avahi: fix CVE-2024-52616

CVE-2024-52616: A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-52616] [https://github.com/avahi/avahi/security/advisories/GHSA-r9j3-vjjh-p8vm] Upstream patches: [https://github.com/avahi/avahi/commit/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7] (From OE-Core rev: 0376d69c39305333f2b2817ae7a1f4911f63e2e9) Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry pick from commit: 28de3f131b17dc4165df927060ee51f0de3ada90) Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2025-07-17 17:34:38 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-07-24 12:36:36 -0700
commit: ac2dec7e509c2cd4b583704092f741bdc2f85142 (patch)
tree: fc53ce58d43ca0e8b9950bd75d9585a9b0036410
parent: 67269d1b228e47858fdb3b09968345642927f64e (diff)
download: poky-ac2dec7e509c2cd4b583704092f741bdc2f85142.tar.gz
2 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 220160a7e1..734a73541f 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -35,6 +35,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
           file://CVE-2023-38471-2.patch \
           file://CVE-2023-38472.patch \
           file://CVE-2023-38473.patch \
+           file://CVE-2024-52616.patch \
           "
 GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch b/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch
new file mode 100644
index 0000000000..a156f98728
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch
@@ -0,0 +1,104 @@
+From f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 11 Nov 2024 00:56:09 +0100
+Subject: [PATCH] Properly randomize query id of DNS packets
+CVE: CVE-2024-52616
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ avahi-core/wide-area.c | 36 ++++++++++++++++++++++++++++--------
+ configure.ac           |  3 ++-
+ 2 files changed, 30 insertions(+), 9 deletions(-)
+diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c
+index 971f5e714..00a15056e 100644
+--- a/avahi-core/wide-area.c
+++ b/avahi-core/wide-area.c
+@@ -40,6 +40,13 @@
+ #include "addr-util.h"
+ #include "rr-util.h"
+ 
+#ifdef HAVE_SYS_RANDOM_H
+#include <sys/random.h>
+#endif
+#ifndef HAVE_GETRANDOM
+#  define getrandom(d, len, flags) (-1)
+#endif
+
+ #define CACHE_ENTRIES_MAX 500
+ 
+ typedef struct AvahiWideAreaCacheEntry AvahiWideAreaCacheEntry;
+@@ -84,8 +91,6 @@ struct AvahiWideAreaLookupEngine {
+     int fd_ipv4, fd_ipv6;
+     AvahiWatch *watch_ipv4, *watch_ipv6;
+ 
+-    uint16_t next_id;
+-
+     /* Cache */
+     AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache);
+     AvahiHashmap *cache_by_key;
+@@ -201,6 +206,26 @@ static void sender_timeout_callback(AvahiTimeEvent *e, void *userdata) {
+     avahi_time_event_update(e, avahi_elapse_time(&tv, 1000, 0));
+ }
+ 
+static uint16_t get_random_uint16(void) {
+    uint16_t next_id;
+
+    if (getrandom(&next_id, sizeof(next_id), 0) == -1)
+        next_id = (uint16_t) rand();
+    return next_id;
+}
+
+static uint16_t avahi_wide_area_next_id(AvahiWideAreaLookupEngine *e) {
+    uint16_t next_id;
+
+    next_id = get_random_uint16();
+    while (find_lookup(e, next_id)) {
+        /* This ID is already used, get new. */
+        next_id = get_random_uint16();
+    }
+    return next_id;
+}
+
+
+ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+     AvahiWideAreaLookupEngine *e,
+     AvahiKey *key,
+@@ -227,11 +252,7 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+     /* If more than 65K wide area quries are issued simultaneously,
+      * this will break. This should be limited by some higher level */
+ 
+-    for (;; e->next_id++)
+-        if (!find_lookup(e, e->next_id))
+-            break; /* This ID is not yet used. */
+-
+-    l->id = e->next_id++;
+    l->id = avahi_wide_area_next_id(e);
+ 
+     /* We keep the packet around in case we need to repeat our query */
+     l->packet = avahi_dns_packet_new(0);
+@@ -604,7 +625,6 @@ AvahiWideAreaLookupEngine *avahi_wide_area_engine_new(AvahiServer *s) {
+         e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e);
+ 
+     e->n_dns_servers = e->current_dns_server = 0;
+-    e->next_id = (uint16_t) rand();
+ 
+     /* Initialize cache */
+     AVAHI_LLIST_HEAD_INIT(AvahiWideAreaCacheEntry, e->cache);
+diff --git a/configure.ac b/configure.ac
+index a3211b80e..31bce3d76 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -367,7 +367,8 @@ AC_FUNC_SELECT_ARGTYPES
+ # whether libc's malloc does too. (Same for realloc.)
+ #AC_FUNC_MALLOC
+ #AC_FUNC_REALLOC
+-AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname])
+AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname getrandom])
+AC_CHECK_HEADERS([sys/random.h])
+ 
+ AC_FUNC_CHOWN
+ AC_FUNC_STAT
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2025-07-17 17:34:38 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-07-24 12:36:36 -0700
commit	ac2dec7e509c2cd4b583704092f741bdc2f85142 (patch)
tree	fc53ce58d43ca0e8b9950bd75d9585a9b0036410
parent	67269d1b228e47858fdb3b09968345642927f64e (diff)
download	poky-ac2dec7e509c2cd4b583704092f741bdc2f85142.tar.gz

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index 220160a7e1..734a73541f 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -35,6 +35,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
35	file://CVE-2023-38471-2.patch \	35	file://CVE-2023-38471-2.patch \
36	file://CVE-2023-38472.patch \	36	file://CVE-2023-38472.patch \
37	file://CVE-2023-38473.patch \	37	file://CVE-2023-38473.patch \
		38	file://CVE-2024-52616.patch \
38	"	39	"
39		40
40	GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"	41	GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"


diff --git a/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch b/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch new file mode 100644 index 0000000000..a156f98728 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch
@@ -0,0 +1,104 @@
		1	From f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
		3	Date: Mon, 11 Nov 2024 00:56:09 +0100
		4	Subject: [PATCH] Properly randomize query id of DNS packets
		5
		6	CVE: CVE-2024-52616
		7	Upstream-Status: Backport [https://github.com/avahi/avahi/commit/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7]
		8
		9	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		10	---
		11	avahi-core/wide-area.c \| 36 ++++++++++++++++++++++++++++--------
		12	configure.ac \| 3 ++-
		13	2 files changed, 30 insertions(+), 9 deletions(-)
		14
		15	diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c
		16	index 971f5e714..00a15056e 100644
		17	--- a/avahi-core/wide-area.c
		18	+++ b/avahi-core/wide-area.c
		19	@@ -40,6 +40,13 @@
		20	#include "addr-util.h"
		21	#include "rr-util.h"
		22
		23	+#ifdef HAVE_SYS_RANDOM_H
		24	+#include <sys/random.h>
		25	+#endif
		26	+#ifndef HAVE_GETRANDOM
		27	+# define getrandom(d, len, flags) (-1)
		28	+#endif
		29	+
		30	#define CACHE_ENTRIES_MAX 500
		31
		32	typedef struct AvahiWideAreaCacheEntry AvahiWideAreaCacheEntry;
		33	@@ -84,8 +91,6 @@ struct AvahiWideAreaLookupEngine {
		34	int fd_ipv4, fd_ipv6;
		35	AvahiWatch watch_ipv4, watch_ipv6;
		36
		37	- uint16_t next_id;
		38	-
		39	/* Cache */
		40	AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache);
		41	AvahiHashmap *cache_by_key;
		42	@@ -201,6 +206,26 @@ static void sender_timeout_callback(AvahiTimeEvent e, void userdata) {
		43	avahi_time_event_update(e, avahi_elapse_time(&tv, 1000, 0));
		44	}
		45
		46	+static uint16_t get_random_uint16(void) {
		47	+ uint16_t next_id;
		48	+
		49	+ if (getrandom(&next_id, sizeof(next_id), 0) == -1)
		50	+ next_id = (uint16_t) rand();
		51	+ return next_id;
		52	+}
		53	+
		54	+static uint16_t avahi_wide_area_next_id(AvahiWideAreaLookupEngine *e) {
		55	+ uint16_t next_id;
		56	+
		57	+ next_id = get_random_uint16();
		58	+ while (find_lookup(e, next_id)) {
		59	+ /* This ID is already used, get new. */
		60	+ next_id = get_random_uint16();
		61	+ }
		62	+ return next_id;
		63	+}
		64	+
		65	+
		66	AvahiWideAreaLookup *avahi_wide_area_lookup_new(
		67	AvahiWideAreaLookupEngine *e,
		68	AvahiKey *key,
		69	@@ -227,11 +252,7 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
		70	/* If more than 65K wide area quries are issued simultaneously,
		71	* this will break. This should be limited by some higher level */
		72
		73	- for (;; e->next_id++)
		74	- if (!find_lookup(e, e->next_id))
		75	- break; /* This ID is not yet used. */
		76	-
		77	- l->id = e->next_id++;
		78	+ l->id = avahi_wide_area_next_id(e);
		79
		80	/* We keep the packet around in case we need to repeat our query */
		81	l->packet = avahi_dns_packet_new(0);
		82	@@ -604,7 +625,6 @@ AvahiWideAreaLookupEngine avahi_wide_area_engine_new(AvahiServer s) {
		83	e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e);
		84
		85	e->n_dns_servers = e->current_dns_server = 0;
		86	- e->next_id = (uint16_t) rand();
		87
		88	/* Initialize cache */
		89	AVAHI_LLIST_HEAD_INIT(AvahiWideAreaCacheEntry, e->cache);
		90	diff --git a/configure.ac b/configure.ac
		91	index a3211b80e..31bce3d76 100644
		92	--- a/configure.ac
		93	+++ b/configure.ac
		94	@@ -367,7 +367,8 @@ AC_FUNC_SELECT_ARGTYPES
		95	# whether libc's malloc does too. (Same for realloc.)
		96	#AC_FUNC_MALLOC
		97	#AC_FUNC_REALLOC
		98	-AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname])
		99	+AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname getrandom])
		100	+AC_CHECK_HEADERS([sys/random.h])
		101
		102	AC_FUNC_CHOWN
		103	AC_FUNC_STAT
		104