Skip to content

[AutoPR- Security] Patch avahi for CVE-2026-34933 [MEDIUM] #16539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kgodara912 merged 2 commits into from
Apr 13, 2026
+216 −1
Merged

[AutoPR- Security] Patch avahi for CVE-2026-34933 [MEDIUM] #16539

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3f030b4
Patch avahi for CVE-2026-34933
azurelinux-security Apr 9, 2026
9717321
Update CVE-2026-34933.patch with upstream reference
Kanishk-Bansal Apr 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
211 changes: 211 additions & 0 deletions SPECS/avahi/CVE-2026-34933.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,211 @@
From 3e454de4577863d88b1da97e37dba22e37d138b5 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Wed, 1 Apr 2026 05:31:58 +0000
Subject: [PATCH 1/3] core: refuse to accept publish flags where both wide_area
and multicast are set

It fixes a bug where it was possible for unprivileged local users to
crash avahi-daemon via D-Bus by calling EntryGroup methods accepting
flags and passing both AVAHI_PUBLISH_USE_WIDE_AREA and
AVAHI_PUBLISH_USE_MULTICAST there. For example when AddRecord was
invoked like that avahi-daemon crashed with
```
dbus-entry-group.c: interface=org.freedesktop.Avahi.EntryGroup, path=/Client0/EntryGroup1, member=AddRecord
avahi-daemon: entry.c:57: transport_flags_from_domain: Assertion `!((*flags & AVAHI_PUBLISH_USE_MULTICAST) && (*flags & AVAHI_PUBLISH_USE_WIDE_AREA))' failed.
==84944==
==84944== Process terminating with default action of signal 6 (SIGABRT)
==84944== at 0x4B353BC: __pthread_kill_implementation (pthread_kill.c:44)
==84944== by 0x4ADE941: raise (raise.c:26)
==84944== by 0x4AC64AB: abort (abort.c:77)
==84944== by 0x4AC641F: __assert_fail_base.cold (assert.c:118)
==84944== by 0x48A9404: transport_flags_from_domain (entry.c:57)
==84944== by 0x48A9F8F: server_add_internal (entry.c:224)
==84944== by 0x48AA49F: avahi_server_add (entry.c:324)
==84944== by 0x401A670: avahi_dbus_msg_entry_group_impl (dbus-entry-group.c:348)
==84944== by 0x4A70741: ??? (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3)
==84944== by 0x4A5FB22: dbus_connection_dispatch (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3)
==84944== by 0x401D01D: dispatch_timeout_callback (dbus-watch-glue.c:105)
==84944== by 0x488E3AE: timeout_callback (simple-watch.c:447)
==84944==
```
It's a follow-up to fbce111b069aa1e4c701ed37ee1d9f6d6cefaac5 where
those flags were introduced and consistent with the other places
where wide_area/multicast flags are used.

It was discovered by
Guillaume Meunier - Head of Vulnerability Operations Center France - Orange Cyberdefense

https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc

CVE-2026-34933
Upstream-reference: https://patch-diff.githubusercontent.com/raw/avahi/avahi/pull/891.patch
---
avahi-core/entry.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/avahi-core/entry.c b/avahi-core/entry.c
index 0d86213..06eb120 100644
--- a/avahi-core/entry.c
+++ b/avahi-core/entry.c
@@ -207,6 +207,7 @@ static AvahiEntry * server_add_internal(
AVAHI_PUBLISH_UPDATE|
AVAHI_PUBLISH_USE_WIDE_AREA|
AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_domain_name(r->key->name), AVAHI_ERR_INVALID_HOST_NAME);
AVAHI_CHECK_VALIDITY_RETURN_NULL(s, r->ttl != 0, AVAHI_ERR_INVALID_TTL);
AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !avahi_key_is_pattern(r->key), AVAHI_ERR_IS_PATTERN);
@@ -454,6 +455,7 @@ int avahi_server_add_address(
AVAHI_PUBLISH_UPDATE|
AVAHI_PUBLISH_USE_WIDE_AREA|
AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
AVAHI_CHECK_VALIDITY(s, !name || avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME);

/* Prepare the host naem */
@@ -595,6 +597,7 @@ static int server_add_service_strlst_nocopy(
AVAHI_PUBLISH_UPDATE|
AVAHI_PUBLISH_USE_WIDE_AREA|
AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
@@ -754,6 +757,7 @@ static int server_update_service_txt_strlst_nocopy(
AVAHI_PUBLISH_NO_COOKIE|
AVAHI_PUBLISH_USE_WIDE_AREA|
AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
@@ -843,6 +847,7 @@ int avahi_server_add_service_subtype(
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE);
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL);
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
@@ -910,6 +915,7 @@ static AvahiEntry *server_add_dns_server_name(
assert(name);

