Bug 29239

Summary:	avahi new security issue CVE-2021-3502
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	andrewsfarm, nicolas.salguero, ouaurelien, sysadmin-bugs
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	avahi-0.8-6.1.mga8.src.rpm	CVE:	CVE-2021-3502
Status comment:

Description David Walser 2021-07-08 16:50:27 CEST

Ubuntu has issued an advisory on July 7:
https://ubuntu.com/security/notices/USN-5008-1

Mageia 8 is also affected.

David Walser 2021-07-08 16:50:58 CEST

Status comment: (none) => Patch available from upstream and Ubuntu
CC: (none) => nicolas.salguero

Comment 1 Nicolas Salguero 2021-07-09 10:38:51 CEST

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability. (CVE-2021-3502)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3502
https://ubuntu.com/security/notices/USN-5008-1
========================

Updated packages in core/updates_testing:
========================
lib(64)avahi-core7-0.8-6.2.mga8
avahi-0.8-6.2.mga8
lib(64)avahi-compat-howl-devel-0.8-6.2.mga8
lib(64)avahi-gobject-devel-0.8-6.2.mga8
lib(64)avahi-compat-libdns_sd-devel-0.8-6.2.mga8
lib(64)avahi-client3-0.8-6.2.mga8
lib(64)avahi-common-devel-0.8-6.2.mga8
lib(64)avahi-ui-gtk3_0-0.8-6.2.mga8
lib(64)avahi-compat-howl0-0.8-6.2.mga8
avahi-x11-0.8-6.2.mga8
lib(64)avahi-common3-0.8-6.2.mga8
lib(64)avahi-core-devel-0.8-6.2.mga8
avahi-sharp-0.8-6.2.mga8
lib(64)avahi-gobject0-0.8-6.2.mga8
lib(64)avahi-compat-libdns_sd1-0.8-6.2.mga8
avahi-sharp-doc-0.8-6.2.mga8
lib(64)avahi-client-devel-0.8-6.2.mga8
avahi-dnsconfd-0.8-6.2.mga8
lib(64)avahi-gir0.6-0.8-6.2.mga8
lib(64)avahi-libevent1-0.8-6.2.mga8
lib(64)avahi-glib1-0.8-6.2.mga8
lib(64)avahi-qt5_1-0.8-6.2.mga8
lib(64)avahi-libevent-devel-0.8-6.2.mga8
lib(64)avahi-glib-devel-0.8-6.2.mga8
lib(64)avahi-ui-gtk3-devel-0.8-6.2.mga8
lib(64)avahicore-gir0.6-0.8-6.2.mga8
lib(64)avahi-qt5-devel-0.8-6.2.mga8

from SRPM:
avahi-0.8-6.2.mga8.src.rpm

CVE: (none) => CVE-2021-3502
Assignee: bugsquad => qa-bugs
Status comment: Patch available from upstream and Ubuntu => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8

Comment 2 David Walser 2021-07-09 19:41:06 CEST

Check "systemctl status -l avahi-daemon" before running the PoC and update, note the PIDs.

Run PoC:
$ (echo "RESOLVE-HOSTNAME a"; sleep 3;) | socat - /run/avahi-daemon/socket

Check "systemctl status -l avahi-daemon" again and note that the avahi-daemon process died (noted in the log messages) and there are new PIDs because it automatically restarted.  No console output from the PoC command itself.

After the update:
$ (echo "RESOLVE-HOSTNAME a"; sleep 3;) | socat - /run/avahi-daemon/socket
-3 Invalid host name

Check "systemctl status -l avahi-daemon" and note it was unaffected this time.

Looks good for Mageia 8 x86_64.

Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2021-07-10 13:46:20 CEST

Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-07-10 20:28:22 CEST

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 4 Mageia Robot 2021-07-10 22:02:06 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0339.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 5 David Walser 2021-08-30 16:04:19 CEST

*** Bug 29340 has been marked as a duplicate of this bug. ***