From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Thomas Perale <thomas.perale@mind.be>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/avahi: upstream patch for CVE-2026-34933
Date: Fri, 10 Jul 2026 15:51:42 +0200 [thread overview]
Message-ID: <20260710135142.759288-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260626195937.49027-1-thomas.perale@mind.be>
In reply of:
> This fixes the following vulnerability:
>
> - CVE-2026-34933:
> Avahi is a system which facilitates service discovery on a local
> network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4,
> any unprivileged local user can crash avahi-daemon by sending a single
> D-Bus method call with conflicting publish flags. This issue has been
> patched in version 0.9-rc4.
>
> For more information, see:
> - https://www.cve.org/CVERecord?id=CVE-2026-34933
> - https://github.com/avahi/avahi/commit/0be89b6bb5c3983837b5e0febcbbbf452ecf7675
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2026.05.x & 2025.02.x. Thanks
> ---
> ...both-wide-area-and-multicast-are-set.patch | 106 ++++++++++++++++++
> package/avahi/avahi.mk | 3 +
> 2 files changed, 109 insertions(+)
> create mode 100644 package/avahi/0017-core-refuse-to-accept-publish-flags-where-both-wide-area-and-multicast-are-set.patch
>
> diff --git a/package/avahi/0017-core-refuse-to-accept-publish-flags-where-both-wide-area-and-multicast-are-set.patch b/package/avahi/0017-core-refuse-to-accept-publish-flags-where-both-wide-area-and-multicast-are-set.patch
> new file mode 100644
> index 0000000000..de359b7d22
> --- /dev/null
> +++ b/package/avahi/0017-core-refuse-to-accept-publish-flags-where-both-wide-area-and-multicast-are-set.patch
> @@ -0,0 +1,106 @@
> +From 0be89b6bb5c3983837b5e0febcbbbf452ecf7675 Mon Sep 17 00:00:00 2001
> +From: Evgeny Vereshchagin <evvers@ya.ru>
> +Date: Wed, 1 Apr 2026 05:31:58 +0000
> +Subject: [PATCH] core: refuse to accept publish flags where both wide_area and
> + multicast are set
> +
> +It fixes a bug where it was possible for unprivileged local users to
> +crash avahi-daemon via D-Bus by calling EntryGroup methods accepting
> +flags and passing both AVAHI_PUBLISH_USE_WIDE_AREA and
> +AVAHI_PUBLISH_USE_MULTICAST there. For example when AddRecord was
> +invoked like that avahi-daemon crashed with
> +```
> +dbus-entry-group.c: interface=org.freedesktop.Avahi.EntryGroup, path=/Client0/EntryGroup1, member=AddRecord
> +avahi-daemon: entry.c:57: transport_flags_from_domain: Assertion `!((*flags & AVAHI_PUBLISH_USE_MULTICAST) && (*flags & AVAHI_PUBLISH_USE_WIDE_AREA))' failed.
> +==84944==
> +==84944== Process terminating with default action of signal 6 (SIGABRT)
> +==84944== at 0x4B353BC: __pthread_kill_implementation (pthread_kill.c:44)
> +==84944== by 0x4ADE941: raise (raise.c:26)
> +==84944== by 0x4AC64AB: abort (abort.c:77)
> +==84944== by 0x4AC641F: __assert_fail_base.cold (assert.c:118)
> +==84944== by 0x48A9404: transport_flags_from_domain (entry.c:57)
> +==84944== by 0x48A9F8F: server_add_internal (entry.c:224)
> +==84944== by 0x48AA49F: avahi_server_add (entry.c:324)
> +==84944== by 0x401A670: avahi_dbus_msg_entry_group_impl (dbus-entry-group.c:348)
> +==84944== by 0x4A70741: ??? (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3)
> +==84944== by 0x4A5FB22: dbus_connection_dispatch (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3)
> +==84944== by 0x401D01D: dispatch_timeout_callback (dbus-watch-glue.c:105)
> +==84944== by 0x488E3AE: timeout_callback (simple-watch.c:447)
> +==84944==
> +```
> +It's a follow-up to fbce111b069aa1e4c701ed37ee1d9f6d6cefaac5 where
> +those flags were introduced and consistent with the other places
> +where wide_area/multicast flags are used.