AVAHI_CHECK_VALIDITY_RETURN_NULL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
AVAHI_CHECK_VALIDITY_RETURN_NULL(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS);
AVAHI_CHECK_VALIDITY_RETURN_NULL(s, port != 0, AVAHI_ERR_INVALID_PORT);
AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME);
@@ -967,6 +973,7 @@ int avahi_server_add_dns_server_address(
AVAHI_CHECK_VALIDITY(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE);
AVAHI_CHECK_VALIDITY(s, AVAHI_PROTO_VALID(protocol) && AVAHI_PROTO_VALID(address->proto), AVAHI_ERR_INVALID_PROTOCOL);
AVAHI_CHECK_VALIDITY(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
AVAHI_CHECK_VALIDITY(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS);
AVAHI_CHECK_VALIDITY(s, port != 0, AVAHI_ERR_INVALID_PORT);
AVAHI_CHECK_VALIDITY(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
--
2.45.4


From 2f688b537b2af03a2005a7b8d7869b7fe84a9c17 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Wed, 1 Apr 2026 05:30:58 +0000
Subject: [PATCH 2/3] tests: make sure AVAHI_PUBLISH_USE_WIDE_AREA is refused

---
avahi-client/client-test.c | 25 +++++++++++++++++++++++++
avahi-core/avahi-test.c | 12 +++++++++++-
2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
index 57750a4..42f5b70 100644
--- a/avahi-client/client-test.c
+++ b/avahi-client/client-test.c
@@ -209,6 +209,28 @@ static void terminate(AVAHI_GCC_UNUSED AvahiTimeout *timeout, AVAHI_GCC_UNUSED v
avahi_simple_poll_quit(simple_poll);
}

+static void test_refuse_publish_flags(AvahiEntryGroup *g, AvahiPublishFlags flags, int expected) {
+ AvahiAddress a;
+ AvahiStringList *l = NULL;
+ int r;
+
+ r = avahi_entry_group_add_record(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test.local", AVAHI_DNS_CLASS_IN, AVAHI_DNS_TYPE_CNAME, 120, "\0", 1);
+ assert(r == expected);
+
+ avahi_address_parse("224.0.0.251", AVAHI_PROTO_UNSPEC, &a);
+ r = avahi_entry_group_add_address(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test.local", &a);
+ assert(r == expected);
+
+ r = avahi_entry_group_add_service_strlst(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, NULL, 80, l);
+ assert(r == expected);
+
+ r = avahi_entry_group_update_service_txt_strlst(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, l);
+ assert(r == expected);
+
+ r = avahi_entry_group_add_service_subtype(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, "_magic._sub._http._tcp");
+ assert(r == expected);
+}
+
int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
AvahiClient *avahi;
AvahiEntryGroup *group, *group2;
@@ -261,6 +283,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
assert(error != AVAHI_OK);

+ test_refuse_publish_flags(group, AVAHI_PUBLISH_USE_WIDE_AREA, AVAHI_ERR_NOT_SUPPORTED);
+ test_refuse_publish_flags(group, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST, AVAHI_ERR_INVALID_FLAGS);
+
avahi_entry_group_commit (group);

domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
diff --git a/avahi-core/avahi-test.c b/avahi-core/avahi-test.c
index 2a7872b..2bae82b 100644
--- a/avahi-core/avahi-test.c
+++ b/avahi-core/avahi-test.c
@@ -30,6 +30,7 @@
#include <netinet/in.h>
#include <arpa/inet.h>

+#include <avahi-common/error.h>
#include <avahi-common/malloc.h>
#include <avahi-common/simple-watch.h>
#include <avahi-common/alternative.h>
@@ -150,6 +151,7 @@ static void remove_entries(void) {
static void create_entries(int new_name) {
AvahiAddress a;
AvahiRecord *r;
+ int error;

remove_entries();

@@ -181,7 +183,15 @@ static void create_entries(int new_name) {
goto fail;
}

- if (avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, NULL, AVAHI_DNS_SERVER_RESOLVE, avahi_address_parse("192.168.50.1", AVAHI_PROTO_UNSPEC, &a), 53) < 0) {
+ avahi_address_parse("192.168.50.1", AVAHI_PROTO_UNSPEC, &a);
+
+ error = avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, AVAHI_PUBLISH_USE_WIDE_AREA, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53);
+ assert(error == AVAHI_ERR_NOT_SUPPORTED);
+
+ error = avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53);
+ assert(error == AVAHI_ERR_INVALID_FLAGS);
+
+ if (avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53) < 0) {
avahi_log_error("Failed to add new DNS Server address");
goto fail;
}
--
2.45.4


From 57746739749f4b7706a0c833f7b62f2da51e6de3 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Wed, 1 Apr 2026 12:18:33 +0000
Subject: [PATCH 3/3] build: bump

--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/avahi/avahi.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
Summary: Local network service discovery
Name: avahi
Version: 0.8
Release: 7%{?dist}
Release: 8%{?dist}
License: LGPLv2+
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -23,6 +23,7 @@ Patch10: CVE-2025-68276.patch
Patch11: CVE-2025-68468.patch
Patch12: CVE-2025-68471.patch
Patch13: CVE-2026-24401.patch
Patch14: CVE-2026-34933.patch
BuildRequires: automake
BuildRequires: dbus-devel >= 0.90
BuildRequires: dbus-glib-devel >= 0.70
Expand Down Expand Up @@ -430,6 +431,9 @@ exit 0
%endif

%changelog
* Thu Apr 09 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.8-8
- Patch for CVE-2026-34933

* Tue Jan 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.8-7
- Patch for CVE-2026-24401

Expand Down
Loading