Reachable assertion in dbus_set_host_name #453

Closed
evverx opened this issue Apr 25, 2023 · 2 comments · Fixed by #494
Labels
bug important High priority

@evverx
Member

evverx commented Apr 25, 2023

It can be triggered by unprivileged local users unless 1c599d8 is backported.

busctl call org.freedesktop.Avahi / org.freedesktop.Avahi.Server2 SetHostName "s" 'A\.B'
dbus-protocol.c: interface=org.freedesktop.Avahi.Server2, path=/, member=SetHostName
domain.c:242: int avahi_domain_equal(const char *, const char *): Assertion `r' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff788ec0c in __pthread_kill_implementation () from /lib64/libc.so.6
Missing separate debuginfos, use: dnf debuginfo-install dbus-libs-1.14.4-1.fc36.x86_64 expat-2.5.0-1.fc36.x86_64 glibc-2.35-20.fc36.x86_64 libcap-2.48-4.fc36.x86_64 libdaemon-0.14-23.fc36.x86_64 libgcc-12.2.1-4.fc36.x86_64 libgpg-error-1.45-1.fc36.x86_64 libzstd-1.5.2-2.fc36.x86_64 lz4-libs-1.9.3-4.fc36.x86_64 sssd-client-2.7.4-1.fc36.x86_64 systemd-libs-250.8-1.fc36.x86_64 xz-libs-5.2.5-9.fc36.x86_64
(gdb) bt
#0  0x00007ffff788ec0c in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007ffff783e986 in raise () from /lib64/libc.so.6
#2  0x00007ffff78287f4 in abort () from /lib64/libc.so.6
#3  0x00007ffff782871b in __assert_fail_base.cold () from /lib64/libc.so.6
#4  0x00007ffff7837536 in __assert_fail () from /lib64/libc.so.6
#5  0x00007ffff7f962cc in avahi_domain_equal (a=<optimized out>, b=0x602000003ff2 "") at domain.c:242
#6  0x00007ffff7e36d0a in avahi_server_set_host_name (s=0x616000001880, host_name=<optimized out>) at server.c:1310
#7  0x000000000053f4b8 in dbus_set_host_name (c=0x612000001fc0, m=0x610000000740, error=<optimized out>) at dbus-protocol.c:261
#8  dbus_select_common_methods (c=<optimized out>, m=0x610000000740, userdata=<optimized out>, iface=<optimized out>, error=<optimized out>) at dbus-protocol.c:1010
#9  0x000000000053e719 in msg_server_impl (c=0x612000001fc0, m=0x610000000740, userdata=<optimized out>) at dbus-protocol.c:1191
#10 0x00007ffff7cf3d11 in dbus_connection_dispatch () from /lib64/libdbus-1.so.3
#11 0x0000000000562026 in dispatch_timeout_callback (t=t@entry=0x606000001dc0, userdata=0x603000002110) at ../avahi-common/dbus-watch-glue.c:105
#12 0x00007ffff7fa1c80 in timeout_callback (t=t@entry=0x606000001dc0) at simple-watch.c:447
#13 0x00007ffff7fa0d37 in avahi_simple_poll_dispatch (s=s@entry=0x60e000000120) at simple-watch.c:567
#14 0x00007ffff7fa1e7d in avahi_simple_poll_iterate (s=0x60e000000120, timeout=timeout@entry=-1) at simple-watch.c:605
#15 0x000000000051e503 in run_server (c=<optimized out>) at main.c:1268
#16 0x0000000000517bdf in main (argc=<optimized out>, argv=<optimized out>) at main.c:1686
@pemensik
Member

PR #427 is already merged. That means this should be possible just by root. We want it fixed anyway. In general dots are quite poorly handled in almost all dbus methods using hostnames.

@carnil

carnil commented Oct 5, 2023

This issue appears to have CVE-2023-38471 assigned.

msekletar added a commit to msekletar/avahi that referenced this issue Oct 23, 2023
Previously we could create invalid escape sequence when we split the
string on dot. For example, from valid host name "Foo\\.Bar" we have
created invalid name "Foo\\" and tried to set that as a hostname which
later crashed the daemon.

Fixes avahi#453

CVE-2023-38471
msekletar added a commit to msekletar/avahi that referenced this issue Oct 23, 2023
Previously we could create invalid escape sequence when we split the
string on dot. For example, from valid host name "foo\\.bar" we have
created invalid name "foo\\" and tried to set that as a hostname which
crashed the daemon.

Fixes avahi#453

CVE-2023-38471
msekletar added a commit to msekletar/avahi that referenced this issue Oct 23, 2023
Previously we could create invalid escape sequence when we split the
string on dot. For example, from valid host name "foo\\.bar" we have
created invalid name "foo\\" and tried to set that as the host name
which crashed the daemon.

Fixes avahi#453

CVE-2023-38471
evverx pushed a commit that referenced this issue Oct 24, 2023
Previously we could create invalid escape sequence when we split the
string on dot. For example, from valid host name "foo\\.bar" we have
created invalid name "foo\\" and tried to set that as the host name
which crashed the daemon.

Fixes #453

CVE-2023-38471
evverx added a commit to evverx/avahi that referenced this issue Oct 24, 2023
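
The failure described in the commit messages above, as an added C example that is not Avahi's code: cutting a host name at the first `.` byte can split an escape sequence in half, while an escape-aware label parser keeps `\.` inside the label. The function names and the simplified escaping rules (only `\.` and `\\`) are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Avahi's parser: "\." is a literal dot, "\\" a literal
 * backslash (decimal \DDD escapes omitted). Reads one label from *name into
 * dest and steps past its separating dot. NULL on a bad or dangling escape. */
static char *unescape_label(const char **name, char *dest, size_t size) {
    size_t i = 0;
    while (**name && **name != '.') {
        char c = *(*name)++;
        if (c == '\\') {
            c = **name;               /* peek: '\0' here means a dangling '\' */
            if (c != '.' && c != '\\')
                return NULL;
            (*name)++;
        }
        if (i + 1 >= size)
            return NULL;              /* label does not fit */
        dest[i++] = c;
    }
    if (**name == '.') (*name)++;
    dest[i] = '\0';
    return dest;
}

/* Returns 1 if every label of name unescapes cleanly, 0 otherwise. */
static int is_valid_name(const char *name) {
    char label[64];
    while (*name)
        if (!unescape_label(&name, label, sizeof label))
            return 0;
    return 1;
}

/* Flawed split: cuts at the first '.' byte and ignores escaping. */
static void first_label_naive(const char *host, char *out, size_t size) {
    size_t n = strcspn(host, ".");
    if (n >= size) n = size - 1;
    memcpy(out, host, n);
    out[n] = '\0';
}

int main(void) {
    const char *host = "A\\.B";       /* bytes A\.B, the value from the report */
    char cut[64], label[64];
    first_label_naive(host, cut, sizeof cut);
    printf("naive cut \"%s\": valid=%d\n", cut, is_valid_name(cut));
    printf("escape-aware: %s\n", unescape_label(&host, label, sizeof label) ? label : "(rejected)");
    return 0;
}
```

Rejecting the name when the label parser returns NULL, rather than asserting on it later, turns this input into an ordinary error reply.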