Hello community, here is the log from the commit of package avahi for openSUSE:Factory checked in at 2019-01-08 12:15:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/avahi (Old) and /work/SRC/openSUSE:Factory/.avahi.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "avahi" Tue Jan 8 12:15:56 2019 rev:124 rq:663088 version:0.7 Changes: -------- avahi-mono.changes: same change avahi-qt4.changes: same change --- /work/SRC/openSUSE:Factory/avahi/avahi.changes 2018-05-10 15:45:35.773628240 +0200 +++ /work/SRC/openSUSE:Factory/.avahi.new.28833/avahi.changes 2019-01-08 12:15:58.485066697 +0100 @@ -1,0 +2,13 @@ +Fri Jan 4 00:40:38 UTC 2019 - mgorse@suse.com + +- Replace avahi-0.7-python3.patch with avahi-0.7-dbm.patch: use + what is upstream (boo#1110668). +- Add avahi-0.7-encode-strings-as-utf8.patch: encode strings as + UTF-8 (boo#1110668). +- Add avahi-0.7-python3-bookmarks.patch: make bookmarks python 3 + compatible (boo#1110668). +- Add CVE-2018-1000845.patch: drop legacy unicast queries from + address not on local link (boo#1120281 CVE-2018-1000845). +- Drop avahi-0.6.31-invalid-packet.patch: fixed upstream. + +------------------------------------------------------------------- Old: ---- avahi-0.6.31-invalid-packet.patch avahi-0.7-python3.patch New: ---- CVE-2018-1000845.patch avahi-0.7-dbm.patch avahi-0.7-encode-strings-as-utf8.patch avahi-0.7-python3-bookmarks.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ avahi-glib2.spec ++++++ --- /var/tmp/diff_new_pack.zP2e2P/_old 2019-01-08 12:15:59.329065903 +0100 +++ /var/tmp/diff_new_pack.zP2e2P/_new 2019-01-08 12:15:59.337065896 +0100 @@ -1,7 +1,7 @@ # # spec file for package avahi-glib2 # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -67,12 +67,16 @@ Patch1: avahi-desktop.patch # PATCH-FEATURE-OPENSUSE avahi-daemon-check-dns-suse.patch bnc431704 sbrabec@suse.cz -- Port Debian avahi-daemon-check-dns.sh to SUSE, see also http://avahi.org/wiki/AvahiAndUnicastDotLocal Patch4: avahi-daemon-check-dns-suse.patch -# PATCH-FIX-UPSTREAM avahi-0.6.31-invalid-packet.patch boo#947140 mgorse@suse.com -- don't spam logs for Windows 10 multicast packets -Patch18: avahi-0.6.31-invalid-packet.patch # PATCH-FIX-UPSTREAM avahi-0.6.32-suppress-resolv-conf-warning.patch bsc#982317 mgorse@suse.com -- only warn on missing resolv.conf if it is being used. Patch19: avahi-0.6.32-suppress-resolv-conf-warning.patch - # PATCH-FIX-UPSTREAM avahi-0.7-python3.patch bsc#1076402 mgorse@suse.com -- port to Python 3. -Patch20: avahi-0.7-python3.patch + # PATCH-FIX-UPSTREAM avahi-0.7-dbm.patch bsc#1076402 mgorse@suse.com -- use the agnostic dbm interface, needed for python 3. +Patch20: avahi-0.7-dbm.patch +# PATCH-FIX-UPSTREAM avahi-0.7-encode-strings-as-utf8.patch boo#1110668 mgorse@suse.com -- encode strings as UTF-8. +Patch21: avahi-0.7-encode-strings-as-utf8.patch +# PATCh-FIX-UPSTREAM avahi-0.7-python3-bookmarks.patch boo#1110668 mgorse@suse.com -- make bookmarks python 3 compatible. +Patch22: avahi-0.7-python3-bookmarks.patch +# PATCH-FIX-UPSTREAM CVE-2018-1000845.patch boo#1110281 mgorse@suse.com -- drop legacy unicast queries from address not on local link (CVE-2018-1000845). +Patch23: CVE-2018-1000845.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gdbm-devel @@ -684,9 +688,11 @@ %patch0 %patch1 -p1 %patch4 -%patch18 -p1 %patch19 -p1 %patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 %if !