From 09eac739de1975ec9015e1dfb74cbf058f5b9d92010f13859ba48662a5694ed0 Mon Sep 17 00:00:00 2001
From: Reinhard Max <max@suse.com>
Date: Mon, 2 Oct 2017 14:34:17 +0000
Subject: [PATCH] - Security update to version 2.78:   * bsc#1060354,
 CVE-2017-14491: 2 byte heap based overflow.   * bsc#1060355, CVE-2017-14492:
 heap based overflow.   * bsc#1060360, CVE-2017-14493: stack based overflow.  
 * bsc#1060361, CVE-2017-14494: DHCP - info leak.   * bsc#1060362,
 CVE-2017-14495: DNS - OOM DoS.   * bsc#1060364, CVE-2017-14496: DNS - DoS
 Integer underflow.   * Fix DHCP relaying, broken in 2.76 and 2.77.   * For
 other changes, see     http://www.thekelleys.org.uk/dnsmasq/CHANGELOG -
 Obsoleted patches:   *
 Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch   *
 Handle-binding-upstream-servers-to-an-interface.patch

OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=90
---
 ...uced-in-2675f2061525bc954be14988d643.patch |  29 -----
 ...ing-upstream-servers-to-an-interface.patch | 119 ------------------
 dnsmasq-2.76.tar.xz                           |   3 -
 dnsmasq-2.76.tar.xz.asc                       |   7 --
 dnsmasq-2.78.tar.xz                           |   3 +
 dnsmasq-2.78.tar.xz.asc                       |  17 +++
 dnsmasq-groups.patch                          |   6 +-
 dnsmasq.changes                               |  17 +++
 dnsmasq.spec                                  |   6 +-
 9 files changed, 41 insertions(+), 166 deletions(-)
 delete mode 100644 Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
 delete mode 100644 Handle-binding-upstream-servers-to-an-interface.patch
 delete mode 100644 dnsmasq-2.76.tar.xz
 delete mode 100644 dnsmasq-2.76.tar.xz.asc
 create mode 100644 dnsmasq-2.78.tar.xz
 create mode 100644 dnsmasq-2.78.tar.xz.asc

