/applied upstream.


[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock avahi/0.8-10
diff --git a/debian/changelog b/debian/changelog
index 81e976a7..8efca465 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+avahi (0.8-10) unstable; urgency=medium
+
+  [ Felix Geyer ]
+  * Remove dependency on bind9-host.
+    Originally added in #433030, no longer needed as the
+    avahi-daemon-check-dns.sh script is no longer shipped.
+
+  [ Michael Biebl ]
+  * Emit error if requested service is not found.
+    Fixes a potential local DoS where the avahi daemon could be crashed by
+    an unprivileged user via a D-Bus call.
+    (CVE-2023-1981, Closes: #1034594)
+  * Update watch file to get tarballs directly from avahi.org again.
+    The recent changes in GitHub broke the current watch file.
+    As new releases are again uploaded to avahi.org, get the release
+    tarballs from there.
+
+ -- Michael Biebl <biebl@debian.org>  Wed, 19 Apr 2023 13:51:49 +0200
+
 avahi (0.8-9) unstable; urgency=medium
 
   [ Gioele Barabucci ]
diff --git a/debian/control b/debian/control
index 6210237d..2ee1cdc1 100644
--- a/debian/control
+++ b/debian/control
@@ -38,7 +38,6 @@ Depends: ${shlibs:Depends},
          ${misc:Depends},
          adduser,
          default-dbus-system-bus | dbus-system-bus,
-         bind9-host | host
 Recommends: libnss-mdns,
 Suggests: avahi-autoipd
 Multi-Arch: foreign
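
Review bot: With `bind9-host | host` removed, the Depends field now ends on `default-dbus-system-bus | dbus-system-bus,` with a trailing comma. The Recommends line in the same context already ends that way, so this matches the file's style, but it is worth confirming that the generated binary control field comes out clean. The removal is unrelated to the CVE fix; the changelog justifies it by avahi-daemon-check-dns.sh no longer being shipped, so a quick check that nothing else in the package invokes `host` would close that out.
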
diff --git a/debian/patches/Emit-error-if-requested-service-is-not-found.patch b/debian/patches/Emit-error-if-requested-service-is-not-found.patch
new file mode 100644
index 00000000..19eb2b96
--- /dev/null
+++ b/debian/patches/Emit-error-if-requested-service-is-not-found.patch
@@ -0,0 +1,54 @@
+From: =?utf-8?b?UGV0ciBNZW7FocOtaw==?= <pemensik@redhat.com>
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+(cherry picked from commit a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f)
+---
+ avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
+index 70d7687..406d0b4 100644
+--- a/avahi-daemon/dbus-protocol.c
++++ b/avahi-daemon/dbus-protocol.c
+@@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM
+     }
+ 
+     t = avahi_alternative_host_name(n);
+-    avahi_dbus_respond_string(c, m, t);
+-    avahi_free(t);
++    if (t) {
++        avahi_dbus_respond_string(c, m, t);
++        avahi_free(t);
+ 
+-    return DBUS_HANDLER_RESULT_HANDLED;
++        return DBUS_HANDLER_RESULT_HANDLED;
++    } else {
++        return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
++    }
+ }
+ 
+ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) {
+@@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB
+     }
+ 
+     t = avahi_alternative_service_name(n);
+-    avahi_dbus_respond_string(c, m, t);
+-    avahi_free(t);
++    if (t) {
++        avahi_dbus_respond_string(c, m, t);
++        avahi_free(t);
+ 
+-    return DBUS_HANDLER_RESULT_HANDLED;
++        return DBUS_HANDLER_RESULT_HANDLED;
++    } else {
++        return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
++    }
+ }
+ 
+ static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) {
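
Review bot: In both handlers the new else branch reports AVAHI_ERR_NOT_FOUND ("Hostname not found" / "Service not found"), but the failing call is avahi_alternative_host_name(n) or avahi_alternative_service_name(n) returning NULL, that is, no alternative name could be derived from the caller-supplied `n`, not a lookup that missed. An error code and message describing an unusable name would tell D-Bus clients more accurately what went wrong. The `if (t)` check itself is what keeps the NULL pointer away from avahi_dbus_respond_string(), and avahi_free(t) stays on the success path only, which is right. On the packaging side, the patch header records its origin only as "(cherry picked from commit a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f)"; adding Origin and Applied-Upstream fields, as dbus-Use-non-deprecated-installation-path.patch has, would make the upstream provenance explicit.
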
diff --git a/debian/patches/dbus-Use-non-deprecated-installation-path.patch b/debian/patches/dbus-Use-non-deprecated-installation-path.patch
index 796c97dc..cb348788 100644
--- a/debian/patches/dbus-Use-non-deprecated-installation-path.patch
+++ b/debian/patches/dbus-Use-non-deprecated-installation-path.patch
@@ -1,6 +1,7 @@
 From: Jan Tojnar <jtojnar@gmail.com>
 Date: Sat, 21 May 2022 19:02:11 +0200
 Subject: dbus: Use non-deprecated installation path
+
 Origin: https://github.com/lathiat/avahi/commit/0ab222c6601535f078f88e9d72b2c70cba03de23
 Applied-Upstream: https://github.com/lathiat/avahi/commit/0ab222c6601535f078f88e9d72b2c70cba03de23
 
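
Review bot: The only change to this patch is a blank line inserted after the Subject header, which looks like churn from regenerating the patch queue rather than an intended edit. It is harmless, but the changelog entry does not mention it, so either drop it from the upload or accept it knowingly as refresh noise.
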
diff --git a/debian/patches/series b/debian/patches/series
index 8be38672..31026118 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ Fix-NULL-pointer-crashes-from-175.patch
 Fix-encoding-of-avahi-common-domain.h-to-be-UTF-8.patch
 Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
 dbus-Use-non-deprecated-installation-path.patch
+Emit-error-if-requested-service-is-not-found.patch
diff --git a/debian/watch b/debian/watch
index 67c7e412..fbfcf52d 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,2 +1,2 @@
-version=3
-https://github.com/lathiat/avahi/releases/ .*/avahi-([\d\.]+)\.tar\.gz
+version=4
+https://avahi.org/download/@PACKAGE@@ANY_VERSION@@ARCHIVE_EXT@
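
Review bot: The new watch line fetches release tarballs from https://avahi.org/download/ but sets no `opts=` with `pgpsigurlmangle`, so uscan will download them without verifying an upstream signature. If upstream publishes detached signatures alongside the tarballs, add the option together with debian/upstream/signing-key.asc; if not, a comment in the file saying so would document that the gap is known.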

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
