Bug 1188083 - (CVE-2021-36217) VUL-0: CVE-2021-36217: avahi: local DoS against avahi-daemon via D-Bus interface
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: E-mail List
Security Team bot
https://smash.suse.de/issue/303546/
Reported: 2021-07-07 11:14 UTC by Matthias Gerstner
Modified: 2021-08-16 19:56 UTC (History)
Description Matthias Gerstner 2021-07-07 11:14:54 UTC
While reviewing the avahi-daemon source code I noticed that we are missing a
couple of fixes that have not been released by upstream and that also didn't
receive a CVE assignment.

The upstream fix is in commit 9d31939e [1].

[1]: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c

Two reproducers that can trigger these code paths as a local unprivileged user:

    dbus-send --system --print-reply --dest=org.freedesktop.Avahi / org.freedesktop.Avahi.Server.ResolveHostName int32:1 int32:0 string:localhost int32:0 uint32:0
    dbus-send --system --print-reply --dest=org.freedesktop.Avahi / org.freedesktop.Avahi.Server.ResolveService int32:1 int32:0 string:ssh string: string: int32:0 uint32:0

The result will be that avahi-daemon triggers an assertion and fails with
SIGABRT, consequently suffering a local DoS.

The Factory version is affected by this, I didn't look into our SLE versions.
Comment 1 Robert Frohl 2021-07-07 12:42:11 UTC
making this public as commit is public too.
Comment 3 Robert Frohl 2021-07-07 12:56:43 UTC
only affects version v0.8 (based on git tag --contains 8f75a04, see [1]) 

[1] https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c
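
Added example, not part of the original bug thread: a defender-side triage sketch for the failure the description reports (avahi-daemon dying with SIGABRT), combined with the version scope given in comment 3. The journal lines are constructed samples, the systemd exit-status message format and the shape of the `avahi-daemon --version` output are assumptions, and all function names are hypothetical.

```python
import re

# Assumed systemd journal format for a main process killed by a signal;
# status=6/ABRT is SIGABRT, which a failed assert() raises.
ABRT_RE = re.compile(
    r"avahi-daemon\.service: Main process exited, "
    r"code=(?:killed|dumped), status=6/ABRT"
)
# Assumed output shape of `avahi-daemon --version`, e.g. "avahi-daemon 0.8".
VERSION_RE = re.compile(r"avahi-daemon (\d+(?:\.\d+)+)")


def version_in_scope(version_output):
    """True if the reported version is 0.8 (the scope stated in comment 3).

    A distribution package of 0.8 with the upstream fix backported still
    reports 0.8, so this narrows triage; it does not prove exposure.
    """
    m = VERSION_RE.search(version_output)
    return bool(m) and m.group(1) == "0.8"


def abort_events(journal_lines):
    """Return the journal lines that record avahi-daemon dying with SIGABRT."""
    return [ln for ln in journal_lines if ABRT_RE.search(ln)]


def triage(version_output, journal_lines):
    """Summarise version scope and observed aborts for one host."""
    hits = abort_events(journal_lines)
    return {
        "version_in_scope": version_in_scope(version_output),
        "abort_count": len(hits),
        "first_abort": hits[0][:15] if hits else None,  # syslog-style timestamp
    }


# Constructed sample input (not taken from the bug report).
SAMPLE_JOURNAL = [
    "Jul 07 11:20:01 host avahi-daemon[812]: Server startup complete.",
    "Jul 07 11:21:13 host systemd[1]: avahi-daemon.service: Main process exited, code=dumped, status=6/ABRT",
    "Jul 07 11:21:13 host systemd[1]: avahi-daemon.service: Failed with result 'core-dump'.",
    "Jul 07 11:25:40 host systemd[1]: avahi-daemon.service: Main process exited, code=exited, status=0/SUCCESS",
]

if __name__ == "__main__":
    print(triage("avahi-daemon 0.8", SAMPLE_JOURNAL))
```

On a live host the inputs would come from `journalctl -u avahi-daemon` and `avahi-daemon --version`; a nonzero abort count on an in-scope version is a prompt to check whether the package carries the upstream fix.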
Comment 4 Michael Gorse 2021-07-09 14:36:47 UTC
This is a dup of bug 1184846.
Comment 5 Robert Frohl 2021-07-09 15:08:38 UTC
(In reply to Michael Gorse from comment #4)
> This is a dup of bug 1184846.

crap, I will update the CVE with mitre
Comment 6 Garrett Tucker 2021-08-06 16:42:03 UTC
(In reply to Robert Frohl from comment #5)
> (In reply to Michael Gorse from comment #4)
> > This is a dup of bug 1184846.
> 
> crap, I will update the CVE with mitre

Hey there, I'm Garrett, a Product Security Engineer at Red Hat. Did you end up updating the CVE as a dup with Mitre? We just had this CVE assignment come in and also noticed that it was a dup, but it seems to not have been updated by mitre. Just wanted to check in on that status since it still seems to be listed as its own CVE.
Comment 7 Robert Frohl 2021-08-09 08:16:32 UTC
(In reply to Garrett Tucker from comment #6)
> (In reply to Robert Frohl from comment #5)
> > (In reply to Michael Gorse from comment #4)
> > > This is a dup of bug 1184846.
> > 
> > crap, I will update the CVE with mitre
> 
> Hey there, I'm Garrett, a Product Security Engineer at Red Hat. Did you end
> up updating the CVE as a dup with Mitre? We just had this CVE assignment
> come in and also noticed that it was a dup, but it seems to not have been
> updated by mitre. Just wanted to check in on that status since it still
> seems to be listed as its own CVE.

I actually did, but I see no change. I will follow up again.
Comment 8 Robert Frohl 2021-08-09 08:22:59 UTC
(In reply to Robert Frohl from comment #7)
> I actually did, but I see no change. I will follow up again.

I also only got the response that mitre received my request, but not that the update was published.
Comment 9 Garrett Tucker 2021-08-09 13:21:56 UTC
(In reply to Robert Frohl from comment #8)
> (In reply to Robert Frohl from comment #7)
> > I actually did, but I see no change. I will follow up again.
> 
> I also only got the response that mitre received my request, but not
> that the update was published.

Hm, that is odd. Hopefully mitre takes action after another follow up. Perhaps the request just fell through the cracks. Thanks for following up on this Robert!
Comment 10 Robert Frohl 2021-08-16 07:20:02 UTC
(In reply to Garrett Tucker from comment #9)
> (In reply to Robert Frohl from comment #8)
> > (In reply to Robert Frohl from comment #7)
> > > I actually did, but I see no change. I will follow up again.
> > 
> > I also only got the response that mitre received my request, but not
> > that the update was published.
> 
> Hm, that is odd. Hopefully mitre takes action after another follow up.
> Perhaps the request just fell through the cracks. Thanks for following up on
> this Robert!

Just as an update: there is still no update from mitre, not sure if they are struggling with the current load and not looking at all requests.
Comment 11 Garrett Tucker 2021-08-16 19:56:46 UTC
(In reply to Robert Frohl from comment #10)
> (In reply to Garrett Tucker from comment #9)
> > (In reply to Robert Frohl from comment #8)
> > > (In reply to Robert Frohl from comment #7)
> > > > I actually did, but I see no change. I will follow up again.
> > > 
> > > I also only got the response that mitre received my request, but not
> > > that the update was published.
> > 
> > Hm, that is odd. Hopefully mitre takes action after another follow up.
> > Perhaps the request just fell through the cracks. Thanks for following up on
> > this Robert!
> 
> Just as an update: there is still no update from mitre, not sure if they are
> struggling with the current load and not looking at all requests.

They did actually update it a few days ago: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36217. This hasn't yet been reflected by NIST though. Mitre has not been replying to most requests though; I have sent a few unrelated to this and it seems they just make the changes and do not update or send confirmation of such. Either way, this seems to be fixed now. Thanks for helping out Robert! :)