%{build_core} # Replace all .la references from local .la files to installed versions avahi-mono.spec: same change avahi-qt4.spec: same change ++++++ avahi.spec ++++++ --- /var/tmp/diff_new_pack.zP2e2P/_old 2019-01-08 12:15:59.413065824 +0100 +++ /var/tmp/diff_new_pack.zP2e2P/_new 2019-01-08 12:15:59.413065824 +0100 @@ -1,7 +1,7 @@ # # spec file for package avahi # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -69,12 +69,16 @@ Patch1: avahi-desktop.patch # PATCH-FEATURE-OPENSUSE avahi-daemon-check-dns-suse.patch bnc431704 sbrabec@suse.cz -- Port Debian avahi-daemon-check-dns.sh to SUSE, see also http://avahi.org/wiki/AvahiAndUnicastDotLocal Patch4: avahi-daemon-check-dns-suse.patch -# PATCH-FIX-UPSTREAM avahi-0.6.31-invalid-packet.patch boo#947140 mgorse@suse.com -- don't spam logs for Windows 10 multicast packets -Patch18: avahi-0.6.31-invalid-packet.patch # PATCH-FIX-UPSTREAM avahi-0.6.32-suppress-resolv-conf-warning.patch bsc#982317 mgorse@suse.com -- only warn on missing resolv.conf if it is being used. Patch19: avahi-0.6.32-suppress-resolv-conf-warning.patch - # PATCH-FIX-UPSTREAM avahi-0.7-python3.patch bsc#1076402 mgorse@suse.com -- port to Python 3. -Patch20: avahi-0.7-python3.patch + # PATCH-FIX-UPSTREAM avahi-0.7-dbm.patch bsc#1076402 mgorse@suse.com -- use the agnostic dbm interface, needed for python 3. +Patch20: avahi-0.7-dbm.patch +# PATCH-FIX-UPSTREAM avahi-0.7-encode-strings-as-utf8.patch boo#1110668 mgorse@suse.com -- encode strings as UTF-8. +Patch21: avahi-0.7-encode-strings-as-utf8.patch +# PATCh-FIX-UPSTREAM avahi-0.7-python3-bookmarks.patch boo#1110668 mgorse@suse.com -- make bookmarks python 3 compatible. +Patch22: avahi-0.7-python3-bookmarks.patch +# PATCH-FIX-UPSTREAM CVE-2018-1000845.patch boo#1110281 mgorse@suse.com -- drop legacy unicast queries from address not on local link (CVE-2018-1000845). +Patch23: CVE-2018-1000845.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gdbm-devel @@ -686,9 +690,11 @@ %patch0 %patch1 -p1 %patch4 -%patch18 -p1 %patch19 -p1 %patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 %if !%{build_core} # Replace all .la references from local .la files to installed versions ++++++ CVE-2018-1000845.patch ++++++
From e111def44a7df4624a4aa3f85fe98054bffb6b4f Mon Sep 17 00:00:00 2001 From: Trent Lloyd
Date: Sat, 22 Dec 2018 09:06:07 +0800 Subject: [PATCH] Drop legacy unicast queries from address not on local link
When handling legacy unicast queries, ensure that the source IP is inside a subnet on the local link, otherwise drop the packet. Fixes #145 Fixes #203 CVE-2017-6519 CVE-2018-100084 --- avahi-core/server.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/avahi-core/server.c b/avahi-core/server.c index a2cb19a..a2580e3 100644 --- a/avahi-core/server.c +++ b/avahi-core/server.c @@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres if (avahi_dns_packet_is_query(p)) { int legacy_unicast = 0; + char t[AVAHI_ADDRESS_STR_MAX]; /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the * AR section completely here, so far. Until the day we add @@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres legacy_unicast = 1; } + if (!is_mdns_mcast_address(dst_address) && + !avahi_interface_address_on_link(i, src_address)) { + + avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol); + return; + } + if (legacy_unicast) reflect_legacy_unicast_query_packet(s, p, i, src_address, port); -- 2.18.0 ++++++ avahi-0.7-dbm.patch ++++++
From 63750f1be96ad08c407193b08bf3b9ee74310e2d Mon Sep 17 00:00:00 2001 From: "Jan Alexander Steffens (heftig)"
Date: Tue, 11 Jul 2017 21:52:37 +0200 Subject: [PATCH] avahi-python: Use the agnostic DBM interface
