head 1.4; access; symbols pkgsrc-2026Q1:1.4.0.10 pkgsrc-2026Q1-base:1.4 pkgsrc-2025Q4:1.4.0.8 pkgsrc-2025Q4-base:1.4 pkgsrc-2025Q3:1.4.0.6 pkgsrc-2025Q3-base:1.4 pkgsrc-2025Q2:1.4.0.4 pkgsrc-2025Q2-base:1.4 pkgsrc-2025Q1:1.4.0.2 pkgsrc-2025Q1-base:1.4 pkgsrc-2024Q4:1.3.0.94 pkgsrc-2024Q4-base:1.3 pkgsrc-2024Q3:1.3.0.92 pkgsrc-2024Q3-base:1.3 pkgsrc-2024Q2:1.3.0.90 pkgsrc-2024Q2-base:1.3 pkgsrc-2024Q1:1.3.0.88 pkgsrc-2024Q1-base:1.3 pkgsrc-2023Q4:1.3.0.86 pkgsrc-2023Q4-base:1.3 pkgsrc-2023Q3:1.3.0.84 pkgsrc-2023Q3-base:1.3 pkgsrc-2023Q2:1.3.0.82 pkgsrc-2023Q2-base:1.3 pkgsrc-2023Q1:1.3.0.80 pkgsrc-2023Q1-base:1.3 pkgsrc-2022Q4:1.3.0.78 pkgsrc-2022Q4-base:1.3 pkgsrc-2022Q3:1.3.0.76 pkgsrc-2022Q3-base:1.3 pkgsrc-2022Q2:1.3.0.74 pkgsrc-2022Q2-base:1.3 pkgsrc-2022Q1:1.3.0.72 pkgsrc-2022Q1-base:1.3 pkgsrc-2021Q4:1.3.0.70 pkgsrc-2021Q4-base:1.3 pkgsrc-2021Q3:1.3.0.68 pkgsrc-2021Q3-base:1.3 pkgsrc-2021Q2:1.3.0.66 pkgsrc-2021Q2-base:1.3 pkgsrc-2021Q1:1.3.0.64 pkgsrc-2021Q1-base:1.3 pkgsrc-2020Q4:1.3.0.62 pkgsrc-2020Q4-base:1.3 pkgsrc-2020Q3:1.3.0.60 pkgsrc-2020Q3-base:1.3 pkgsrc-2020Q2:1.3.0.56 pkgsrc-2020Q2-base:1.3 pkgsrc-2020Q1:1.3.0.36 pkgsrc-2020Q1-base:1.3 pkgsrc-2019Q4:1.3.0.58 pkgsrc-2019Q4-base:1.3 pkgsrc-2019Q3:1.3.0.54 pkgsrc-2019Q3-base:1.3 pkgsrc-2019Q2:1.3.0.52 pkgsrc-2019Q2-base:1.3 pkgsrc-2019Q1:1.3.0.50 pkgsrc-2019Q1-base:1.3 pkgsrc-2018Q4:1.3.0.48 pkgsrc-2018Q4-base:1.3 pkgsrc-2018Q3:1.3.0.46 pkgsrc-2018Q3-base:1.3 pkgsrc-2018Q2:1.3.0.44 pkgsrc-2018Q2-base:1.3 pkgsrc-2018Q1:1.3.0.42 pkgsrc-2018Q1-base:1.3 pkgsrc-2017Q4:1.3.0.40 pkgsrc-2017Q4-base:1.3 pkgsrc-2017Q3:1.3.0.38 pkgsrc-2017Q3-base:1.3 pkgsrc-2017Q2:1.3.0.34 pkgsrc-2017Q2-base:1.3 pkgsrc-2017Q1:1.3.0.32 pkgsrc-2017Q1-base:1.3 pkgsrc-2016Q4:1.3.0.30 pkgsrc-2016Q4-base:1.3 pkgsrc-2016Q3:1.3.0.28 pkgsrc-2016Q3-base:1.3 pkgsrc-2016Q2:1.3.0.26 pkgsrc-2016Q2-base:1.3 pkgsrc-2016Q1:1.3.0.24 pkgsrc-2016Q1-base:1.3 pkgsrc-2015Q4:1.3.0.22 pkgsrc-2015Q4-base:1.3 pkgsrc-2015Q3:1.3.0.20 pkgsrc-2015Q3-base:1.3 
pkgsrc-2015Q2:1.3.0.18 pkgsrc-2015Q2-base:1.3 pkgsrc-2015Q1:1.3.0.16 pkgsrc-2015Q1-base:1.3 pkgsrc-2014Q4:1.3.0.14 pkgsrc-2014Q4-base:1.3 pkgsrc-2014Q3:1.3.0.12 pkgsrc-2014Q3-base:1.3 pkgsrc-2014Q2:1.3.0.10 pkgsrc-2014Q2-base:1.3 pkgsrc-2014Q1:1.3.0.8 pkgsrc-2014Q1-base:1.3 pkgsrc-2013Q4:1.3.0.6 pkgsrc-2013Q4-base:1.3 pkgsrc-2013Q3:1.3.0.4 pkgsrc-2013Q3-base:1.3 pkgsrc-2013Q2:1.3.0.2 pkgsrc-2013Q2-base:1.3 pkgsrc-2013Q1:1.2.0.22 pkgsrc-2013Q1-base:1.2 pkgsrc-2012Q4:1.2.0.20 pkgsrc-2012Q4-base:1.2 pkgsrc-2012Q3:1.2.0.18 pkgsrc-2012Q3-base:1.2 pkgsrc-2012Q2:1.2.0.16 pkgsrc-2012Q2-base:1.2 pkgsrc-2012Q1:1.2.0.14 pkgsrc-2012Q1-base:1.2 pkgsrc-2011Q4:1.2.0.12 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q3:1.2.0.10 pkgsrc-2011Q3-base:1.2 pkgsrc-2011Q2:1.2.0.8 pkgsrc-2011Q2-base:1.2 pkgsrc-2011Q1:1.2.0.6 pkgsrc-2011Q1-base:1.2 pkgsrc-2010Q4:1.2.0.4 pkgsrc-2010Q4-base:1.2 pkgsrc-2010Q3:1.2.0.2 pkgsrc-2010Q3-base:1.2 pkgsrc-2010Q2:1.1.0.14 pkgsrc-2010Q2-base:1.1 pkgsrc-2010Q1:1.1.0.12 pkgsrc-2010Q1-base:1.1 pkgsrc-2009Q4:1.1.0.10 pkgsrc-2009Q4-base:1.1 pkgsrc-2009Q3:1.1.0.8 pkgsrc-2009Q3-base:1.1 pkgsrc-2009Q2:1.1.0.6 pkgsrc-2009Q2-base:1.1 pkgsrc-2009Q1:1.1.0.4 pkgsrc-2009Q1-base:1.1 pkgsrc-2008Q4:1.1.0.2 pkgsrc-2008Q4-base:1.1; locks; strict; comment @# @; 1.4 date 2025.02.26.11.43.05; author nia; state Exp; branches; next 1.3; commitid h2aw36yul0ScmYKF; 1.3 date 2013.04.21.00.58.47; author rodent; state Exp; branches; next 1.2; 1.2 date 2010.07.24.13.42.12; author obache; state Exp; branches; next 1.1; 1.1 date 2008.12.23.12.08.17; author adrianp; state Exp; branches 1.1.14.1; next ; 1.1.14.1 date 2010.07.28.14.39.11; author spz; state Exp; branches; next ; desc @@ 1.4 log @avahi: Patch various security issues. CVE-2023-38469 CVE-2023-38470 CVE-2023-38472 CVE-2023-38473 CVE-2021-3468 CVE-2021-3502 Verified to build on macos, linux, netbsd, freebsd, openbsd by drecklypkg ci. @ text @$NetBSD: patch-ai,v 1.3 2013/04/21 00:58:47 rodent Exp $ Part 1: Check lower bounds on port. 
Part 2: Fix CVE-2023-38471 (https://github.com/avahi/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09.patch) --- avahi-core/server.c.orig 2020-02-17 03:41:24.939967558 +0000 +++ avahi-core/server.c @@@@ -952,6 +952,11 @@@@ static void dispatch_packet(AvahiServer return; } + if (port <= 0) { + avahi_log_warn("Received packet from invalid source port."); + return; + } + if (avahi_address_is_ipv4_in_ipv6(src_address)) /* This is an IPv4 address encapsulated in IPv6, so let's ignore it. */ return; @@@@ -1295,7 +1300,11 @@@@ static void update_fqdn(AvahiServer *s) } int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { - char *hn = NULL; + char label_escaped[AVAHI_LABEL_MAX*4+1]; + char label[AVAHI_LABEL_MAX]; + char *hn = NULL, *h; + size_t len; + assert(s); AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); @@@@ -1305,17 +1314,28 @@@@ int avahi_server_set_host_name(AvahiServ else hn = avahi_normalize_name_strdup(host_name); - hn[strcspn(hn, ".")] = 0; + h = hn; + if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { + avahi_free(h); + return AVAHI_ERR_INVALID_HOST_NAME; + } + + avahi_free(h); - if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { - avahi_free(hn); + h = label_escaped; + len = sizeof(label_escaped); + if (!avahi_escape_label(label, strlen(label), &h, &len)) + return AVAHI_ERR_INVALID_HOST_NAME; + + if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); - } withdraw_host_rrs(s); avahi_free(s->host_name); - s->host_name = hn; + s->host_name = avahi_strdup(label_escaped); + if (!s->host_name) + return AVAHI_ERR_NO_MEMORY; update_fqdn(s); @ 1.3 log @Support more PKG_OPTIONS for the net/avahi package. This enables the user to build the avahi UI with GTK3, which is required for some packages like libepc. Commented patches. 
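Review bot: The added `if (port <= 0)` guard in dispatch_packet has no comment saying why a zero source port is dropped, and the declaration of `port` is outside the hunk, so it is not visible whether the `<` half of the comparison can ever be true. If `port` is an unsigned type, the test is equivalent to `port == 0`, and writing it that way avoids a tautological-comparison warning. I would add a one-line comment above the check, for example `/* Source port 0 is never valid; drop the packet before it is processed further (CVE-2008-5081). */`, matching the CVE named in the 1.1 log. The warning is also emitted once per offending packet, so it is worth confirming that log volume from a sender repeating such packets is bounded elsewhere.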
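Review bot: The new error paths in avahi_server_set_host_name return the bare `AVAHI_ERR_INVALID_HOST_NAME` / `AVAHI_ERR_NO_MEMORY` constants, while the `AVAHI_ERR_NO_CHANGE` path a few lines further down goes through `avahi_server_set_errno(s, ...)`. The server's stored error is therefore not updated on these paths. Two related gaps are visible in the same hunk. First, `hn` is passed to `avahi_unescape_label` without a NULL check after the two `*_strdup` calls; the patch itself checks `avahi_strdup` for failure, so these presumably can fail too. Second, `s->host_name` is freed and `withdraw_host_rrs(s)` has already run before the replacement string is allocated, so an allocation failure leaves the server with a NULL host name and withdrawn records. Allocating the copy first and only then withdrawing and swapping keeps the old state intact on failure. The function body continues past `update_fqdn(s)` outside the hunk.

```c
    /* … unchanged: hn = avahi_get_host_name_strdup() / avahi_normalize_name_strdup(host_name) … */
    if (!hn)
        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);

    h = hn;
    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
        avahi_free(h);
        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
    }

    /* … unchanged: avahi_free(h); h = label_escaped; len = sizeof(label_escaped); … */
    if (!avahi_escape_label(label, strlen(label), &h, &len))
        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);

    /* … unchanged: avahi_domain_equal() / AVAHI_ERR_NO_CHANGE check … */

    /* Allocate the replacement before touching the current state. */
    h = avahi_strdup(label_escaped);
    if (!h)
        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);

    withdraw_host_rrs(s);

    avahi_free(s->host_name);
    s->host_name = h;
```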
Removed dependency on desktop.mk, as the file doesn't have a MimeType key. Only PKG_OPTION enabled by default is gtk2. Thus, you will notice no difference in this version and the last (unless you start enabling options). Bump PKGREVISION. Resolves PR pkg/47483 @ text @d1 1 a1 1 $NetBSD: patch-ai,v 1.2 2010/07/24 13:42:12 obache Exp $ d3 1 a3 1 Check lower bounds on port. d5 3 a7 1 --- avahi-core/server.c.orig 2010-06-29 18:51:53.000000000 +0000 d9 1 a9 1 @@@@ -903,6 +903,11 @@@@ static void dispatch_packet(AvahiServer d21 47 @ 1.2 log @Update avahi to 0.6.27. 0.6.27 some build fixes 0.6.26 This is mostly a bugfix release but also fixes a low risk security issue and adds a couple of minor new features. * Fix CVE-2010-2244 (Ludwig Nussel) * Support for Gtk+ 3 and Gtk+ Introspection * Native systemd socket activation support * Add systemd service files * Add various resource control options, for traffic rate limiting as well as cache size and D-Bus client object limits. * i18n updates * Minor other updates @ text @d1 3 a3 1 $NetBSD: patch-ai,v 1.1 2008/12/23 12:08:17 adrianp Exp $ @ 1.1 log @Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5081 @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- avahi-core/server.c.orig 2008-06-18 00:13:44.000000000 +0100 d5 1 a5 1 @@@@ -898,6 +898,11 @@@@ static void dispatch_packet(AvahiServer @ 1.1.14.1 log @Pullup ticket 3192 - requested by obache security update Revisions pulled up: - pkgsrc/net/avahi/Makefile 1.17 - pkgsrc/net/avahi/PLIST 1.5 - pkgsrc/net/avahi/PLIST.pygdbm 1.3 - pkgsrc/net/avahi/PLIST.python 1.4 - pkgsrc/net/avahi/distinfo 1.8 - pkgsrc/net/avahi/options.mk 1.2 - pkgsrc/net/avahi/patches/patch-aa 1.2 - pkgsrc/net/avahi/patches/patch-ab 1.2 - pkgsrc/net/avahi/patches/patch-ac 1.2 - pkgsrc/net/avahi/patches/patch-ad 1.2 - pkgsrc/net/avahi/patches/patch-ae 1.4 - pkgsrc/net/avahi/patches/patch-ag 1.4 - pkgsrc/net/avahi/patches/patch-aj 1.4 - pkgsrc/net/avahi/patches/patch-ah 1.2 - 
pkgsrc/net/avahi/patches/patch-ai 1.2 ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: obache Date: Sat Jul 24 13:42:12 UTC 2010 Modified Files: pkgsrc/net/avahi: Makefile PLIST PLIST.pygdbm PLIST.python distinfo options.mk pkgsrc/net/avahi/patches: patch-aa patch-ab patch-ac patch-ad patch-ae patch-ag patch-ah patch-ai patch-aj Log Message: Update avahi to 0.6.27. 0.6.27 some build fixes 0.6.26 This is mostly a bugfix release but also fixes a low risk security issue and adds a couple of minor new features. * Fix CVE-2010-2244 (Ludwig Nussel) * Support for Gtk+ 3 and Gtk+ Introspection * Native systemd socket activation support * Add systemd service files * Add various resource control options, for traffic rate limiting as well as cache size and D-Bus client object limits. * i18n updates * Minor other updates To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 pkgsrc/net/avahi/Makefile cvs rdiff -u -r1.4 -r1.5 pkgsrc/net/avahi/PLIST cvs rdiff -u -r1.2 -r1.3 pkgsrc/net/avahi/PLIST.pygdbm cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/avahi/PLIST.python cvs rdiff -u -r1.7 -r1.8 pkgsrc/net/avahi/distinfo cvs rdiff -u -r1.1.1.1 -r1.2 pkgsrc/net/avahi/options.mk cvs rdiff -u -r1.1.1.1 -r1.2 pkgsrc/net/avahi/patches/patch-aa \ pkgsrc/net/avahi/patches/patch-ab pkgsrc/net/avahi/patches/patch-ac \ pkgsrc/net/avahi/patches/patch-ad cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/avahi/patches/patch-ae \ pkgsrc/net/avahi/patches/patch-ag pkgsrc/net/avahi/patches/patch-aj cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/avahi/patches/patch-ah \ pkgsrc/net/avahi/patches/patch-ai @ text @d1 1 a1 1 $NetBSD: patch-ai,v 1.2 2010/07/24 13:42:12 obache Exp $ d3 1 a3 1 --- avahi-core/server.c.orig 2010-06-29 18:51:53.000000000 +0000 d5 1 a5 1 @@@@ -903,6 +903,11 @@@@ static void dispatch_packet(AvahiServer @