Hi everybody, Am Mittwoch, den 23.02.2011, 16:13 +0100 schrieb Michael Biebl: > A fixed package has been uploaded to unstable and stable-security (squeeze). First the good news: I can confirm that upgrading *all* avahi packages to 0.6.28-4 fixes the problem (only upgrading avahi-daemon does not!). Am Donnerstag, den 24.02.2011, 13:27 +0100 schrieb Salvatore Bonaccorso: > I can reproduce this too on lenny, can someone confirm that? Up to > date lenny system with avahi-daemon 0.6.23-3lenny2. Now the bad news: The Debian security tracker[1] says: [lenny] - avahi <not-affected> (Vulnerable code not present, introduced in 0.6.25) That's wrong: Looking at the source code reveals this: $ cat avahi-0.6.23/debian/patches/15_CVE-2010-2244.patch --- a/avahi-core/socket.c +++ avahi-0.6.23/avahi-core/socket.c @@ -652,6 +652,10 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv4( goto fail; } + /* corrupt packets have zero size */ + if (!ms) + goto fail; + p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE); io.iov_base = AVAHI_DNS_PACKET_DATA(p); @@ -805,6 +809,10 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv6( goto fail; } + /* corrupt packets have zero size */ + if (!ms) + goto fail; + p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE); io.iov_base = AVAHI_DNS_PACKET_DATA(p); $ So, the code which introduced this vulnerability (CVE-2011-1002[1]) was actually added[2] when fixing another vulnerability (CVE-2010-2244[3]). As a consequence, lenny IS indeed vulnerable and needs to be fixed too. Best regards and thank you very much for your work! Alexander Kurtz [1] http://security-tracker.debian.org/tracker/CVE-2011-1002 [2] http://packages.qa.debian.org/a/avahi/news/20100805T140231Z.html [3] http://security-tracker.debian.org/tracker/CVE-2010-2244
Attachment:
signature.asc
Description: This is a digitally signed message part