Also fixes configure failing if Python 3 is the build python and GDBM is enabled, since Py3 only has anydbm under the name of 'dbm'. Not enough to make ServiceTypeDatabase.py compatible with Py3, but it's a start. --- avahi-python/avahi/Makefile.am | 15 +-------- avahi-python/avahi/ServiceTypeDatabase.py.in | 33 ++++++++++++++----- configure.ac | 9 +++-- service-type-database/.gitignore | 1 - service-type-database/Makefile.am | 18 +++------- .../{build-db.in => build-db} | 13 +++++--- 6 files changed, 42 insertions(+), 47 deletions(-) rename service-type-database/{build-db.in => build-db} (87%) diff --git a/avahi-python/avahi/Makefile.am b/avahi-python/avahi/Makefile.am index 3eb67d0..c906b9b 100644 --- a/avahi-python/avahi/Makefile.am +++ b/avahi-python/avahi/Makefile.am @@ -25,29 +25,16 @@ avahidir = $(pythondir)/avahi if HAVE_GDBM nodist_avahi_SCRIPTS = ServiceTypeDatabase.py - -ServiceTypeDatabase.py: ServiceTypeDatabase.py.in - $(AM_V_GEN)sed -e 's,@PYTHON\@,$(PYTHON),g' \ - -e 's,@DBM\@,gdbm,g' \ - -e 's,@FIRST_KEY\@,key = self.db.firstkey(),g' \ - -e 's,@CHECK_KEY\@,while key is not None:,g' \ - -e 's,@NEXT_KEY\@,key = self.db.nextkey(key),g' \ - -e 's,@pkglibdatadir\@,$(pkglibdatadir),g' $< > $@ && \ - chmod +x $@ endif if HAVE_DBM nodist_avahi_SCRIPTS = ServiceTypeDatabase.py +endif ServiceTypeDatabase.py: ServiceTypeDatabase.py.in $(AM_V_GEN)sed -e 's,@PYTHON\@,$(PYTHON),g' \ - -e 's,@DBM\@,dbm,g' \ - -e 's,@FIRST_KEY\@,keys = self.db.keys(),g' \ - -e 's,@CHECK_KEY\@,for key in keys:,g' \ - -e 's,@NEXT_KEY\@,,g' \ -e 's,@pkglibdatadir\@,$(pkglibdatadir),g' $< > $@ && \ chmod +x $@ -endif avahi_PYTHON = $(avahi_SCRIPTS) diff --git a/avahi-python/avahi/ServiceTypeDatabase.py.in b/avahi-python/avahi/ServiceTypeDatabase.py.in index 4ddd654..d7f9969 100644 --- a/avahi-python/avahi/ServiceTypeDatabase.py.in +++ b/avahi-python/avahi/ServiceTypeDatabase.py.in @@ -17,7 +17,11 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 # USA. -import @DBM@ +try: + import anydbm as dbm +except ImportError: + import dbm + import locale import re @@ -28,7 +32,7 @@ class ServiceTypeDatabase: def __init__(self, filename = "@pkglibdatadir@/service-types.db"): - self.db = @DBM@.open(filename, "r") + self.db = dbm.open(filename, "r") l = locale.getlocale(locale.LC_MESSAGES) @@ -90,13 +94,24 @@ class ServiceTypeDatabase: def __iter__(self): - @FIRST_KEY@ - @CHECK_KEY@ - - if re.search('_[a-zA-Z0-9-]+\._[a-zA-Z0-9-]+', key) and not re.search('_[a-zA-Z0-9-]+\._[a-zA-Z0-9-]+\[.*\]', key): - yield key - - @NEXT_KEY@ + def want_key(key): + if not re.search('_[a-zA-Z0-9-]+\._[a-zA-Z0-9-]+', key): + return False + if re.search('_[a-zA-Z0-9-]+\._[a-zA-Z0-9-]+\[.*\]', key): + return False + return True + + try: + key = self.db.firstkey() + except AttributeError: + for key in self.db.keys(): + if want_key(key): + yield key + else: + while key is not None: + if want_key(key): + yield key + key = self.db.nextkey(key) def __len__(self): diff --git a/configure.ac b/configure.ac index 6678971..fbbf7cf 100644 --- a/configure.ac +++ b/configure.ac @@ -824,11 +824,10 @@ if test "x$HAVE_PYTHON" = "xyes" ; then fi AM_CHECK_PYMOD(socket,,,[AC_MSG_ERROR(Could not find Python module socket)]) - if test "x$HAVE_GDBM" = "xyes"; then - AM_CHECK_PYMOD(gdbm,,,[AC_MSG_ERROR(Could not find Python module gdbm)]) - fi - if test "x$HAVE_DBM" = "xyes"; then - AM_CHECK_PYMOD(dbm,,,[AC_MSG_ERROR(Could not find Python module dbm)]) + if test "x$HAVE_GDBM" = "xyes" || test "x$HAVE_DBM" = "xyes"; then + AM_CHECK_PYMOD(anydbm,,,[ + AM_CHECK_PYMOD(dbm,,,[AC_MSG_ERROR(Could not find Python module dbm)]) + ]) fi fi fi diff --git a/service-type-database/Makefile.am b/service-type-database/Makefile.am index d184fde..f9fa082 100644 --- a/service-type-database/Makefile.am +++ b/service-type-database/Makefile.am @@ -15,7 +15,7 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 # USA. -EXTRA_DIST=build-db.in service-types +EXTRA_DIST=service-types pkglibdatadir=$(libdir)/avahi @@ -27,16 +27,11 @@ if HAVE_GDBM noinst_SCRIPTS=build-db pkglibdata_DATA+=service-types.db -build-db: build-db.in - $(AM_V_GEN)sed -e 's,@PYTHON\@,$(PYTHON),g' \ - -e 's,@DBM\@,gdbm,g' $< > $@ && \ - chmod +x $@ - -service-types.db: service-types build-db +service-types.db: service-types $(AM_V_GEN)$(PYTHON) build-db $< $@.coming && \ mv $@.coming $@ -CLEANFILES = service-types.db build-db +CLEANFILES = service-types.db endif if HAVE_DBM @@ -44,11 +39,6 @@ if HAVE_DBM noinst_SCRIPTS=build-db pkglibdata_DATA+=service-types.db.pag service-types.db.dir -build-db: build-db.in - $(AM_V_GEN)sed -e 's,@PYTHON\@,$(PYTHON),g' \ - -e 's,@DBM\@,dbm,g' $< > $@ && \ - chmod +x $@ - service-types.db.pag: service-types.db $(AM_V_GEN)mv service-types.db.coming.pag service-types.db.pag service-types.db.dir: service-types.db @@ -57,7 +47,7 @@ service-types.db: service-types build-db $(AM_V_GEN)$(PYTHON) build-db $< $@.coming && \ if test -f "$@.coming"; then mv $@.coming $@; fi -CLEANFILES = service-types.db* build-db +CLEANFILES = service-types.db* endif endif diff --git a/service-type-database/build-db.in b/service-type-database/build-db similarity index 87% rename from service-type-database/build-db.in rename to service-type-database/build-db index 4cda425..78ee892 100755 --- a/service-type-database/build-db.in +++ b/service-type-database/build-db @@ -1,4 +1,4 @@ -#!@PYTHON@ +#!/usr/bin/env python # -*-python-*- # This file is part of avahi. # @@ -17,7 +17,12 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 # USA. -import @DBM@, sys +try: + import anydbm as dbm +except ImportError: + import dbm + +import sys if len(sys.argv) > 1: infn = sys.argv[1] @@ -29,9 +34,9 @@ if len(sys.argv) > 2: else: outfn = infn + ".db" -db = @DBM@.open(outfn, "n") +db = dbm.open(outfn, "n") -for ln in file(infn, "r"): +for ln in open(infn, "r"): ln = ln.strip(" \r\n\t") if ln == "" or ln.startswith("#"): -- 2.18.0 ++++++ avahi-0.7-encode-strings-as-utf8.patch ++++++
From 169e85dbc13dcaae8a699618883e512614f540b7 Mon Sep 17 00:00:00 2001 From: Simon McVittie
Date: Fri, 27 Apr 2018 11:09:07 +0100 Subject: [PATCH] avahi-python: Encode unicode strings as UTF-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Previously, we would effectively encode anything representable in Latin-1 as Latin-1, and crash on anything not representable in Latin-1:
import avahi avahi.string_to_byte_array(u'©') [dbus.Byte(169)] avahi.string_to_byte_array(u'\ufeff') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python2.7/dist-packages/avahi/__init__.py", line 94, in string_to_byte_array r.append(dbus.Byte(ord(c))) ValueError: Integer outside range 0-255
This is particularly important for Python 3, where the str type
is a Unicode string.
The b'' syntax for bytestrings is supported since at least Python 2.7.
These functions now accept either Unicode strings (Python 2 unicode,
Python 3 str), which are encoded in UTF-8, or bytestrings
(Python 2 str, Python 3 bytes) which are taken as-is.
