- Security update to version 2.78:
* bsc#1060354, CVE-2017-14491: 2 byte heap based overflow. * bsc#1060355, CVE-2017-14492: heap based overflow. * bsc#1060360, CVE-2017-14493: stack based overflow. * bsc#1060361, CVE-2017-14494: DHCP - info leak. * bsc#1060362, CVE-2017-14495: DNS - OOM DoS. * bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow. * Fix DHCP relaying, broken in 2.76 and 2.77. * For other changes, see http://www.thekelleys.org.uk/dnsmasq/CHANGELOG - Obsoleted patches: * Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch * Handle-binding-upstream-servers-to-an-interface.patch OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=90
parent
1c4b4aee27
commit
09eac739de
@ -1,29 +0,0 @@
|
||||
From 16800ea072dd0cdf14d951c4bb8d2808b3dfe53d Mon Sep 17 00:00:00 2001
|
||||
From: Simon Kelley <simon@thekelleys.org.uk>
|
||||
Date: Tue, 30 Aug 2016 23:07:06 +0100
|
||||
Subject: [PATCH 4/4] Fix crash introduced in
|
||||
2675f2061525bc954be14988d64384b74aa7bf8b
|
||||
|
||||
---
|
||||
src/network.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/network.c b/src/network.c
|
||||
index ddf8d31..d87d08f 100644
|
||||
--- a/src/network.c
|
||||
+++ b/src/network.c
|
||||
@@ -1516,8 +1516,9 @@ void check_servers(void)
|
||||
serv->flags |= SERV_MARK;
|
||||
continue;
|
||||
}
|
||||
-
|
||||
- serv->sfd->used = 1;
|
||||
+
|
||||
+ if (serv->sfd)
|
||||
+ serv->sfd->used = 1;
|
||||
}
|
||||
|
||||
if (!(serv->flags & SERV_NO_REBIND) && !(serv->flags & SERV_LITERAL_ADDRESS))
|
||||
--
|
||||
2.11.0
|
||||
|
@ -1,119 +0,0 @@
|
||||
From 2675f2061525bc954be14988d64384b74aa7bf8b Mon Sep 17 00:00:00 2001
|
||||
From: Beniamino Galvani <bgalvani@redhat.com>
|
||||
Date: Sun, 28 Aug 2016 20:44:05 +0100
|
||||
Subject: [PATCH 1/4] Handle binding upstream servers to an interface
|
||||
(--server=1.2.3.4@eth0) when the named interface is destroyed and recreated
|
||||
in the kernel.
|
||||
|
||||
---
|
||||
CHANGELOG | 5 +++++
|
||||
src/dnsmasq.h | 1 +
|
||||
src/network.c | 31 +++++++++++++++++++++++++++++--
|
||||
3 files changed, 35 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
|
||||
index 27385a9..f239ce5 100644
|
||||
--- a/src/dnsmasq.h
|
||||
+++ b/src/dnsmasq.h
|
||||
@@ -488,6 +488,7 @@ struct serverfd {
|
||||
int fd;
|
||||
union mysockaddr source_addr;
|
||||
char interface[IF_NAMESIZE+1];
|
||||
+ unsigned int ifindex, used;
|
||||
struct serverfd *next;
|
||||
};
|
||||
|
||||
diff --git a/src/network.c b/src/network.c
|
||||
index e7722fd..ddf8d31 100644
|
||||
--- a/src/network.c
|
||||
+++ b/src/network.c
|
||||
@@ -1204,6 +1204,7 @@ int local_bind(int fd, union mysockaddr *addr, char *intname, int is_tcp)
|
||||
static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
|
||||
{
|
||||
struct serverfd *sfd;
|
||||
+ unsigned int ifindex = 0;
|
||||
int errsave;
|
||||
|
||||
/* when using random ports, servers which would otherwise use
|
||||
@@ -1224,11 +1225,15 @@ static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
|
||||
return NULL;
|
||||
#endif
|
||||
}
|
||||
+
|
||||
+ if (intname && strlen(intname) != 0)
|
||||
+ ifindex = if_nametoindex(intname); /* index == 0 when not binding to an interface */
|
||||
|
||||
/* may have a suitable one already */
|
||||
for (sfd = daemon->sfds; sfd; sfd = sfd->next )
|
||||
if (sockaddr_isequal(&sfd->source_addr, addr) &&
|
||||
- strcmp(intname, sfd->interface) == 0)
|
||||
+ strcmp(intname, sfd->interface) == 0 &&
|
||||
+ ifindex == sfd->ifindex)
|
||||
return sfd;
|
||||
|
||||
/* need to make a new one. */
|
||||
@@ -1250,11 +1255,13 @@ static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
|
||||
errno = errsave;
|
||||
return NULL;
|
||||
}
|
||||
-
|
||||
+
|
||||
strcpy(sfd->interface, intname);
|
||||
sfd->source_addr = *addr;
|
||||
sfd->next = daemon->sfds;
|
||||
+ sfd->ifindex = ifindex;
|
||||
daemon->sfds = sfd;
|
||||
+
|
||||
return sfd;
|
||||
}
|
||||
|
||||
@@ -1429,12 +1436,16 @@ void check_servers(void)
|
||||
{
|
||||
struct irec *iface;
|
||||
struct server *serv;
|
||||
+ struct serverfd *sfd, *tmp, **up;
|
||||
int port = 0, count;
|
||||
|
||||
/* interface may be new since startup */
|
||||
if (!option_bool(OPT_NOWILD))
|
||||
enumerate_interfaces(0);
|
||||
|
||||
+ for (sfd = daemon->sfds; sfd; sfd = sfd->next)
|
||||
+ sfd->used = 0;
|
||||
+
|
||||
#ifdef HAVE_DNSSEC
|
||||
/* Disable DNSSEC validation when using server=/domain/.... servers
|
||||
unless there's a configured trust anchor. */
|
||||
@@ -1505,6 +1516,8 @@ void check_servers(void)
|
||||
serv->flags |= SERV_MARK;
|
||||
continue;
|
||||
}
|
||||
+
|
||||
+ serv->sfd->used = 1;
|
||||
}
|
||||
|
||||
if (!(serv->flags & SERV_NO_REBIND) && !(serv->flags & SERV_LITERAL_ADDRESS))
|
||||
@@ -1547,6 +1560,20 @@ void check_servers(void)
|
||||
if (count - 1 > SERVERS_LOGGED)
|
||||
my_syslog(LOG_INFO, _("using %d more nameservers"), count - SERVERS_LOGGED - 1);
|
||||
|
||||
+ /* Remove unused sfds */
|
||||
+ for (sfd = daemon->sfds, up = &daemon->sfds; sfd; sfd = tmp)
|
||||
+ {
|
||||
+ tmp = sfd->next;
|
||||
+ if (!sfd->used)
|
||||
+ {
|
||||
+ *up = sfd->next;
|
||||
+ close(sfd->fd);
|
||||
+ free(sfd);
|
||||
+ }
|
||||
+ else
|
||||
+ up = &sfd->next;
|
||||
+ }
|
||||
+
|
||||
cleanup_servers();
|
||||
}
|
||||
|
||||
--
|
||||
2.11.0
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:4b92698dee19ca0cb2a8f2e48f1d2dffd01a21eb15d1fbed4cf085630c8c9f96
|
||||
size 480796
|
@ -1,7 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iEYEABECAAYFAlc8gxEACgkQKPyGmiibgrcEZQCghIcBK2ici5/4klzL7gMQmrar
|
||||
ZtkAn0evIF/mFDAJsQlWnGTbew3lsxAs
|
||||
=SVPw
|
||||
-----END PGP SIGNATURE-----
|
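--- /dev/null
+++ b/dnsmasq-2.78.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:89949f438c74b0c7543f06689c319484bd126cc4b1f8c745c742ab397681252b
+size 489172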
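--- /dev/null
+++ b/dnsmasq-2.78.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAABCAAGBQJZ0kGzAAoJEBXN2mrhkTWiYaYQAIadoc1Cr6Qg0cDxhUNMDL0G
+Qp4VWhD/KkxUerTCWdWiSlWBt94hnDNlOBJ8QnqHHzYH/dopvOdLU3/HpVUMYfZf
+XA2wCz38xQREj961jZ8r3kK1LR42NqqlV/E4qn4lsZedxgq62lP2xiZiVWaRqe9g
+klXlzUORfu/JxyOKTtyy4rR0YNOWx2GYex5T3av+sieKgcR7ZryQgZF+SGoonqil
+srbKriSXLSpVjyDp+3fLECAguL/dzw53pWdoAm9ZizWu8miNqGj/PbQJx44tpwOO
+N2+4y07yD0e6eNlQOb3JStmyrTSO+qwqQG4kFKFPDM0/ZBGTUcmA2WZjDXrGySfD
+015T9JW+6CkJ3ikCW0ik9PiO5ryKJgIhejyT2POL0/APaKTj4wmDbK6ekYivanpD
+2hCkyCcvNrxx5oADGPhlHC5okYXdJ9Hrr+AcdMMdhFZCo5U2JP0TMqZaotQQdy54
+GoOEKJ+ij116Tw8hqA0k34zcwklaXluZX4ghm7ZxoOiJwwO6fUeKKBnxXvwzpgm6
+3jCq8OJkCpXym3S5nD0y/QWGLJtaNFYVRYO4J4YnfjICGd88NtQnCXzND1R+dvdi
+Z06MgDOuUFu2ZSode13u1uU6w3h415m6M45jAeBRwZhGX26+NM9a9P+tO6gmR0Hy
+zyOEsbgfqBof6BBlPdlw
+=ecMB
+-----END PGP SIGNATURE-----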
@ -1,13 +1,13 @@
|
||||
--- src/dnsmasq.c.orig
|
||||
+++ src/dnsmasq.c
|
||||
@@ -557,11 +557,10 @@ int main (int argc, char **argv)
|
||||
@@ -581,11 +581,10 @@ int main (int argc, char **argv)
|
||||
if (!option_bool(OPT_DEBUG) && getuid() == 0)
|
||||
{
|
||||
int bad_capabilities = 0;
|
||||
- gid_t dummy;
|
||||
|
||||
- /* remove all supplimentary groups */
|
||||
+ /* set the supplimentary groups of the daemon user */
|
||||
- /* remove all supplementary groups */
|
||||
+ /* set the supplementary groups of the daemon user */
|
||||
if (gp &&
|
||||
- (setgroups(0, &dummy) == -1 ||
|
||||
+ (initgroups(daemon->username, gp->gr_gid) == -1 ||
|
||||
|
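Review bot: The refreshed downstream patch still has no header explaining why the privilege drop calls `initgroups(daemon->username, gp->gr_gid)` where upstream has `setgroups(0, &dummy)`; the file starts directly at `--- src/dnsmasq.c.orig`. With this substitution the daemon keeps every supplementary group the configured user has in the group database, so what it can reach after dropping root depends on local account setup instead of being an empty group list. I would add a short description above the `---` line giving the reason and a tracking reference, for example `Keep the daemon user's supplementary groups instead of clearing them (bsc#<id>): <reason>.` The body of `main()` continues outside the hunk, so whether `daemon->username` can be unset while `gp` is non-NULL cannot be checked from here and is worth confirming before this is carried into a security update.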
@ -1,3 +1,20 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 2 14:09:59 UTC 2017 - max@suse.com
|
||||
|
||||
- Security update to version 2.78:
|
||||
* bsc#1060354, CVE-2017-14491: 2 byte heap based overflow.
|
||||
* bsc#1060355, CVE-2017-14492: heap based overflow.
|
||||
* bsc#1060360, CVE-2017-14493: stack based overflow.
|
||||
* bsc#1060361, CVE-2017-14494: DHCP - info leak.
|
||||
* bsc#1060362, CVE-2017-14495: DNS - OOM DoS.
|
||||
* bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow.
|
||||
* Fix DHCP relaying, broken in 2.76 and 2.77.
|
||||
* For other changes, see
|
||||
http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
|
||||
- Obsoleted patches:
|
||||
* Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
|
||||
* Handle-binding-upstream-servers-to-an-interface.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 12 08:29:59 UTC 2017 - tchvatal@suse.com
|
||||
|
||||
|
@ -20,7 +20,7 @@ Name: dnsmasq
|
||||
Summary: Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server
|
||||
License: GPL-2.0 or GPL-3.0
|
||||
Group: Productivity/Networking/DNS/Servers
|
||||
Version: 2.76
|
||||
Version: 2.78
|
||||
Release: 0
|
||||
Provides: dns_daemon
|
||||
PreReq: /usr/sbin/useradd /bin/mkdir
|
||||
@ -35,8 +35,6 @@ Source6: SuSEFirewall.dnsmasq-dhcp
|
||||
Source7: SuSEFirewall.dnsmasq-dns
|
||||
Source8: %{name}-rpmlintrc
|
||||
Patch0: dnsmasq-groups.patch
|
||||
Patch10: Handle-binding-upstream-servers-to-an-interface.patch
|
||||
Patch11: Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: dbus-1-devel
|
||||
BuildRequires: dos2unix
|
||||
@ -70,8 +68,6 @@ server's leases.
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
|
||||
# Some docs have the DOS line ends
|
||||
dos2unix contrib/systemd/dbus_activation
|
||||
|