diff --git a/Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch b/Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
deleted file mode 100644
index 0c46baf..0000000
--- a/Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 16800ea072dd0cdf14d951c4bb8d2808b3dfe53d Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Tue, 30 Aug 2016 23:07:06 +0100
-Subject: [PATCH 4/4] Fix crash introduced in
- 2675f2061525bc954be14988d64384b74aa7bf8b
-
----
- src/network.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/network.c b/src/network.c
-index ddf8d31..d87d08f 100644
---- a/src/network.c
-+++ b/src/network.c
-@@ -1516,8 +1516,9 @@ void check_servers(void)
- 	      serv->flags |= SERV_MARK;
- 	      continue;
- 	    }
--
--	  serv->sfd->used = 1;
-+	  
-+	  if (serv->sfd)
-+	    serv->sfd->used = 1;
- 	}
-       
-       if (!(serv->flags & SERV_NO_REBIND) && !(serv->flags & SERV_LITERAL_ADDRESS))
--- 
-2.11.0
-
diff --git a/Handle-binding-upstream-servers-to-an-interface.patch b/Handle-binding-upstream-servers-to-an-interface.patch
deleted file mode 100644
index 211fe9c..0000000
--- a/Handle-binding-upstream-servers-to-an-interface.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 2675f2061525bc954be14988d64384b74aa7bf8b Mon Sep 17 00:00:00 2001
-From: Beniamino Galvani <bgalvani@redhat.com>
-Date: Sun, 28 Aug 2016 20:44:05 +0100
-Subject: [PATCH 1/4] Handle binding upstream servers to an interface
- (--server=1.2.3.4@eth0) when the named interface is destroyed and recreated
- in the kernel.
-
----
- CHANGELOG     |  5 +++++
- src/dnsmasq.h |  1 +
- src/network.c | 31 +++++++++++++++++++++++++++++--
- 3 files changed, 35 insertions(+), 2 deletions(-)
-
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 27385a9..f239ce5 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -488,6 +488,7 @@ struct serverfd {
-   int fd;
-   union mysockaddr source_addr;
-   char interface[IF_NAMESIZE+1];
-+  unsigned int ifindex, used;
-   struct serverfd *next;
- };
- 
-diff --git a/src/network.c b/src/network.c
-index e7722fd..ddf8d31 100644
---- a/src/network.c
-+++ b/src/network.c
-@@ -1204,6 +1204,7 @@ int local_bind(int fd, union mysockaddr *addr, char *intname, int is_tcp)
- static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
- {
-   struct serverfd *sfd;
-+  unsigned int ifindex = 0;
-   int errsave;
- 
-   /* when using random ports, servers which would otherwise use
-@@ -1224,11 +1225,15 @@ static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
- 	return NULL;
- #endif
-     }
-+
-+  if (intname && strlen(intname) != 0)
-+    ifindex = if_nametoindex(intname); /* index == 0 when not binding to an interface */
-       
-   /* may have a suitable one already */
-   for (sfd = daemon->sfds; sfd; sfd = sfd->next )
-     if (sockaddr_isequal(&sfd->source_addr, addr) &&
--	strcmp(intname, sfd->interface) == 0)
-+	strcmp(intname, sfd->interface) == 0 &&
-+	ifindex == sfd->ifindex) 
-       return sfd;
-   
-   /* need to make a new one. */
-@@ -1250,11 +1255,13 @@ static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
-       errno = errsave;
-       return NULL;
-     }
--    
-+
-   strcpy(sfd->interface, intname); 
-   sfd->source_addr = *addr;
-   sfd->next = daemon->sfds;
-+  sfd->ifindex = ifindex;
-   daemon->sfds = sfd;
-+
-   return sfd; 
- }
- 
-@@ -1429,12 +1436,16 @@ void check_servers(void)
- {
-   struct irec *iface;
-   struct server *serv;
-+  struct serverfd *sfd, *tmp, **up;
-   int port = 0, count;
- 
-   /* interface may be new since startup */
-   if (!option_bool(OPT_NOWILD))
-     enumerate_interfaces(0);
-   
-+  for (sfd = daemon->sfds; sfd; sfd = sfd->next)
-+    sfd->used = 0;
-+
- #ifdef HAVE_DNSSEC
-  /* Disable DNSSEC validation when using server=/domain/.... servers
-     unless there's a configured trust anchor. */
-@@ -1505,6 +1516,8 @@ void check_servers(void)
- 	      serv->flags |= SERV_MARK;
- 	      continue;
- 	    }
-+
-+	  serv->sfd->used = 1;
- 	}
-       
-       if (!(serv->flags & SERV_NO_REBIND) && !(serv->flags & SERV_LITERAL_ADDRESS))
-@@ -1547,6 +1560,20 @@ void check_servers(void)
-   if (count - 1 > SERVERS_LOGGED)
-     my_syslog(LOG_INFO, _("using %d more nameservers"), count - SERVERS_LOGGED - 1);
- 
-+  /* Remove unused sfds */
-+  for (sfd = daemon->sfds, up = &daemon->sfds; sfd; sfd = tmp)
-+    {
-+       tmp = sfd->next;
-+       if (!sfd->used) 
-+	{
-+	  *up = sfd->next;
-+	  close(sfd->fd);
-+	  free(sfd);
-+	} 
-+      else
-+	up = &sfd->next;
-+    }
-+  
-   cleanup_servers();
- }
- 
--- 
-2.11.0
-
diff --git a/dnsmasq-2.76.tar.xz b/dnsmasq-2.76.tar.xz
deleted file mode 100644
index 689001e..0000000
--- a/dnsmasq-2.76.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4b92698dee19ca0cb2a8f2e48f1d2dffd01a21eb15d1fbed4cf085630c8c9f96
-size 480796
diff --git a/dnsmasq-2.76.tar.xz.asc b/dnsmasq-2.76.tar.xz.asc
deleted file mode 100644
index 00151b5..0000000
--- a/dnsmasq-2.76.tar.xz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlc8gxEACgkQKPyGmiibgrcEZQCghIcBK2ici5/4klzL7gMQmrar
-ZtkAn0evIF/mFDAJsQlWnGTbew3lsxAs
-=SVPw
------END PGP SIGNATURE-----
diff --git a/dnsmasq-2.78.tar.xz b/dnsmasq-2.78.tar.xz
new file mode 100644
index 0000000..cbcc202
--- /dev/null
+++ b/dnsmasq-2.78.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:89949f438c74b0c7543f06689c319484bd126cc4b1f8c745c742ab397681252b
+size 489172
diff --git a/dnsmasq-2.78.tar.xz.asc b/dnsmasq-2.78.tar.xz.asc
new file mode 100644
index 0000000..f986d0f
--- /dev/null
+++ b/dnsmasq-2.78.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAABCAAGBQJZ0kGzAAoJEBXN2mrhkTWiYaYQAIadoc1Cr6Qg0cDxhUNMDL0G
+Qp4VWhD/KkxUerTCWdWiSlWBt94hnDNlOBJ8QnqHHzYH/dopvOdLU3/HpVUMYfZf
+XA2wCz38xQREj961jZ8r3kK1LR42NqqlV/E4qn4lsZedxgq62lP2xiZiVWaRqe9g
+klXlzUORfu/JxyOKTtyy4rR0YNOWx2GYex5T3av+sieKgcR7ZryQgZF+SGoonqil
+srbKriSXLSpVjyDp+3fLECAguL/dzw53pWdoAm9ZizWu8miNqGj/PbQJx44tpwOO
+N2+4y07yD0e6eNlQOb3JStmyrTSO+qwqQG4kFKFPDM0/ZBGTUcmA2WZjDXrGySfD
+015T9JW+6CkJ3ikCW0ik9PiO5ryKJgIhejyT2POL0/APaKTj4wmDbK6ekYivanpD
+2hCkyCcvNrxx5oADGPhlHC5okYXdJ9Hrr+AcdMMdhFZCo5U2JP0TMqZaotQQdy54
+GoOEKJ+ij116Tw8hqA0k34zcwklaXluZX4ghm7ZxoOiJwwO6fUeKKBnxXvwzpgm6
+3jCq8OJkCpXym3S5nD0y/QWGLJtaNFYVRYO4J4YnfjICGd88NtQnCXzND1R+dvdi
+Z06MgDOuUFu2ZSode13u1uU6w3h415m6M45jAeBRwZhGX26+NM9a9P+tO6gmR0Hy
+zyOEsbgfqBof6BBlPdlw
+=ecMB
+-----END PGP SIGNATURE-----
diff --git a/dnsmasq-groups.patch b/dnsmasq-groups.patch
index 141c982..953c323 100644
--- a/dnsmasq-groups.patch
+++ b/dnsmasq-groups.patch
@@ -1,13 +1,13 @@
 --- src/dnsmasq.c.orig
 +++ src/dnsmasq.c
-@@ -557,11 +557,10 @@ int main (int argc, char **argv)
+@@ -581,11 +581,10 @@ int main (int argc, char **argv)
    if (!option_bool(OPT_DEBUG) && getuid() == 0)   
      {
        int bad_capabilities = 0;
 -      gid_t dummy;
        
