3 files changed, 333 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/avahi/CVE-2023-38469.patch b/nixpkgs/pkgs/development/libraries/avahi/CVE-2023-38469.patch
new file mode 100644
index 000000000000..ff6cd65de0f4
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/avahi/CVE-2023-38469.patch
@@ -0,0 +1,102 @@
+From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 23 Oct 2023 20:29:31 +0000
+Subject: [PATCH 1/2] core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+CVE-2023-38469
+---
+ avahi-core/rr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/rr.c b/avahi-core/rr.c
+index 2bb89244..9c04ebbd 100644
+--- a/avahi-core/rr.c
++++ b/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/defs.h>
+ 
++#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
+         case AVAHI_DNS_TYPE_TXT: {
+ 
+             AvahiStringList *strlst;
++            size_t used = 0;
+ 
+-            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
++            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+                 if (strlst->size > 255 || strlst->size <= 0)
+                     return 0;
+ 
++                used += 1+strlst->size;
++                if (used > AVAHI_DNS_RDATA_MAX)
++                    return 0;
++            }
++
+             return 1;
+         }
+     }
+
+From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 25 Oct 2023 18:15:42 +0000
+Subject: [PATCH 2/2] tests: pass overly long TXT resource records
+
+to make sure they don't crash avahi any more.
+
+It reproduces https://github.com/lathiat/avahi/issues/455
+---
+ avahi-client/client-test.c       | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
+index ba979988..da0e43ad 100644
+--- a/avahi-client/client-test.c
++++ b/avahi-client/client-test.c
+@@ -22,6 +22,7 @@
+ #endif
+ 
+ #include <stdio.h>
++#include <string.h>
+ #include <assert.h>
+ 
+ #include <avahi-client/client.h>
+@@ -33,6 +34,8 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/timeval.h>
+ 
++#include <avahi-core/dns.h>
++
+ static const AvahiPoll *poll_api = NULL;
+ static AvahiSimplePoll *simple_poll = NULL;
+ 
+@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     uint32_t cookie;
+     struct timeval tv;
+     AvahiAddress a;
++    uint8_t rdata[AVAHI_DNS_RDATA_MAX+1];
++    AvahiStringList *txt = NULL;
++    int r;
+ 
+     simple_poll = avahi_simple_poll_new();
+     poll_api = avahi_simple_poll_get(simple_poll);
+@@ -261,6 +267,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
+     assert(error != AVAHI_OK);
+ 
++    memset(rdata, 1, sizeof(rdata));
++    r = avahi_string_list_parse(rdata, sizeof(rdata), &txt);
++    assert(r >= 0);
++    assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata));
++    error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt);
++    assert(error == AVAHI_ERR_INVALID_RECORD);
++    avahi_string_list_free(txt);
++
+     avahi_entry_group_commit (group);
+ 
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
diff --git a/nixpkgs/pkgs/development/libraries/avahi/CVE-2023-38471-2.patch b/nixpkgs/pkgs/development/libraries/avahi/CVE-2023-38471-2.patch
new file mode 100644
index 000000000000..be0faddbfef5
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/avahi/CVE-2023-38471-2.patch
@@ -0,0 +1,47 @@
+From 04ac71fd56a16365360f14bd4691219913e22f21 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 24 Oct 2023 21:57:32 +0000
+Subject: [PATCH 1/2] smoke-test: call SetHostName with unusual names
+
+It's prompted by https://github.com/lathiat/avahi/issues/453
+---
+ avahi-core/server.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index f6a21bb7..84df6b5d 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+ 
++    if (!hn)
++        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
++
+     h = hn;
+     if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+         avahi_free(h);
+-        return AVAHI_ERR_INVALID_HOST_NAME;
++        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+     }
+ 
+     avahi_free(h);
+@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+     h = label_escaped;
+     len = sizeof(label_escaped);
+     if (!avahi_escape_label(label, strlen(label), &h, &len))
+-        return AVAHI_ERR_INVALID_HOST_NAME;
++        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+ 
+     if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+     avahi_free(s->host_name);
+     s->host_name = avahi_strdup(label_escaped);
+     if (!s->host_name)
+-        return AVAHI_ERR_NO_MEMORY;
++        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+ 
+     update_fqdn(s);
+ 
diff --git a/nixpkgs/pkgs/development/libraries/avahi/default.nix b/nixpkgs/pkgs/development/libraries/avahi/default.nix
new file mode 100644
index 000000000000..df3d113dfd2c
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/avahi/default.nix
@@ -0,0 +1,184 @@
+{ fetchurl
+, fetchpatch
+, lib
+, stdenv
+, pkg-config
+, libdaemon
+, dbus
+, perlPackages
+, libpcap
+, expat
+, gettext
+, glib
+, libiconv
+, libevent
+, nixosTests
+, gtk3Support ? false
+, gtk3
+, qt5
+, qt5Support ? false
+, withLibdnssdCompat ? false
+, python ? null
+, withPython ? false
+}:
+
+stdenv.mkDerivation rec {
