openwrt/package/network/services/dnsmasq/patches/0112-Add-CVE-numbers-to-security-update-descriptions-in-C.patch

From e01e09c7125b40646aff4a582672e711a18a69a4 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 8 Jan 2021 22:50:03 +0000
Subject: Add CVE numbers to security update descriptions in CHANGELOG

---
 CHANGELOG | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,16 +1,17 @@
 	Fix a remote buffer overflow problem in the DNSSEC code. Any
 	dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
-	referenced by CERT VU#434904.
+	referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
+	CVE-2020-25687.
 
 	Be sure to only accept UDP DNS query replies at the address
 	from which the query was originated. This keeps as much entropy
 	in the {query-ID, random-port} tuple as possible, to help defeat
-	cache poisoning attacks. Refer: CERT VU#434904.
+	cache poisoning attacks. Refer: CVE-2020-25684.
 
 	Use the SHA-256 hash function to verify that DNS answers
 	received are for the questions originally asked. This replaces
 	the slightly insecure SHA-1 (when compiled with DNSSEC) or
-	the very insecure CRC32 (otherwise). Refer: CERT VU#434904.
+	the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
 
 	Handle multiple identical near simultaneous DNS queries better.
 	Previously, such queries would all be forwarded
@@ -24,7 +25,7 @@
 	of the query. The new behaviour detects repeated queries and
 	merely stores the clients sending repeats so that when the
 	first query completes, the answer can be sent to all the
-	clients who asked. Refer: CERT VU#434904.
+	clients who asked. Refer: CVE-2020-25686.
 	
 
 version 2.81
dnsmasq: Backport some security updates This fixes the following security problems in dnsmasq: * CVE-2020-25681: Dnsmasq versions before 2.83 is susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into target device's memory that can lead to memory corruption and other unexpected behaviors on the target device. * CVE-2020-25682: Dnsmasq versions before 2.83 is susceptible to buffer overflow in extract_name() function due to missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device. * CVE-2020-25683: Dnsmasq version before 2.83 is susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap- allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in Dnsmasq, resulting in a Denial of Service. * CVE-2020-25684: A lack of proper address/port check implemented in Dnsmasq version < 2.83 reply_query function makes forging replies easier to an off-path attacker. * CVE-2020-25685: A lack of query resource name (RRNAME) checks implemented in Dnsmasq's versions before 2.83 reply_query function allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning. * CVE-2020-25686: Multiple DNS query requests for the same resource name (RRNAME) by Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning. * CVE-2020-25687: Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 2021-01-11 01:03:03 +01:00			`From e01e09c7125b40646aff4a582672e711a18a69a4 Mon Sep 17 00:00:00 2001`
			`From: Simon Kelley <simon@thekelleys.org.uk>`
			`Date: Fri, 8 Jan 2021 22:50:03 +0000`
			`Subject: Add CVE numbers to security update descriptions in CHANGELOG`

			`---`
			`CHANGELOG \| 9 +++++----`
			`1 file changed, 5 insertions(+), 4 deletions(-)`

			`--- a/CHANGELOG`
			`+++ b/CHANGELOG`
			`@@ -1,16 +1,17 @@`
			`Fix a remote buffer overflow problem in the DNSSEC code. Any`
			`dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,`
			`- referenced by CERT VU#434904.`
			`+ referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683`
			`+ CVE-2020-25687.`

			`Be sure to only accept UDP DNS query replies at the address`
			`from which the query was originated. This keeps as much entropy`
			`in the {query-ID, random-port} tuple as possible, to help defeat`
			`- cache poisoning attacks. Refer: CERT VU#434904.`
			`+ cache poisoning attacks. Refer: CVE-2020-25684.`

			`Use the SHA-256 hash function to verify that DNS answers`
			`received are for the questions originally asked. This replaces`
			`the slightly insecure SHA-1 (when compiled with DNSSEC) or`
			`- the very insecure CRC32 (otherwise). Refer: CERT VU#434904.`
			`+ the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.`

			`Handle multiple identical near simultaneous DNS queries better.`
			`Previously, such queries would all be forwarded`
			`@@ -24,7 +25,7 @@`
			`of the query. The new behaviour detects repeated queries and`
			`merely stores the clients sending repeats so that when the`
			`first query completes, the answer can be sent to all the`
			`- clients who asked. Refer: CERT VU#434904.`
			`+ clients who asked. Refer: CVE-2020-25686.`


			`version 2.81`