> +
> +It was discovered by
> +Guillaume Meunier - Head of Vulnerability Operations Center France - Orange Cyberdefense
> +
> +https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc
> +
> +CVE: CVE-2026-34933
> +Upstream: https://github.com/avahi/avahi/commit/0be89b6bb5c3983837b5e0febcbbbf452ecf7675
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + avahi-core/entry.c | 7 +++++++
> + 1 file changed, 7 insertions(+)
> +
> +diff --git a/avahi-core/entry.c b/avahi-core/entry.c
> +index 0d862133d..06eb12076 100644
> +--- a/avahi-core/entry.c
> ++++ b/avahi-core/entry.c
> +@@ -207,6 +207,7 @@ static AvahiEntry * server_add_internal(
> + AVAHI_PUBLISH_UPDATE|
> + AVAHI_PUBLISH_USE_WIDE_AREA|
> + AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> ++ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_domain_name(r->key->name), AVAHI_ERR_INVALID_HOST_NAME);
> + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, r->ttl != 0, AVAHI_ERR_INVALID_TTL);
> + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !avahi_key_is_pattern(r->key), AVAHI_ERR_IS_PATTERN);
> +@@ -454,6 +455,7 @@ int avahi_server_add_address(
> + AVAHI_PUBLISH_UPDATE|
> + AVAHI_PUBLISH_USE_WIDE_AREA|
> + AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> ++ AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> + AVAHI_CHECK_VALIDITY(s, !name || avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME);
> +
> + /* Prepare the host naem */
> +@@ -595,6 +597,7 @@ static int server_add_service_strlst_nocopy(
> + AVAHI_PUBLISH_UPDATE|
> + AVAHI_PUBLISH_USE_WIDE_AREA|
> + AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> ++ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
> +@@ -754,6 +757,7 @@ static int server_update_service_txt_strlst_nocopy(
> + AVAHI_PUBLISH_NO_COOKIE|
> + AVAHI_PUBLISH_USE_WIDE_AREA|
> + AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> ++ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
> +@@ -843,6 +847,7 @@ int avahi_server_add_service_subtype(
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE);
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL);
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS);
> ++ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
> + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
> +@@ -910,6 +915,7 @@ static AvahiEntry *server_add_dns_server_name(
> + assert(name);
> +
> + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> ++ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS);
> + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, port != 0, AVAHI_ERR_INVALID_PORT);
> + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME);
> +@@ -967,6 +973,7 @@ int avahi_server_add_dns_server_address(
> + AVAHI_CHECK_VALIDITY(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE);
> + AVAHI_CHECK_VALIDITY(s, AVAHI_PROTO_VALID(protocol) && AVAHI_PROTO_VALID(address->proto), AVAHI_ERR_INVALID_PROTOCOL);
> + AVAHI_CHECK_VALIDITY(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS);
> ++ AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
> + AVAHI_CHECK_VALIDITY(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS);
> + AVAHI_CHECK_VALIDITY(s, port != 0, AVAHI_ERR_INVALID_PORT);
> + AVAHI_CHECK_VALIDITY(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
> diff --git a/package/avahi/avahi.mk b/package/avahi/avahi.mk
> index bcba0a0a4f..0a674182bc 100644
> --- a/package/avahi/avahi.mk
> +++ b/package/avahi/avahi.mk
> @@ -60,6 +60,9 @@ AVAHI_IGNORE_CVES += CVE-2025-68471
> # 0016-core-fix-uncontrolled-recursion-bug-using-a-simple-loop-detection-algorithm.patch
> AVAHI_IGNORE_CVES += CVE-2026-24401
>
> +# 0017-core-refuse-to-accept-publish-flags-where-both-wide-area-and-multicast-are-set.patch
> +AVAHI_IGNORE_CVES += CVE-2026-34933
> +
> AVAHI_CONF_ENV = \
> avahi_cv_sys_cxx_works=yes \
> DATADIRNAME=share
> --
> 2.54.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
prev parent reply other threads:[~2026-07-10 13:51 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 19:59 [Buildroot] [PATCH 1/1] package/avahi: upstream patch for CVE-2026-34933 Thomas Perale via buildroot
2026-07-05 9:51 ` Julien Olivain via buildroot
2026-07-10 13:51 ` Thomas Perale via buildroot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260710135142.759288-1-thomas.perale@mind.be \
--to=buildroot@buildroot.org \
--cc=thomas.perale@mind.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox