OpenSUSE has issued an advisory on May 10:
Proposed patch upstream:
MGA8TOO, MGA7TOO
Status comment: Patch available from upstream
Source RPM:
This SRPM has no obvious maintainer, so assigning this globally.
The updated packages fix a security vulnerability:
Avoid infinite loop by handling HUP event in client_work. (CVE-2021-3468)
Updated packages in 7/core/updates_testing:
Updated packages in 8/core/updates_testing:
Made sure that all the listed packages were installed.
$ systemctl status avahi*
● avahi-daemon.service - Avahi mDNS/DNS-SD Stack
Loaded: loaded (/usr/lib/systemd/system/avahi-daemon.service; enabled; vendo>
Active: active (running) since Tue 2021-05-11 10:51:51 BST; 2 days ago
$ perl -e '$|=1; print "a"x(20*1024+1); sleep 1;' | socat -
--> check that avahi-daemon uses 100% CPU, does not react to any valid
requests anymore (at least not using that socket) and does not react to
1016 avahi 20 0 6036 3552 3196 R 100.0 0.0 1:11.54 avahi-daemon
$ sudo kill -9 1016
That worked. So, the problem can be reproduced.
Updated the packages and restarted the avahi daemon.
Ran the perl command again to test the PoC. top did not register any abnormal activity with respect to avahi. So, the issue is fixed.
$ avahi-browse --all -t
No relevant services.
Commands available are:
$ ls /usr/bin | grep avahi
Relevant services can be listed:
$ avahi-browse -b
PulseAudio Sound Server
WebDAV File Share
Thousand Parsec Server
FTP File Transfer
SubEthaEdit Collaborative Text Editor
72 in all.
Tried playing some music to give pulseaudio a sound sink but nothing is registered.
Not sure what to do at this point.
Installed the listed packages - noted a complaint - something about a scriptlet failed for avahi-sharp. Lost the details.
Started the avahi-daemon.
$ perl -e '$|=1; print "a"x(20*1024+1); sleep 1;' | socat - /run/avahi-daemon/socket
386616 avahi 20 0 7112 3852 3312 R 100.0 0.0 0:48.09 avahi-daemon
Mageia8 is vulnerable to the bug.
Updated packages from testing and noted that there was a problem with avahi-sharp-doc, something like invalid file format.
Restarted the avahi daemon and repeated the PoC. No CPU hogging so the issue is solved.
Not taking this any further just now. Very limited understanding of zeroconf services. Can only imagine that they are services available on the network that are actively touting for business. Not likely to find such on a simple home network.
Note that if you have an AirPrint-compatible network printer, it should appear in the "Print" menu by itself, because it uses the zeroconf service and CUPS to be set up.
On MGA7 and MGA8 x86_64, applying updates. Able to print to my shared Networked printer, avahi (zeroconf) OK.
MGA7TOO MGA7-64-OK MGA8-64-OK
Further to comment 4, tried this:
*** WARNING: Detected another IPv4 mDNS stack running on this host. This makes mDNS unreliable and is thus not recommended. ***
*** WARNING: Detected another IPv6 mDNS stack running on this host. This makes mDNS unreliable and is thus not recommended. ***
Joining mDNS multicast group on interface eno1.IPv6 with address fe80::1a31:bfff:fe6a:66e3.
New relevant interface eno1.IPv6 for mDNS.
Joining mDNS multicast group on interface eno1.IPv4 with address 192.168.1.100.
New relevant interface eno1.IPv4 for mDNS.
Joining mDNS multicast group on interface lo.IPv6 with address ::1.
New relevant interface lo.IPv6 for mDNS.
Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
New relevant interface lo.IPv4 for mDNS.
Network interface enumeration completed.
sendmsg() to ff02::fb failed: Network is unreachable
A GUI was displayed, listing the network printer on "eno1 IPv4" and _ssh._tcp
Remote Access on this machine and the fileserver. Clicking on an entry supplies further information, like Domain Name and LAN address.
@Aurelien in reply to comment 5.
Thanks, but where do you see "Print" menu? Do you mean the CUPS interface in a browser?
(In reply to Len Lawrence from comment #7)
> @Aurelien in reply to comment 5.
> Thanks, but where do you see "Print" menu? Do you mean the CUPS interface
> in a browser?
Yes, for sure.
Ah. In that case it does not work for me. All that shows is the usual entry for the printer, which is "okda" for the Photosmart 5520, nothing about avahi.
The avahi-discover-standalone command lists lots of entries, all about the printer, then times out on "Network is unreachable".
When it was first configured on this system 'network printer' was found and set up without any problem.
Yes, but you should open the zeroconf stuff in the shorewall firewall under Mageia Control Centre.
OK, done that. But, no luck. I think we shall have to be satisfied that it works for you. At least you know what you are doing.
Validating. Advisory in Comment 2.
An update for this issue has been pushed to the Mageia Updates repository.
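The advisory's fix description ("handling HUP event in client_work") as an added C example; it is not Avahi's code and not part of the original thread. It models a poll() loop with a fixed-size input buffer. The struct, the 64-byte buffer, the wakeup cap and the function names are constructed, and the assumed mechanism is that the loop stops requesting POLLIN once the buffer is full while the kernel keeps reporting POLLHUP.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define INBUF 64          /* constructed size; stands in for the daemon's input buffer */
#define MAX_WAKEUPS 1000  /* cap so the demonstration terminates */

struct client { int fd; char inbuf[INBUF]; size_t len; int closed; };

static void client_free(struct client *c) { close(c->fd); c->closed = 1; }

/* Event handler; handle_hup selects the patched behaviour. */
static void client_work(struct client *c, short revents, int handle_hup) {
    if (handle_hup && (revents & POLLHUP)) {
        client_free(c);                 /* peer is gone: drop the client */
        return;
    }
    if ((revents & POLLIN) && c->len < INBUF) {
        ssize_t r = read(c->fd, c->inbuf + c->len, INBUF - c->len);
        if (r <= 0) { client_free(c); return; }
        c->len += (size_t)r;            /* no newline arrives, so nothing is consumed */
    }
}

/* Returns how many times poll() woke the loop before the client was closed. */
int wakeups_until_closed(int handle_hup) {
    int sv[2], n = 0;
    char junk[INBUF + 1];
    struct client c = { .len = 0, .closed = 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    c.fd = sv[0];
    memset(junk, 'a', sizeof junk);
    if (write(sv[1], junk, sizeof junk) < 0) return -1;  /* one byte more than fits */
    close(sv[1]);                                        /* peer hangs up */
    while (!c.closed && n < MAX_WAKEUPS) {
        /* POLLIN is dropped once the buffer is full; POLLHUP is reported regardless. */
        struct pollfd p = { .fd = c.fd, .events = c.len < INBUF ? POLLIN : 0 };
        if (poll(&p, 1, 100) <= 0) break;   /* timeout or error: loop is idle */
        n++;
        client_work(&c, p.revents, handle_hup);
    }
    if (!c.closed) close(c.fd);
    return n;
}

int main(void) {
    printf("unpatched: %d wakeups\n", wakeups_until_closed(0));
    printf("patched:   %d wakeups\n", wakeups_until_closed(1));
    return 0;
}
```

Without the HUP check the loop never sleeps and runs into the cap, which is the 100% CPU seen in top above; with it the client is dropped on the first wakeup.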