+  pname = "avahi${lib.optionalString withLibdnssdCompat "-compat"}";
+  version = "0.8";
+
+  src = fetchurl {
+    url = "https://github.com/lathiat/avahi/releases/download/v${version}/avahi-${version}.tar.gz";
+    sha256 = "1npdixwxxn3s9q1f365x9n9rc5xgfz39hxf23faqvlrklgbhj0q6";
+  };
+
+  outputs = [ "out" "dev" "man" ];
+
+  patches = [
+    # CVE-2021-36217 / CVE-2021-3502
+    (fetchpatch {
+      name = "CVE-2021-3502.patch";
+      url = "https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c.patch";
+      sha256 = "sha256-BXWmrLWUvDxKPoIPRFBpMS3T4gijRw0J+rndp6iDybU=";
+    })
+    # CVE-2021-3468
+    (fetchpatch {
+      name = "CVE-2021-3468.patch";
+      url = "https://github.com/lathiat/avahi/commit/447affe29991ee99c6b9732fc5f2c1048a611d3b.patch";
+      sha256 = "sha256-qWaCU1ZkCg2PmijNto7t8E3pYRN/36/9FrG8okd6Gu8=";
+    })
+    (fetchpatch {
+      name = "CVE-2023-1981.patch";
+      url = "https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f.patch";
+      sha256 = "sha256-BEYFGCnQngp+OpiKIY/oaKygX7isAnxJpUPCUvg+efc=";
+    })
+    # CVE-2023-38470
+    # https://github.com/lathiat/avahi/pull/457 merged Sep 19
+    (fetchpatch {
+      name = "CVE-2023-38470.patch";
+      url = "https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c.patch";
+      sha256 = "sha256-Fanh9bvz+uknr5pAmltqijuUAZIG39JR2Lyq5zGKJ58=";
+    })
+    # CVE-2023-38473
+    # https://github.com/lathiat/avahi/pull/486 merged Oct 18
+    (fetchpatch {
+      name = "CVE-2023-38473.patch";
+      url = "https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797.patch";
+      sha256 = "sha256-/ZVhsBkf70vjDWWG5KXxvGXIpLOZUXdRkn3413iSlnI=";
+    })
+    # CVE-2023-38472
+    # https://github.com/lathiat/avahi/pull/490 merged Oct 19
+    (fetchpatch {
+      name = "CVE-2023-38472.patch";
+      url = "https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40.patch";
+      sha256 = "sha256-FjR8fmhevgdxR9JQ5iBLFXK0ILp2OZQ8Oo9IKjefCqk=";
+    })
+    # CVE-2023-38471
+    # https://github.com/lathiat/avahi/pull/494 merged Oct 24
+    (fetchpatch {
+      name = "CVE-2023-38471.patch";
+      url = "https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09.patch";
+      sha256 = "sha256-4dG+5ZHDa+A4/CszYS8uXWlpmA89m7/jhbZ7rheMs7U=";
+    })
+    # https://github.com/lathiat/avahi/pull/499 merged Oct 25
+    # (but with the changes to '.github/workflows/smoke-tests.sh removed)
+    ./CVE-2023-38471-2.patch
+    # CVE-2023-38469
+    # https://github.com/lathiat/avahi/pull/500 merged Oct 25
+    # (but with the changes to '.github/workflows/smoke-tests.sh removed)
+    ./CVE-2023-38469.patch
+  ];
+
+  depsBuildBuild = [
+    pkg-config
+  ];
+
+  nativeBuildInputs = [
+    pkg-config
+    gettext
+    glib
+  ];
+
+  buildInputs = [
+    libdaemon
+    dbus
+    glib
+    expat
+    libiconv
+    libevent
+  ] ++ (with perlPackages; [
+    perl
+    XMLParser
+  ]) ++ lib.optionals stdenv.isFreeBSD [
+    libpcap
+  ] ++ lib.optionals gtk3Support [
+    gtk3
+  ] ++ lib.optionals qt5Support [
+    qt5
+  ];
+
+  propagatedBuildInputs = lib.optionals withPython (with python.pkgs; [
+    python
+    pygobject3
+    dbus-python
+  ]);
+
+  configureFlags = [
+    "--disable-gdbm"
+    "--disable-mono"
+    # Use non-deprecated path https://github.com/lathiat/avahi/pull/376
+    "--with-dbus-sys=${placeholder "out"}/share/dbus-1/system.d"
+    (lib.enableFeature gtk3Support "gtk3")
+    (lib.enableFeature qt5Support "qt5")
+    (lib.enableFeature withPython "python")
+    "--localstatedir=/var"
+    "--runstatedir=/run"
+    "--sysconfdir=/etc"
+    "--with-distro=${with stdenv.hostPlatform; if isBSD then parsed.kernel.name else "none"}"
+    # A systemd unit is provided by the avahi-daemon NixOS module
+    "--with-systemdsystemunitdir=no"
+  ] ++ lib.optionals withLibdnssdCompat [
+    "--enable-compat-libdns_sd"
+  ] ++ lib.optionals stdenv.isDarwin [
+    # autoipd won't build on darwin
+    "--disable-autoipd"
+  ];
+
+  installFlags = [
+    # Override directories to install into the package.
+    # Replace with runstatedir once is merged https://github.com/lathiat/avahi/pull/377
+    "avahi_runtime_dir=${placeholder "out"}/run"
+    "sysconfdir=${placeholder "out"}/etc"
+  ];
+
+  preBuild = lib.optionalString stdenv.isDarwin ''
+    sed -i '20 i\
+    #define __APPLE_USE_RFC_2292' \
+    avahi-core/socket.c
+  '';
+
+  postInstall =
+    # Maintain compat for mdnsresponder
+    lib.optionalString withLibdnssdCompat ''
+      ln -s avahi-compat-libdns_sd/dns_sd.h "$dev/include/dns_sd.h"
+    '';
+
+  passthru.tests = {
+    smoke-test = nixosTests.avahi;
+    smoke-test-resolved = nixosTests.avahi-with-resolved;
+  };
+
+  meta = with lib; {
+    description = "mDNS/DNS-SD implementation";
+    homepage = "http://avahi.org";
+    license = licenses.lgpl2Plus;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ lovek323 globin ];
+
+    longDescription = ''
+      Avahi is a system which facilitates service discovery on a local
+      network.  It is an implementation of the mDNS (for "Multicast
+      DNS") and DNS-SD (for "DNS-Based Service Discovery")
+      protocols.
+    '';
+  };
+}