Signed-off-by: Simon McVittie
From e6325a8e9f359de3ffed159757886b2535cc49a9 Mon Sep 17 00:00:00 2001 From: Thomas Jollans
Date: Thu, 4 Oct 2018 01:25:31 +0200 Subject: [PATCH] Make avahi-bookmarks Python3 compatible
Should work with Python 2, but this has not been tested. Not that anybody uses python 2 anymore anyway. --- avahi-python/avahi-bookmarks.in | 48 +++++++++++++++++---------------- 1 file changed, 25 insertions(+), 23 deletions(-) diff --git a/avahi-python/avahi-bookmarks.in b/avahi-python/avahi-bookmarks.in index dea7bef..7a562e3 100755 --- a/avahi-python/avahi-bookmarks.in +++ b/avahi-python/avahi-bookmarks.in @@ -20,9 +20,10 @@ import sys, getopt, os try: - import avahi, gobject, dbus + from gi.repository import GObject + import avahi, dbus except ImportError: - print "Sorry, to use this tool you need to install Avahi and python-dbus." + print("Sorry, to use this tool you need to install Avahi and python-dbus.") sys.exit(1) try: @@ -95,7 +96,7 @@ class AvahiBookmarks: else: t += '<ul style="padding: 0px; margin: 20px; list-style-type: none">' - for k, v in self.services.iteritems(): + for k, v in self.services.items(): if v[3] == 80: port = '' @@ -109,7 +110,7 @@ class AvahiBookmarks: t += '<hr noshade/><p style="font-size: 8; font-family: sans-serif">Served by %s</p></body></html>' % self.version_string - return str(t) + return str(t).encode('utf-8') def new_service(self, interface, protocol, name, type, domain, flags): @@ -138,16 +139,16 @@ class AvahiBookmarks: def usage(retval = 0): - print "%s [options]\n" % sys.argv[0] - print " -h --help Show this help" - print " -c --cgi Run as a CGI instead of as a server (default to server" - print " unless environment variable GATEWAY_INTERFACE is set)" - print " -t --timeout MS Specify the max time for CGI browsing (default %u)" % timeout - print " -p --port PORT Specify the port to use (default %u)" % port - print " -a --address ADDRESS Specify the address to bind to (default %s)" % address - print " -H --host-names Show links with real hostnames" - print " -A --addresses Show links with numeric IP addresses" - print " -d --domain DOMAIN Specify the domain to browse" + print("%s [options]\n" % sys.argv[0]) + print(" -h --help Show this help") + print(" -c --cgi Run as a CGI instead of as a server (default to server") + print(" unless environment variable GATEWAY_INTERFACE is set)") + print(" -t --timeout MS Specify the max time for CGI browsing (default %u)" % timeout) + print(" -p --port PORT Specify the port to use (default %u)" % port) + print(" -a --address ADDRESS Specify the address to bind to (default %s)" % address) + print(" -H --host-names Show links with real hostnames") + print(" -A --addresses Show links with numeric IP addresses") + print(" -d --domain DOMAIN Specify the domain to browse" ) sys.exit(retval) try: @@ -181,30 +182,31 @@ for o, a in opts: domain = a if use_CGI is None: - use_CGI = os.environ.has_key("GATEWAY_INTERFACE") + use_CGI = "GATEWAY_INTERFACE" in os.environ if use_CGI: cgi = AvahiBookmarks(use_host_names) - mainloop = gobject.MainLoop() - gobject.timeout_add(timeout, mainloop.quit) + mainloop = GObject.MainLoop() + GObject.timeout_add(timeout, mainloop.quit) try: mainloop.run() except KeyboardInterrupt: pass - print 'Content-type: text/html\n\n' + cgi.render_html() + print('Content-type: text/html\n\n' + cgi.render_html()) else: try: - from twisted.internet import glib2reactor - glib2reactor.install() + from twisted.internet import gireactor + gireactor.install() from twisted.internet import reactor from twisted.web import server, resource except ImportError: - print "Sorry, to use this tool as a server you need to install twisted and twisted.web.\n" - sys.exit(1) + raise + print("Sorry, to use this tool as a server you need to install twisted and twisted.web.\n") + sys.exit(1) class AvahiBookmarksServer(AvahiBookmarks, resource.Resource): isLeaf = True @@ -219,7 +221,7 @@ else: site = server.Site(AvahiBookmarksServer(use_host_names)) reactor.listenTCP(port, site, interface=address) - print "Now point your web browser to http://%s:%u/!" % (address, port) + print("Now point your web browser to http://%s:%u/!" % (address, port)) try: reactor.run() -- 2.18.0