[avahi] [ANNOUNCE] nss-mdns 0.9 (IMPORTANT)

Lennart Poettering lennart at poettering.net
Mon Jan 1 16:29:38 PST 2007


Hi!

A few minutes ago I released nss-mdns 0.9:

   http://0pointer.de/lennart/projects/nss-mdns/

This release contains some potentially security sensitive fixes. Due to
the way nss-mdns is compiled in Ubuntu, Debian, Fedora this is
definitely not a security hole on those distros, but it might be on
others. Specifically distros which compile nss-mdns with the
--disable-legacy flag are on the safe side. This compile flag disables
the mini mDNS stack in nss-mdns, and makes it rely exclusively on
Avahi's services for resolution. This is now the recommended way to
compile nss-mdns. To underline this the "configure" defaults are now
changed to --disable-legacy. I kindly ask the distributors to compile
nss-mdns with this flag from now on. Remember however, that this makes
Avahi a hard runtime (but not build time) dependency of nss-mdns!

(Some of the more "flexible" distributions like Debian or Gentoo might
choose to ship two versions of the package, one with --disable-legacy,
and another one with --enable-legacy, because the latter might be
useful in some embedded or other special applications where Avahi is not
running, but mDNS name resolution is required)

The potential security hole results from the fact that
libnss-mdns*.so.2 exported a few symbols which should not have been
exported. Some apps exported symbols with the same name, and thus
nss-mdns sometimes called the wrong implementation with bad
parameters, causing a segfault. Most notably Samba segfaulted when
used with nss-mdns with the mini stack enabled. 

nss-mdns 0.9 now ships with a linker script which hides those
symbols. I strongly recommend updating to this new nss-mdns version,
because conflicts with other symbols defined in nss-mdns might
eventually occur in other applications and thus result in segfaults
where no one would normally expect any.

This fixes Debian bug #404266 and Avahi bug #78.

Also, nss-mdns will no longer honour /etc/resolv.conf's domain search
list by default, unless it is configured at compile-time to do
that. This caused a lot of problems and was never recommended
anyway. Unless you really know what you are doing, this option should
not be enabled again.

Because the mini stack and the parsing of resolv.conf are no longer
compiled in by default, the shared objects are now down to 9k
again (from 23k) on i386 -- nss-mdns is really tiny again. In
addition, the less code there is in nss-mdns, the more unlikely it is
that nss-mdns has a security vulnerability.

One final note:

In the past there have been some problem reports with nss-mdns/Avahi
in a unicast domain .local. Among others, Debian bug reports 392813 and
404534 are about this (those two should be merged, btw). To say this
clearly: Avahi/nss-mdns is inherently incompatible with networks with
".local" as unicast domain. If you have such a network, don't use
Avahi - disable or uninstall it. ".local" is the Zeroconf domain, and
other uses of this DNS zone should please go away.

Since this issue came up so often I wrote a long text into our wiki
explaining the problems, and possible workarounds:

http://avahi.org/wiki/AvahiAndUnicastDotLocal

This text also includes some hints for the distributors how to deal
best with this problem. So please, distributors, read it! Ubuntu
already implements most of my recommendations, and so should every
other distribution which ships nss-mdns and Avahi!
 
BTW, this is not a new issue; Apple already documents this problem on

http://docs.info.apple.com/article.html?artnum=107800

Thanks,

        Lennart (who interrupted his thesis work for the first time in
        quite a while to give Avahi/nss-mdns some more love again)

-- 
Lennart Poettering; lennart [at] poettering [dot] net
ICQ# 11060553; GPG 0x1A015CC4; http://0pointer.net/lennart/
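
A check a packager can run for the symbol-export problem described in the message above, as an added example that is not part of the original post or of nss-mdns: it lists every defined dynamic symbol in `nm -D` output that is not a glibc NSS entry point (`_nss_<service>_*`). The sample output and the two leaked names in it are constructed, and the toolchain allowlist is an assumption.

```python
import re
import subprocess
import sys

# Linker-generated names that commonly show up in a shared object's dynamic table.
TOOLCHAIN = {"_init", "_fini", "_edata", "_end", "__bss_start"}

# Constructed `nm -D` output; the two non-_nss_ names are invented placeholders.
SAMPLE = """\
0000000000001a10 T _nss_mdns4_gethostbyaddr_r
0000000000001b40 T _nss_mdns4_gethostbyname2_r
0000000000001c00 T _nss_mdns4_gethostbyname_r
0000000000002100 T set_nonblock
0000000000002180 T helper_open_socket
0000000000004010 B __bss_start
                 U malloc@GLIBC_2.2.5
                 w __gmon_start__
"""

def service_from_path(path):
    """glibc loads NSS service <name> from libnss_<name>.so.2."""
    m = re.search(r"libnss_([A-Za-z0-9_]+)\.so\.2$", path)
    if not m:
        raise ValueError("not an NSS module file name: %s" % path)
    return m.group(1)

def unexpected_exports(nm_output, service):
    """Return defined dynamic symbols other than _nss_<service>_* entry points."""
    allowed = re.compile(r"_nss_%s_[a-z0-9_]+$" % re.escape(service))
    leaked = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) != 3:      # undefined symbols have no address column
            continue
        _addr, kind, name = fields
        name = name.split("@", 1)[0]   # drop a symbol-version suffix
        if kind == "A":           # version nodes created by a version script
            continue
        if name in TOOLCHAIN or allowed.match(name):
            continue
        leaked.add(name)
    return sorted(leaked)

if __name__ == "__main__":
    if len(sys.argv) > 1:         # audit a real module: path to libnss_<name>.so.2
        path = sys.argv[1]
        out = subprocess.run(["nm", "-D", "--defined-only", path],
                             capture_output=True, text=True, check=True).stdout
        print(unexpected_exports(out, service_from_path(path)))
    else:
        print(unexpected_exports(SAMPLE, "mdns4"))
```

An empty list means the module exposes only its NSS entry points, so nothing in it can collide with a same-named symbol in the host application.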