--      /* remove all supplimentary groups */
-+      /* set the supplimentary groups of the daemon user */
+-      /* remove all supplementary groups */
++      /* set the supplementary groups of the daemon user */
        if (gp && 
 -	  (setgroups(0, &dummy) == -1 ||
 +	  (initgroups(daemon->username, gp->gr_gid) == -1 ||
diff --git a/dnsmasq.changes b/dnsmasq.changes
index 56fa2ac..437bf74 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon Oct  2 14:09:59 UTC 2017 - max@suse.com
+
+- Security update to version 2.78:
+  * bsc#1060354, CVE-2017-14491: 2 byte heap based overflow.
+  * bsc#1060355, CVE-2017-14492: heap based overflow.
+  * bsc#1060360, CVE-2017-14493: stack based overflow.
+  * bsc#1060361, CVE-2017-14494: DHCP - info leak.
+  * bsc#1060362, CVE-2017-14495: DNS - OOM DoS.
+  * bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow.
+  * Fix DHCP relaying, broken in 2.76 and 2.77.
+  * For other changes, see
+    http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
+- Obsoleted patches:
+  * Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
+  * Handle-binding-upstream-servers-to-an-interface.patch
+
 -------------------------------------------------------------------
 Tue Sep 12 08:29:59 UTC 2017 - tchvatal@suse.com
 
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 2089169..bc0a7a1 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -20,7 +20,7 @@ Name:           dnsmasq
 Summary:        Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server
 License:        GPL-2.0 or GPL-3.0
 Group:          Productivity/Networking/DNS/Servers
-Version:        2.76
+Version:        2.78
 Release:        0
 Provides:       dns_daemon
 PreReq:         /usr/sbin/useradd /bin/mkdir
@@ -35,8 +35,6 @@ Source6:        SuSEFirewall.dnsmasq-dhcp
 Source7:        SuSEFirewall.dnsmasq-dns
 Source8:        %{name}-rpmlintrc
 Patch0:         dnsmasq-groups.patch
-Patch10:        Handle-binding-upstream-servers-to-an-interface.patch
-Patch11:        Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  dbus-1-devel
 BuildRequires:  dos2unix
@@ -70,8 +68,6 @@ server's leases.
 %prep
 %setup -q
 %patch0
-%patch10 -p1
-%patch11 -p1
 
 # Some docs have the DOS line ends
 dos2unix contrib/systemd/dbus_activation