ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-03-12 23:44:26 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
openwrt/package/network/services/dnsmasq/patches/050-crypto-use-nettle-ecc_curve-access-functions.patch
Hauke Mehrtens 8055e38794 dnsmasq: Backport some security updates 
This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
  Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
  overflow in sort_rrset() when DNSSEC is used. This can allow a remote
  attacker to write arbitrary data into target device's memory that can
  lead to memory corruption and other unexpected behaviors on the target
  device.
* CVE-2020-25682:
  Dnsmasq versions before 2.83 is susceptible to buffer overflow in
  extract_name() function due to missing length check, when DNSSEC is
  enabled. This can allow a remote attacker to cause memory corruption
  on the target device.
* CVE-2020-25683:
  Dnsmasq version before 2.83 is susceptible to a heap-based buffer
  overflow when DNSSEC is enabled. A remote attacker, who can create
  valid DNS replies, could use this flaw to cause an overflow in a heap-
  allocated memory. This flaw is caused by the lack of length checks in
  rtc1035.c:extract_name(), which could be abused to make the code
  execute memcpy() with a negative size in get_rdata() and cause a crash
  in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
  A lack of proper address/port check implemented in Dnsmasq version <
  2.83 reply_query function makes forging replies easier to an off-path
  attacker.
* CVE-2020-25685:
  A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
  versions before 2.83 reply_query function allows remote attackers to
  spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
  Multiple DNS query requests for the same resource name (RRNAME) by
  Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
  traffic, using a birthday attack (RFC 5452), that can lead to DNS
  cache poisoning.
* CVE-2020-25687:
  Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
  overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
  remote attacker, who can create valid DNS replies, could use this flaw
  to cause an overflow in a heap-allocated memory. This flaw is caused
  by the lack of length checks in rtc1035.c:extract_name(), which could
  be abused to make the code execute memcpy() with a negative size in
  sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
  Service.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-01-19 14:10:02 +01:00

36 lines
1.2 KiB
Diff
Raw Blame History

From 1f55b09dd88bc65b3ee6e3a665bc844a5a9a9e8d Mon Sep 17 00:00:00 2001
From: Hans Dedecker <dedeckeh@gmail.com>
Date: Fri, 9 Aug 2019 21:08:17 +0200
Subject: [PATCH] crypto: use nettle ecc_curve access functions
Nettle 3.5.1 has made ecc_curve definitions (nettle_secp_192r1,
nettle_secp_224r1, nettle_secp_256r1, ...) private and forces
users to make use of the accessor functions (nettle_get_secp_192r1,
...) to retrieve the specific ecc_curve structs.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
---
src/crypto.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -301,7 +301,7 @@ static int dnsmasq_ecdsa_verify(struct b
if (!(key_256 = whine_malloc(sizeof(struct ecc_point))))
return 0;
- nettle_ecc_point_init(key_256, &nettle_secp_256r1);
+ nettle_ecc_point_init(key_256, nettle_get_secp_256r1());
}
key = key_256;
@@ -314,7 +314,7 @@ static int dnsmasq_ecdsa_verify(struct b
if (!(key_384 = whine_malloc(sizeof(struct ecc_point))))
return 0;
- nettle_ecc_point_init(key_384, &nettle_secp_384r1);
+ nettle_ecc_point_init(key_384, nettle_get_secp_384r1());
}
key = key_384;
Reference in New Issue View Git Blame Copy Permalink