commit:     2cb38a305bb287c97344443ca4913f86bf30e96d
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Thu Jun 26 19:48:44 2025 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Thu Jun 26 19:49:35 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2cb38a30

net-dns/avahi: Revbump, add patch for CVE-2024-52615 (bug #959127)

Bug: https://bugs.gentoo.org/959127
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-dns/avahi/avahi-0.9_rc2-r1.ebuild              | 204 +++++++++++++++++++
 .../avahi/files/avahi-0.9_rc2-CVE-2024-52615.patch | 225 +++++++++++++++++++++
 2 files changed, 429 insertions(+)

diff --git a/net-dns/avahi/avahi-0.9_rc2-r1.ebuild 
b/net-dns/avahi/avahi-0.9_rc2-r1.ebuild
new file mode 100644
index 000000000000..37bb93805c41
--- /dev/null
+++ b/net-dns/avahi/avahi-0.9_rc2-r1.ebuild
@@ -0,0 +1,204 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..13} )
+PYTHON_REQ_USE="gdbm"
+inherit autotools multilib-minimal python-single-r1 systemd
+
+DESCRIPTION="System which facilitates service discovery on a local network"
+HOMEPAGE="https://avahi.org/";
+SRC_URI="https://github.com/lathiat/avahi/archive/v${PV/_/-}.tar.gz -> 
${P}.tar.gz"
+S="${WORKDIR}/${PN}-${PV/_/-}"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv 
~s390 ~sparc ~x86"
+IUSE="autoipd bookmarks +dbus doc gdbm gtk howl-compat +introspection ipv6 
mdnsresponder-compat nls python qt5 selinux systemd test"
+
+REQUIRED_USE="
+       python? ( dbus gdbm ${PYTHON_REQUIRED_USE} )
+       bookmarks? ( python )
+       howl-compat? ( dbus )
+       mdnsresponder-compat? ( dbus )
+       systemd? ( dbus )
+"
+
+RESTRICT="!test? ( test )"
+
+DEPEND="
+       dev-libs/libdaemon
+       dev-libs/libevent:=[${MULTILIB_USEDEP}]
+       dev-libs/expat
+       dev-libs/glib:2[${MULTILIB_USEDEP}]
+       gdbm? ( sys-libs/gdbm:=[${MULTILIB_USEDEP}] )
+       qt5? ( dev-qt/qtcore:5 )
+       gtk?  ( x11-libs/gtk+:3[${MULTILIB_USEDEP}] )
+       dbus? ( sys-apps/dbus[${MULTILIB_USEDEP}] )
+       kernel_linux? ( sys-libs/libcap )
+       introspection? ( dev-libs/gobject-introspection:= )
+       systemd? ( sys-apps/systemd:=[${MULTILIB_USEDEP}] )
+       python? (
+               ${PYTHON_DEPS}
+               $(python_gen_cond_dep '
+                       bookmarks? ( 
>=dev-python/twisted-16.0.0[${PYTHON_USEDEP}] )
+                       dbus? ( dev-python/dbus-python[${PYTHON_USEDEP}] )
+                       introspection? ( 
dev-python/pygobject:3[${PYTHON_USEDEP}] )
+               ')
+       )
+"
+RDEPEND="
+       acct-user/avahi
+       acct-group/avahi
+       acct-group/netdev
+       autoipd? (
+               acct-user/avahi-autoipd
+               acct-group/avahi-autoipd
+       )
+       ${DEPEND}
+       selinux? ( sec-policy/selinux-avahi )
+"
+BDEPEND="
+       dev-util/glib-utils
+       doc? ( app-text/doxygen )
+       app-text/xmltoman
+       sys-devel/gettext
+       virtual/pkgconfig
+"
+
+MULTILIB_WRAPPED_HEADERS=( /usr/include/avahi-qt5/qt-watch.h )
+
+PATCHES=(
+       "${FILESDIR}/avahi-0.9_rc1-disable-avahi-ui-sharp.patch" # bug 769062
+       "${FILESDIR}/avahi-0.9_rc2-CVE-2024-52615.patch"
+)
+
+pkg_setup() {
+       use python && python-single-r1_pkg_setup
+}
+
+src_prepare() {
+       default
+
+       if ! use ipv6; then
+               sed -i \
+                       -e "s/use-ipv6=yes/use-ipv6=no/" \
+                       avahi-daemon/avahi-daemon.conf || die
+       fi
+
+       sed -i \
+               -e 
"s:\\.\\./\\.\\./\\.\\./doc/avahi-docs/html/:../../../doc/${PF}/html/:" \
+               doxygen_to_devhelp.xsl || die
+
+       eautoreconf
+
+       # bundled manpages
+       multilib_copy_sources
+}
+
+multilib_src_configure() {
+       local myconf=(
+               --disable-gtk
+               --disable-mono
+               --disable-monodoc
+               --disable-python-dbus
+               --disable-qt3
+               --disable-qt4
+               --disable-static
+               --enable-manpages
+               --enable-glib
+               --enable-gobject
+               --enable-xmltoman
+               --localstatedir="${EPREFIX}/var"
+               --runstatedir="${EPREFIX}/run"
+               --with-distro=gentoo
+               --with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
+               $(use_enable dbus)
+               $(use_enable gdbm)
+               $(use_enable gtk gtk3)
+               $(use_enable howl-compat compat-howl)
+               $(use_enable mdnsresponder-compat compat-libdns_sd)
+               $(use_enable nls)
+               $(use_enable systemd libsystemd)
+               $(multilib_native_use_enable autoipd)
+               $(multilib_native_use_enable doc doxygen-doc)
+               $(multilib_native_use_enable introspection)
+               $(multilib_native_use_enable python)
+               $(multilib_native_use_enable test tests)
+       )
+
+       if use python; then
+               myconf+=(
+                       $(multilib_native_use_enable dbus python-dbus)
+                       $(multilib_native_use_enable introspection pygobject)
+               )
+       fi
+
+       if ! multilib_is_native_abi; then
+               myconf+=(
+                       # used by daemons only
+                       --disable-libdaemon
+                       --with-xml=none
+               )
+       fi
+
+       myconf+=( $(multilib_native_use_enable qt5) )
+
+       econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+       emake
+
+       multilib_is_native_abi && use doc && emake avahi.devhelp
+}
+
+multilib_src_install() {
+       emake install DESTDIR="${D}"
+
+       if ! use bookmarks || ! use python || ! use dbus; then
+               rm -f "${ED}"/usr/bin/avahi-bookmarks || die
+       fi
+
+       # https://github.com/lathiat/avahi/issues/28
+       use howl-compat && dosym avahi-compat-howl.pc 
/usr/$(get_libdir)/pkgconfig/howl.pc
+       use mdnsresponder-compat && dosym avahi-compat-libdns_sd/dns_sd.h 
/usr/include/dns_sd.h
+
+       if multilib_is_native_abi && use doc; then
+               docinto html
+               dodoc -r doxygen/html/.
+               insinto /usr/share/devhelp/books/avahi
+               doins avahi.devhelp
+       fi
+
+       # The build system creates an empty "/run" directory, so we clean it up 
here
+       rmdir "${ED}"/run || die
+}
+
+multilib_src_install_all() {
+       use python && python_optimize
+
+       if use autoipd; then
+               insinto /lib/rcscripts/net
+               doins "${FILESDIR}"/autoipd.sh
+
+               insinto /lib/netifrc/net
+               newins "${FILESDIR}"/autoipd-openrc.sh autoipd.sh
+       fi
+
+       dodoc docs/{AUTHORS,NEWS,README,TODO}
+
+       find "${ED}" -name '*.la' -type f -delete || die
+}
+
+pkg_postinst() {
+       if use autoipd; then
+               elog
+               elog "To use avahi-autoipd to configure your interfaces with 
IPv4LL (RFC3927)"
+               elog "addresses, just set config_<interface>=( autoipd ) in 
/etc/conf.d/net!"
+               elog
+       fi
+
+       systemd_reenable avahi-daemon.service
+}
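Review bot: The new `PATCHES` entry for the CVE patch carries no bug reference, unlike the entry directly above it, which is tagged `# bug 769062`. A trailing comment such as `"${FILESDIR}/avahi-0.9_rc2-CVE-2024-52615.patch" # bug 959127` would let whoever does the next version bump see why the patch is carried and decide when it can be dropped. The patch file's own header names the upstream commit, so the ebuild comment only needs the bug number.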

diff --git a/net-dns/avahi/files/avahi-0.9_rc2-CVE-2024-52615.patch 
b/net-dns/avahi/files/avahi-0.9_rc2-CVE-2024-52615.patch
new file mode 100644
index 000000000000..40cb5b539e48
--- /dev/null
+++ b/net-dns/avahi/files/avahi-0.9_rc2-CVE-2024-52615.patch
@@ -0,0 +1,225 @@
+commit 4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942
+Author: Michal Sekletar <[email protected]>
+Date:   Wed Nov 27 18:07:32 2024 +0100
+
+    core/wide-area: fix for CVE-2024-52615
+
+diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c
+index 00a1505..06df7af 100644
+--- a/avahi-core/wide-area.c
++++ b/avahi-core/wide-area.c
+@@ -81,6 +81,10 @@ struct AvahiWideAreaLookup {
+ 
+     AvahiAddress dns_server_used;
+ 
++    int fd;
++    AvahiWatch *watch;
++    AvahiProtocol proto;
++
+     AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, lookups);
+     AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, by_key);
+ };
+@@ -88,9 +92,6 @@ struct AvahiWideAreaLookup {
+ struct AvahiWideAreaLookupEngine {
+     AvahiServer *server;
+ 
+-    int fd_ipv4, fd_ipv6;
+-    AvahiWatch *watch_ipv4, *watch_ipv6;
+-
+     /* Cache */
+     AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache);
+     AvahiHashmap *cache_by_key;
+@@ -125,35 +126,67 @@ static AvahiWideAreaLookup* 
find_lookup(AvahiWideAreaLookupEngine *e, uint16_t i
+     return l;
+ }
+ 
++static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, 
AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata);
++
+ static int send_to_dns_server(AvahiWideAreaLookup *l, AvahiDnsPacket *p) {
++    AvahiWideAreaLookupEngine *e;
+     AvahiAddress *a;
++    AvahiServer *s;
++    AvahiWatch *w;
++    int r;
+ 
+     assert(l);
+     assert(p);
+ 
+-    if (l->engine->n_dns_servers <= 0)
++    e = l->engine;
++    assert(e);
++
++    s = e->server;
++    assert(s);
++
++    if (e->n_dns_servers <= 0)
+         return -1;
+ 
+-    assert(l->engine->current_dns_server < l->engine->n_dns_servers);
++    assert(e->current_dns_server < e->n_dns_servers);
+ 
+-    a = &l->engine->dns_servers[l->engine->current_dns_server];
++    a = &e->dns_servers[e->current_dns_server];
+     l->dns_server_used = *a;
+ 
+-    if (a->proto == AVAHI_PROTO_INET) {
++    if (l->fd >= 0) {
++        /* We are reusing lookup object and sending packet to another server 
so let's cleanup before we establish connection to new server. */
++        s->poll_api->watch_free(l->watch);
++        l->watch = NULL;
+ 
+-        if (l->engine->fd_ipv4 < 0)
+-            return -1;
+-
+-        return avahi_send_dns_packet_ipv4(l->engine->fd_ipv4, 
AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv4, AVAHI_DNS_PORT);
+-
+-    } else {
+-        assert(a->proto == AVAHI_PROTO_INET6);
+-
+-        if (l->engine->fd_ipv6 < 0)
+-            return -1;
+-
+-        return avahi_send_dns_packet_ipv6(l->engine->fd_ipv6, 
AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv6, AVAHI_DNS_PORT);
++        close(l->fd);
++        l->fd = -EBADF;
+     }
++
++    assert(a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6);
++
++    if (a->proto == AVAHI_PROTO_INET)
++        r = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1;
++    else
++        r = s->config.use_ipv6 ? avahi_open_unicast_socket_ipv6() : -1;
++
++    if (r < 0) {
++        avahi_log_error(__FILE__ ": Failed to create socket for wide area 
lookup");
++        return -1;
++    }
++
++    w = s->poll_api->watch_new(s->poll_api, r, AVAHI_WATCH_IN, socket_event, 
l);
++    if (!w) {
++        close(r);
++        avahi_log_error(__FILE__ ": Failed to create socket watch for wide 
area lookup");
++        return -1;
++    }
++
++    l->fd = r;
++    l->watch = w;
++    l->proto = a->proto;
++
++    return a->proto == AVAHI_PROTO_INET ?
++                avahi_send_dns_packet_ipv4(l->fd, AVAHI_IF_UNSPEC, p, NULL, 
&a->data.ipv4, AVAHI_DNS_PORT):
++                avahi_send_dns_packet_ipv6(l->fd, AVAHI_IF_UNSPEC, p, NULL, 
&a->data.ipv6, AVAHI_DNS_PORT);
+ }
+ 
+ static void next_dns_server(AvahiWideAreaLookupEngine *e) {
+@@ -246,6 +279,9 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+     l->dead = 0;
+     l->key = avahi_key_ref(key);
+     l->cname_key = avahi_key_new_cname(l->key);
++    l->fd = -EBADF;
++    l->watch = NULL;
++    l->proto = AVAHI_PROTO_UNSPEC;
+     l->callback = callback;
+     l->userdata = userdata;
+ 
+@@ -314,6 +350,12 @@ static void lookup_destroy(AvahiWideAreaLookup *l) {
+     if (l->cname_key)
+         avahi_key_unref(l->cname_key);
+ 
++    if (l->watch)
++            l->engine->server->poll_api->watch_free(l->watch);
++
++    if (l->fd >= 0)
++        close(l->fd);
++
+     avahi_free(l);
+ }
+ 
+@@ -572,14 +614,20 @@ finish:
+ }
+ 
+ static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, 
AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata) {
+-    AvahiWideAreaLookupEngine *e = userdata;
++    AvahiWideAreaLookup *l = userdata;
++    AvahiWideAreaLookupEngine *e = l->engine;
+     AvahiDnsPacket *p = NULL;
+ 
+-    if (fd == e->fd_ipv4)
+-        p = avahi_recv_dns_packet_ipv4(e->fd_ipv4, NULL, NULL, NULL, NULL, 
NULL);
++    assert(l);
++    assert(e);
++    assert(l->fd == fd);
++
++    if (l->proto == AVAHI_PROTO_INET)
++        p = avahi_recv_dns_packet_ipv4(l->fd, NULL, NULL, NULL, NULL, NULL);
+     else {
+-        assert(fd == e->fd_ipv6);
+-        p = avahi_recv_dns_packet_ipv6(e->fd_ipv6, NULL, NULL, NULL, NULL, 
NULL);
++        assert(l->proto == AVAHI_PROTO_INET6);
++
++        p = avahi_recv_dns_packet_ipv6(l->fd, NULL, NULL, NULL, NULL, NULL);
+     }
+ 
+     if (p) {
+@@ -598,32 +646,6 @@ AvahiWideAreaLookupEngine 
*avahi_wide_area_engine_new(AvahiServer *s) {
+     e->server = s;
+     e->cleanup_dead = 0;
+ 
+-    /* Create sockets */
+-    e->fd_ipv4 = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1;
+-    e->fd_ipv6 = s->config.use_ipv6 ? avahi_open_unicast_socket_ipv6() : -1;
+-
+-    if (e->fd_ipv4 < 0 && e->fd_ipv6 < 0) {
+-        avahi_log_error(__FILE__": Failed to create wide area sockets: %s", 
strerror(errno));
+-
+-        if (e->fd_ipv6 >= 0)
+-            close(e->fd_ipv6);
+-
+-        if (e->fd_ipv4 >= 0)
+-            close(e->fd_ipv4);
+-
+-        avahi_free(e);
+-        return NULL;
+-    }
+-
+-    /* Create watches */
+-
+-    e->watch_ipv4 = e->watch_ipv6 = NULL;
+-
+-    if (e->fd_ipv4 >= 0)
+-        e->watch_ipv4 = s->poll_api->watch_new(e->server->poll_api, 
e->fd_ipv4, AVAHI_WATCH_IN, socket_event, e);
+-    if (e->fd_ipv6 >= 0)
+-        e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, 
e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e);
+-
+     e->n_dns_servers = e->current_dns_server = 0;
+ 
+     /* Initialize cache */
+@@ -651,18 +673,6 @@ void 
avahi_wide_area_engine_free(AvahiWideAreaLookupEngine *e) {
+     avahi_hashmap_free(e->lookups_by_id);
+     avahi_hashmap_free(e->lookups_by_key);
+ 
+-    if (e->watch_ipv4)
+-        e->server->poll_api->watch_free(e->watch_ipv4);
+-
+-    if (e->watch_ipv6)
+-        e->server->poll_api->watch_free(e->watch_ipv6);
+-
+-    if (e->fd_ipv6 >= 0)
+-        close(e->fd_ipv6);
+-
+-    if (e->fd_ipv4 >= 0)
+-        close(e->fd_ipv4);
+-
+     avahi_free(e);
+ }
+ 
+@@ -680,7 +690,7 @@ void avahi_wide_area_set_servers(AvahiWideAreaLookupEngine 
*e, const AvahiAddres
+ 
+     if (a) {
+         for (e->n_dns_servers = 0; n > 0 && e->n_dns_servers < 
AVAHI_WIDE_AREA_SERVERS_MAX; a++, n--)
+-            if ((a->proto == AVAHI_PROTO_INET && e->fd_ipv4 >= 0) || 
(a->proto == AVAHI_PROTO_INET6 && e->fd_ipv6 >= 0))
++            if (a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6)
+                 e->dns_servers[e->n_dns_servers++] = *a;
+     } else {
+         assert(n == 0);
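Review bot: In the patched `socket_event`, both receive calls pass `NULL` for the sender address and port (`avahi_recv_dns_packet_ipv4(l->fd, NULL, NULL, NULL, NULL, NULL)`), so the reply's origin is never compared with the server recorded in `l->dns_server_used`. Assuming the per-lookup socket is not connect()ed, which the explicit destination passed to the send calls suggests, a datagram from any host that reaches that port is then handed on as a DNS answer; the sender and `AVAHI_DNS_PORT` could be checked before the packet is processed, as sketched below. The handling after `if (p) {` lies outside the hunk, so whether the reply is also tied back to `l` rather than matched by ID alone cannot be confirmed from here. In the same function `l->engine` is read in the initializer of `e` before `assert(l)` runs, which makes that assert ineffective; the sketch assigns `e` after it.

```c
static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata) {
    AvahiWideAreaLookup *l = userdata;
    AvahiWideAreaLookupEngine *e;
    AvahiDnsPacket *p = NULL;
    uint16_t src_port = 0;
    int from_server = 0;

    assert(l);
    e = l->engine;
    assert(e);
    assert(l->fd == fd);

    if (l->proto == AVAHI_PROTO_INET) {
        AvahiIPv4Address src;

        p = avahi_recv_dns_packet_ipv4(l->fd, &src, &src_port, NULL, NULL, NULL);
        from_server = p && memcmp(&src, &l->dns_server_used.data.ipv4, sizeof(src)) == 0;
    } else {
        AvahiIPv6Address src;

        assert(l->proto == AVAHI_PROTO_INET6);

        p = avahi_recv_dns_packet_ipv6(l->fd, &src, &src_port, NULL, NULL, NULL);
        from_server = p && memcmp(&src, &l->dns_server_used.data.ipv6, sizeof(src)) == 0;
    }

    /* Drop anything that did not come from the server this lookup queried. */
    if (p && (!from_server || src_port != AVAHI_DNS_PORT)) {
        avahi_dns_packet_free(p);
        p = NULL;
    }

    /* ... unchanged: if (p) { ... } packet handling ... */
```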
