Bug 31811

Assigning this globally as no one packager is in evidence for avahi.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Prevent crashes on some invalid DBus calls. (CVE-2023-1981)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1981
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VCTAFULPERZVYFFVHM7IEYXYRNHQDJAU/
========================

Updated packages in core/updates_testing:
========================
avahi-0.8-6.3.mga8
avahi-dnsconfd-0.8-6.3.mga8
avahi-sharp-0.8-6.3.mga8
avahi-sharp-doc-0.8-6.3.mga8
avahi-x11-0.8-6.3.mga8
lib(64)avahicore-gir0.6-0.8-6.3.mga8
lib(64)avahi-client3-0.8-6.3.mga8
lib(64)avahi-client-devel-0.8-6.3.mga8
lib(64)avahi-common3-0.8-6.3.mga8
lib(64)avahi-common-devel-0.8-6.3.mga8
lib(64)avahi-compat-howl0-0.8-6.3.mga8
lib(64)avahi-compat-howl-devel-0.8-6.3.mga8
lib(64)avahi-compat-libdns_sd1-0.8-6.3.mga8
lib(64)avahi-compat-libdns_sd-devel-0.8-6.3.mga8
lib(64)avahi-core7-0.8-6.3.mga8
lib(64)avahi-core-devel-0.8-6.3.mga8
lib(64)avahi-gir0.6-0.8-6.3.mga8
lib(64)avahi-glib1-0.8-6.3.mga8
lib(64)avahi-glib-devel-0.8-6.3.mga8
lib(64)avahi-gobject0-0.8-6.3.mga8
lib(64)avahi-gobject-devel-0.8-6.3.mga8
lib(64)avahi-libevent1-0.8-6.3.mga8
lib(64)avahi-libevent-devel-0.8-6.3.mga8
lib(64)avahi-qt5_1-0.8-6.3.mga8
lib(64)avahi-qt5-devel-0.8-6.3.mga8
lib(64)avahi-ui-gtk3_0-0.8-6.3.mga8
lib(64)avahi-ui-gtk3-devel-0.8-6.3.mga8

from SRPM:
avahi-0.8-6.3.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8
CVE: (none) => CVE-2023-1981
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status comment: Patch available from Fedora => (none)

mageia8, x86_64

Not much information about this vulnerability online.  Installed  everything before updating then used qarepo and MageiaUpdate to update all the packages.

It looks like the service avahi-daemon was restarted on installation.
Tried some commands.
$ avahi-resolve-host-name localhost.localdomain
localhost.localdomain	127.0.0.1
$ avahi-browse --all -t
+   eno1 IPv4 HP Officejet 100 Mobile l411 @ canopus  _ipps._tcp           local
+   eno1 IPv4 HP Photosmart 5520 @ canopus            _ipps._tcp           local
+     lo IPv4 HP Officejet 100 Mobile l411 @ canopus  _ipps._tcp           local
+     lo IPv4 HP Photosmart 5520 @ canopus            _ipps._tcp           local
+   eno1 IPv4 HP Officejet 100 Mobile l411 @ canopus  _printer._tcp        local
+   eno1 IPv4 HP Photosmart 5520 @ canopus            _printer._tcp        local
+     lo IPv4 HP Officejet 100 Mobile l411 @ canopus  _printer._tcp        local
+     lo IPv4 HP Photosmart 5520 @ canopus            _printer._tcp        local
+   eno1 IPv4 HP Officejet 100 Mobile l411 @ canopus  _ipp._tcp            local
+   eno1 IPv4 HP Photosmart 5520 @ canopus            _ipp._tcp            local
+     lo IPv4 HP Officejet 100 Mobile l411 @ canopus  _ipp._tcp            local
+     lo IPv4 HP Photosmart 5520 @ canopus            _ipp._tcp            local
+   eno1 IPv4 canopus                                 _ssh._tcp            local
+   eno1 IPv4 Remote Access on canopus                _ssh._tcp            local
+     lo IPv4 canopus                                 _ssh._tcp            local
+     lo IPv4 Remote Access on canopus                _ssh._tcp            local
+   eno1 IPv4 Remote Access on canopus                _sftp-ssh._tcp       local
+   eno1 IPv4 Remote Access on gomeisa                _sftp-ssh._tcp       local
+     lo IPv4 Remote Access on canopus                _sftp-ssh._tcp       local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _ipp._tcp            local
+   eno1 IPv4 gomeisa                                 _ssh._tcp            local
+   eno1 IPv4 Remote Access on gomeisa                _ssh._tcp            local
+   eno1 IPv4 spica                                   _http._tcp           local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _pdl-datastream._tcp local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _http._tcp           local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _scanner._tcp        local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _http-alt._tcp       local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _uscan._tcp          local
$ ls /usr/bin | grep avahi
avahi-browse*
avahi-browse-domains@
avahi-discover-standalone*
avahi-publish*
avahi-publish-address@
avahi-publish-service@
avahi-resolve*
avahi-resolve-address@
avahi-resolve-host-name@
avahi-set-host-name*
$ avahi-discover-standalone
This lists a number of devices and pops up a widget 'Avahi discovery' which displays the list of devices against the interface name.  Clicking on any entry gives more information about the device.

The other commands require more knowledge so this is as far as it goes.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0158.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED