mirror of
https://github.com/openwrt/openwrt.git
synced 2025-03-13 07:54:14 +00:00
8055e38794
This fixes the following security problems in dnsmasq: * CVE-2020-25681: Dnsmasq versions before 2.83 is susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into target device's memory that can lead to memory corruption and other unexpected behaviors on the target device. * CVE-2020-25682: Dnsmasq versions before 2.83 is susceptible to buffer overflow in extract_name() function due to missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device. * CVE-2020-25683: Dnsmasq version before 2.83 is susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap- allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in Dnsmasq, resulting in a Denial of Service. * CVE-2020-25684: A lack of proper address/port check implemented in Dnsmasq version < 2.83 reply_query function makes forging replies easier to an off-path attacker. * CVE-2020-25685: A lack of query resource name (RRNAME) checks implemented in Dnsmasq's versions before 2.83 reply_query function allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning. * CVE-2020-25686: Multiple DNS query requests for the same resource name (RRNAME) by Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning. * CVE-2020-25687: Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
42 lines
1.6 KiB
Diff
42 lines
1.6 KiB
Diff
From e01e09c7125b40646aff4a582672e711a18a69a4 Mon Sep 17 00:00:00 2001
|
|
From: Simon Kelley <simon@thekelleys.org.uk>
|
|
Date: Fri, 8 Jan 2021 22:50:03 +0000
|
|
Subject: Add CVE numbers to security update descriptions in CHANGELOG
|
|
|
|
---
|
|
CHANGELOG | 9 +++++----
|
|
1 file changed, 5 insertions(+), 4 deletions(-)
|
|
|
|
--- a/CHANGELOG
|
|
+++ b/CHANGELOG
|
|
@@ -1,16 +1,17 @@
|
|
Fix a remote buffer overflow problem in the DNSSEC code. Any
|
|
dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
|
|
- referenced by CERT VU#434904.
|
|
+ referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
|
|
+ CVE-2020-25687.
|
|
|
|
Be sure to only accept UDP DNS query replies at the address
|
|
from which the query was originated. This keeps as much entropy
|
|
in the {query-ID, random-port} tuple as possible, to help defeat
|
|
- cache poisoning attacks. Refer: CERT VU#434904.
|
|
+ cache poisoning attacks. Refer: CVE-2020-25684.
|
|
|
|
Use the SHA-256 hash function to verify that DNS answers
|
|
received are for the questions originally asked. This replaces
|
|
the slightly insecure SHA-1 (when compiled with DNSSEC) or
|
|
- the very insecure CRC32 (otherwise). Refer: CERT VU#434904.
|
|
+ the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
|
|
|
|
Handle multiple identical near simultaneous DNS queries better.
|
|
Previously, such queries would all be forwarded
|
|
@@ -24,7 +25,7 @@
|
|
of the query. The new behaviour detects repeated queries and
|
|
merely stores the clients sending repeats so that when the
|
|
first query completes, the answer can be sent to all the
|
|
- clients who asked. Refer: CERT VU#434904.
|
|
+ clients who asked. Refer: CVE-2020-25686.
|
|
|
|
|
|
version 2.81
|