Bug 31811 - avahi new security issue CVE-2023-1981
Summary: avahi new security issue CVE-2023-1981
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-04-18 13:48 CEST by David Walser
Modified: 2023-05-06 20:20 CEST

See Also:
Source RPM: avahi-0.8-9.mga9.src.rpm
CVE: CVE-2023-1981
Status comment:



Description David Walser 2023-04-18 13:48:02 CEST
Fedora has issued an advisory today (April 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VCTAFULPERZVYFFVHM7IEYXYRNHQDJAU/

Mageia 8 is also affected.
David Walser 2023-04-18 13:48:14 CEST

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-04-18 19:47:38 CEST
Assigning this globally as no one packager is in evidence for avahi.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-04-19 11:04:30 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Prevent crashes on some invalid DBus calls. (CVE-2023-1981)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1981
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VCTAFULPERZVYFFVHM7IEYXYRNHQDJAU/
========================

Updated packages in core/updates_testing:
========================
avahi-0.8-6.3.mga8
avahi-dnsconfd-0.8-6.3.mga8
avahi-sharp-0.8-6.3.mga8
avahi-sharp-doc-0.8-6.3.mga8
avahi-x11-0.8-6.3.mga8
lib(64)avahicore-gir0.6-0.8-6.3.mga8
lib(64)avahi-client3-0.8-6.3.mga8
lib(64)avahi-client-devel-0.8-6.3.mga8
lib(64)avahi-common3-0.8-6.3.mga8
lib(64)avahi-common-devel-0.8-6.3.mga8
lib(64)avahi-compat-howl0-0.8-6.3.mga8
lib(64)avahi-compat-howl-devel-0.8-6.3.mga8
lib(64)avahi-compat-libdns_sd1-0.8-6.3.mga8
lib(64)avahi-compat-libdns_sd-devel-0.8-6.3.mga8
lib(64)avahi-core7-0.8-6.3.mga8
lib(64)avahi-core-devel-0.8-6.3.mga8
lib(64)avahi-gir0.6-0.8-6.3.mga8
lib(64)avahi-glib1-0.8-6.3.mga8
lib(64)avahi-glib-devel-0.8-6.3.mga8
lib(64)avahi-gobject0-0.8-6.3.mga8
lib(64)avahi-gobject-devel-0.8-6.3.mga8
lib(64)avahi-libevent1-0.8-6.3.mga8
lib(64)avahi-libevent-devel-0.8-6.3.mga8
lib(64)avahi-qt5_1-0.8-6.3.mga8
lib(64)avahi-qt5-devel-0.8-6.3.mga8
lib(64)avahi-ui-gtk3_0-0.8-6.3.mga8
lib(64)avahi-ui-gtk3-devel-0.8-6.3.mga8

from SRPM:
avahi-0.8-6.3.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8
CVE: (none) => CVE-2023-1981
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status comment: Patch available from Fedora => (none)

Comment 3 Len Lawrence 2023-04-25 21:59:12 CEST
mageia8, x86_64

Not much information about this vulnerability online. Installed everything before updating, then used qarepo and MageiaUpdate to update all the packages.

It looks like the service avahi-daemon was restarted on installation.
Tried some commands.
$ avahi-resolve-host-name localhost.localdomain
localhost.localdomain	127.0.0.1
$ avahi-browse --all -t
+   eno1 IPv4 HP Officejet 100 Mobile l411 @ canopus  _ipps._tcp           local
+   eno1 IPv4 HP Photosmart 5520 @ canopus            _ipps._tcp           local
+     lo IPv4 HP Officejet 100 Mobile l411 @ canopus  _ipps._tcp           local
+     lo IPv4 HP Photosmart 5520 @ canopus            _ipps._tcp           local
+   eno1 IPv4 HP Officejet 100 Mobile l411 @ canopus  _printer._tcp        local
+   eno1 IPv4 HP Photosmart 5520 @ canopus            _printer._tcp        local
+     lo IPv4 HP Officejet 100 Mobile l411 @ canopus  _printer._tcp        local
+     lo IPv4 HP Photosmart 5520 @ canopus            _printer._tcp        local
+   eno1 IPv4 HP Officejet 100 Mobile l411 @ canopus  _ipp._tcp            local
+   eno1 IPv4 HP Photosmart 5520 @ canopus            _ipp._tcp            local
+     lo IPv4 HP Officejet 100 Mobile l411 @ canopus  _ipp._tcp            local
+     lo IPv4 HP Photosmart 5520 @ canopus            _ipp._tcp            local
+   eno1 IPv4 canopus                                 _ssh._tcp            local
+   eno1 IPv4 Remote Access on canopus                _ssh._tcp            local
+     lo IPv4 canopus                                 _ssh._tcp            local
+     lo IPv4 Remote Access on canopus                _ssh._tcp            local
+   eno1 IPv4 Remote Access on canopus                _sftp-ssh._tcp       local
+   eno1 IPv4 Remote Access on gomeisa                _sftp-ssh._tcp       local
+     lo IPv4 Remote Access on canopus                _sftp-ssh._tcp       local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _ipp._tcp            local
+   eno1 IPv4 gomeisa                                 _ssh._tcp            local
+   eno1 IPv4 Remote Access on gomeisa                _ssh._tcp            local
+   eno1 IPv4 spica                                   _http._tcp           local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _pdl-datastream._tcp local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _http._tcp           local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _scanner._tcp        local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _http-alt._tcp       local
+   eno1 IPv4 Photosmart 5520 series [DF8761]         _uscan._tcp          local
$ ls /usr/bin | grep avahi
avahi-browse*
avahi-browse-domains@
avahi-discover-standalone*
avahi-publish*
avahi-publish-address@
avahi-publish-service@
avahi-resolve*
avahi-resolve-address@
avahi-resolve-host-name@
avahi-set-host-name*
$ avahi-discover-standalone
This lists a number of devices and pops up a widget 'Avahi discovery' which displays the list of devices against the interface name.  Clicking on any entry gives more information about the device.

The other commands require more knowledge so this is as far as it goes.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2023-04-26 15:16:25 CEST
Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-05-06 18:09:56 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-05-06 20:20:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0158.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

