dnsmasq: bump to v2.78

Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant 2017-10-02 15:28:32 +01:00 committed by Hans Dedecker
parent b8357e87d7
commit 4b4a4af814
7 changed files with 4 additions and 226 deletions


@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_VERSION:=2.77
PKG_RELEASE:=6
PKG_VERSION:=2.78
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
PKG_HASH:=6eac3b1c50ae25170e3ff8c96ddb55236cf45007633fdb8a35b1f3e02f5f8b8a
PKG_HASH:=89949f438c74b0c7543f06689c319484bd126cc4b1f8c745c742ab397681252b
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING


@ -1,25 +0,0 @@
From 4bb68866a8aeb31db8100492bceae051e33be5d0 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 15 Jun 2017 23:18:44 +0100
Subject: [PATCH] Tweak ICMP ping check logic for DHCPv4.
---
src/rfc2131.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/rfc2131.c b/src/rfc2131.c
index 1c850e5..75792da 100644
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -1040,7 +1040,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
else if (have_config(config, CONFIG_DECLINED) &&
difftime(now, config->decline_time) < (float)DECLINE_BACKOFF)
my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it was previously declined"), addrs);
- else if (!do_icmp_ping(now, config->addr, 0, loopback))
+ else if ((!lease || lease->addr.s_addr != config->addr.s_addr) && !do_icmp_ping(now, config->addr, 0, loopback))
my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it is in use by another host"), addrs);
else
conf = config->addr;
--
1.9.1


@ -1,28 +0,0 @@
From 1d224949cced9e82440d00b3dbaf32c262bac2ff Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 8 Jul 2017 20:52:55 +0100
Subject: [PATCH 1/2] Remove ping-check of configured DHCP address.
This was added in 5ce3e76fbf89e942e8c54ef3e3389facf0d9067a but
it trips over too many buggy clients that leave an interface configured
even in DHCPDISCOVER case.
---
src/rfc2131.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/rfc2131.c b/src/rfc2131.c
index 86230b4..785e15c 100644
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -1040,8 +1040,6 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
else if (have_config(config, CONFIG_DECLINED) &&
difftime(now, config->decline_time) < (float)DECLINE_BACKOFF)
my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it was previously declined"), addrs);
- else if ((!lease || lease->addr.s_addr != config->addr.s_addr) && !do_icmp_ping(now, config->addr, 0, loopback))
- my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it is in use by another host"), addrs);
else
conf = config->addr;
}
--
2.13.2


@ -1,31 +0,0 @@
From 9396752c115b3ab733fa476b30da73237e12e7ba Mon Sep 17 00:00:00 2001
From: Hans Dedecker <dedeckeh@gmail.com>
Date: Tue, 27 Jun 2017 22:08:47 +0100
Subject: [PATCH] Try other servers if first returns REFUSED when
--strict-order active.
If a DNS server replies REFUSED for a given DNS query in strict order mode
no failover to the next DNS server is triggered as the failover logic only
covers non strict mode.
As a result the client will be returned the REFUSED reply without first
falling back to the secondary DNS server(s).
Make failover support work as well for strict mode config in case REFUSED is
replied by deleting the strict order check and rely only on forwardall being
equal to 0 which is the case in non strict mode when a single server has been
contacted or when strict order mode has been configured.
---
CHANGELOG | 4 ++++
src/forward.c | 1 -
2 files changed, 4 insertions(+), 1 deletion(-)
--- a/src/forward.c
+++ b/src/forward.c
@@ -790,7 +790,6 @@ void reply_query(int fd, int family, tim
/* Note: if we send extra options in the EDNS0 header, we can't recreate
the query from the reply. */
if (RCODE(header) == REFUSED &&
- !option_bool(OPT_ORDER) &&
forward->forwardall == 0 &&
!(forward->flags & FREC_HAS_EXTRADATA))
/* for broken servers, attempt to send to another one. */


@ -1,94 +0,0 @@
From 63437ffbb58837b214b4b92cb1c54bc5f3279928 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 6 Sep 2017 22:34:21 +0100
Subject: [PATCH] Fix CVE-2017-13704, which resulted in a crash on a large DNS
query.
A DNS query recieved by UDP which exceeds 512 bytes (or the EDNS0 packet size,
if different.) is enough to cause SIGSEGV.
---
CHANGELOG | 7 +++++++
src/auth.c | 5 -----
src/forward.c | 8 ++++++++
src/rfc1035.c | 5 -----
4 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 3a640f3..7e65912 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -17,6 +17,13 @@ version 2.78
--strict-order active. Thanks to Hans Dedecker
for the patch
+ Fix regression in 2.77, ironically added as a security
+ improvement, which resulted in a crash when a DNS
+ query exceeded 512 bytes (or the EDNS0 packet size,
+ if different.) Thanks to Christian Kujau, Arne Woerner
+ Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
+ chasing this one down. CVE-2017-13704 applies.
+
version 2.77
Generate an error when configured with a CNAME loop,
diff --git a/src/auth.c b/src/auth.c
index 2c24e16..7f95f98 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -119,11 +119,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
struct cname *a, *candidate;
unsigned int wclen;
- /* Clear buffer beyond request to avoid risk of
- information disclosure. */
- memset(((char *)header) + qlen, 0,
- (limit - ((char *)header)) - qlen);
-
if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
return 0;
diff --git a/src/forward.c b/src/forward.c
index f22556a..e3fa94b 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -1188,6 +1188,10 @@ void receive_query(struct listener *listen, time_t now)
(msg.msg_flags & MSG_TRUNC) ||
(header->hb3 & HB3_QR))
return;
+
+ /* Clear buffer beyond request to avoid risk of
+ information disclosure. */
+ memset(daemon->packet + n, 0, daemon->edns_pktsz - n);
source_addr.sa.sa_family = listen->family;
@@ -1688,6 +1692,10 @@ unsigned char *tcp_request(int confd, time_t now,
if (size < (int)sizeof(struct dns_header))
continue;
+
+ /* Clear buffer beyond request to avoid risk of
+ information disclosure. */
+ memset(payload + size, 0, 65536 - size);
query_count++;
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 26f5301..af2fe46 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1223,11 +1223,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
struct mx_srv_record *rec;
size_t len;
- /* Clear buffer beyond request to avoid risk of
- information disclosure. */
- memset(((char *)header) + qlen, 0,
- (limit - ((char *)header)) - qlen);
-
if (ntohs(header->ancount) != 0 ||
ntohs(header->nscount) != 0 ||
ntohs(header->qdcount) == 0 ||
--
1.7.10.4


@ -1,44 +0,0 @@
From a3303e196e5d304ec955c4d63afb923ade66c6e8 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 7 Sep 2017 20:45:00 +0100
Subject: [PATCH] Don't return arcount=1 if EDNS0 RR won't fit in the packet.
Omitting the EDNS0 RR but setting arcount gives a malformed packet.
Also, don't accept UDP packet size less than 512 in recieved EDNS0.
---
src/edns0.c | 5 ++++-
src/forward.c | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/edns0.c b/src/edns0.c
index 3fde17f..f5b798c 100644
--- a/src/edns0.c
+++ b/src/edns0.c
@@ -208,7 +208,10 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
free(buff);
p += rdlen;
}
- header->arcount = htons(ntohs(header->arcount) + 1);
+
+ /* Only bump arcount if RR is going to fit */
+ if (((ssize_t)optlen) <= (limit - (p + 4)))
+ header->arcount = htons(ntohs(header->arcount) + 1);
}
if (((ssize_t)optlen) > (limit - (p + 4)))
diff --git a/src/forward.c b/src/forward.c
index e3fa94b..942b02d 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -1412,6 +1412,8 @@ void receive_query(struct listener *listen, time_t now)
defaults to 512 */
if (udp_size > daemon->edns_pktsz)
udp_size = daemon->edns_pktsz;
+ else if (udp_size < PACKETSZ)
+ udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
}
#ifdef HAVE_AUTH
--
1.7.10.4


@ -7,7 +7,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -82,7 +82,7 @@ typedef unsigned long long u64;
@@ -88,7 +88,7 @@ typedef unsigned long long u64;
#if defined(HAVE_SOLARIS_NETWORK)
# include <sys/sockio.h>
#endif