diff --git a/0001-socket-Still-read-corrupt-packets-from-the-sockets.patch b/0001-socket-Still-read-corrupt-packets-from-the-sockets.patch
new file mode 100644
index 0000000..845ba34
--- /dev/null
+++ b/0001-socket-Still-read-corrupt-packets-from-the-sockets.patch
@@ -0,0 +1,71 @@
+From 46109dfec75534fe270c0ab902576f685d5ab3a6 Mon Sep 17 00:00:00 2001
+From: Vincent Untz
+Date: Fri, 18 Feb 2011 23:37:00 +0100
+Subject: [PATCH] socket: Still read corrupt packets from the sockets
+
+Else, we end up with an infinite loop with 100% CPU.
+
+http://www.avahi.org/ticket/325
+https://bugzilla.redhat.com/show_bug.cgi?id=667187
+---
+ avahi-core/socket.c | 21 +++++++++++----------
+ 1 files changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/avahi-core/socket.c b/avahi-core/socket.c
+index be62105..e69ec7d 100644
+--- a/avahi-core/socket.c
++++ b/avahi-core/socket.c
+@@ -653,10 +653,6 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv4(
+ goto fail;
+ }
+
+- /* For corrupt packets FIONREAD returns zero size (See rhbz #607297) */
+- if (!ms)
+- goto fail;
+-
+ p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE);
+
+ io.iov_base = AVAHI_DNS_PACKET_DATA(p);
+@@ -683,10 +679,14 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv4(
+ goto fail;
+ }
+
+- if (sa.sin_addr.s_addr == INADDR_ANY) {
++ /* For corrupt packets FIONREAD returns zero size (See rhbz #607297). So
++ * fail after having read them. */
++ if (!ms)
++ goto fail;
++
++ if (sa.sin_addr.s_addr == INADDR_ANY)
+ /* Linux 2.4 behaves very strangely sometimes! */
+ goto fail;
+- }
+
+ assert(!(msg.msg_flags & MSG_CTRUNC));
+ assert(!(msg.msg_flags & MSG_TRUNC));
+@@ -810,10 +810,6 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv6(
+ goto fail;
+ }
+
+- /* For corrupt packets FIONREAD returns zero size (See rhbz #607297) */
+- if (!ms)
+- goto fail;
+-
+ p = avahi_dns_packet_new(ms + AVAHI_DNS_PACKET_EXTRA_SIZE);
+
+ io.iov_base = AVAHI_DNS_PACKET_DATA(p);
+@@ -841,6 +837,11 @@ AvahiDnsPacket *avahi_recv_dns_packet_ipv6(
+ goto fail;
+ }
+
++ /* For corrupt packets FIONREAD returns zero size (See rhbz #607297). So
++ * fail after having read them. */
++ if (!ms)
++ goto fail;
++
+ assert(!(msg.msg_flags & MSG_CTRUNC));
+ assert(!(msg.msg_flags & MSG_TRUNC));
+
+--
+1.7.4.1
+
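Review bot: The `assert(!(msg.msg_flags & MSG_CTRUNC))` and `assert(!(msg.msg_flags & MSG_TRUNC))` lines that follow the relocated `if (!ms)` check, in both avahi_recv_dns_packet_ipv4 and avahi_recv_dns_packet_ipv6, still tie the daemon's fate to flags the kernel reports for a datagram that came from the network. The receive buffer is sized from the earlier FIONREAD result, and this patch itself documents a case where that size does not match what recvmsg() dequeues. If such a mismatch ever produced MSG_TRUNC for a non-zero `ms`, the process would presumably abort where assertions are enabled, or continue with a truncated packet where they are compiled out. Handling it on the normal error path would be more robust: `if (msg.msg_flags & (MSG_CTRUNC | MSG_TRUNC)) goto fail;`. Both function bodies start and end outside the hunks shown, so this assumes the cleanup at `fail` releases `p`.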
diff --git a/avahi.spec b/avahi.spec index 0b23bfa..dfad056 100644 --- a/avahi.spec +++ b/avahi.spec @@ -6,7 +6,7 @@ %endif Name: avahi Version: 0.6.27 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Local network service discovery Group: System Environment/Base License: LGPLv2 @@ -44,6 +44,7 @@ BuildRequires: mono-devel >= 1.1.13 %endif Obsoletes: howl Source0: http://avahi.org/download/%{name}-%{version}.tar.gz +Patch0: 0001-socket-Still-read-corrupt-packets-from-the-sockets.patch %description Avahi is a system which facilitates service discovery on @@ -300,6 +301,7 @@ fashion with mDNS. %prep %setup -q +%patch0 -p1 %build %configure --with-distro=fedora --disable-monodoc --with-avahi-user=avahi --with-avahi-group=avahi --with-avahi-priv-access-group=avahi --with-autoipd-user=avahi-autoipd --with-autoipd-group=avahi-autoipd --with-systemdsystemunitdir=/lib/systemd/system --enable-introspection=no \ @@ -644,6 +646,9 @@ fi %endif %changelog +* Wed Mar 9 2011 Lennart Poettering - 0.6.27-4 +- Fix CVE-2011-1002 + * Wed Aug 4 2010 Lennart Poettering - 0.6.27-3 - convert from systemd-install to systemctl enable