CVE-2021-3502: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2021-3502) was discovered in Avahi 0.8-5, affecting the avahishostnameresolver_start function. The flaw allows a local attacker to crash the Avahi service by requesting hostname resolutions through the Avahi socket or DBus methods using invalid hostnames (NVD, Debian Tracker).

The vulnerability exists in the avahishostnameresolverstart function within resolve-host-name.c. The issue stems from a reachable assertion (assert(r)) that can be triggered when users pass invalid hostnames through the RESOLVE-HOSTNAME functionality in /run/avahi-daemon/socket or via the DBus method org.freedesktop.Avahi.Server.ResolveHostName. If assertions are compiled out, this results in a NULL pointer dereference. The vulnerability was introduced in version 0.8 ([Red Hat Bugzilla](https://bugzilla.redhat.com/showbug.cgi?id=1946914)). The CVSS v3.1 base score is 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is on service availability. When exploited, it causes the Avahi daemon to crash, disrupting network-based Zeroconf service discovery functionality. This affects the system's ability to perform DNS Service Discovery and Multicast DNS operations (Red Hat Bugzilla).

The vulnerability has been fixed in various distributions through security updates. Debian has addressed this in versions 0.8-5+deb11u2 and later for bullseye, 0.8-10+deb12u1 for bookworm, and 0.8-16 for sid/trixie. Red Hat has released fixes through RHSA-2023:6707 (Debian Tracker, Red Hat Bugzilla).