From 33d1dd7eaca612999bace002d7cab3a9ed2f59995203d2bf6a29f4b1cb46c145 Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Mon, 7 Nov 2022 10:18:14 +0000
Subject: [PATCH] Accepting request 1031298 from home:dirkmueller:Factory

- update to 2.87 (bsc#1197872, CVE-2022-0934):
  * Allow arbitrary prefix lengths in --rev-server and --domain=....,local
  * Replace --address=/#/..... functionality which got missed in the 2.86 domain search rewrite.
  * Add --nftset option, like --ipset but for the newer nftables.
  * Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6 addresses from DNS answers.
  * Fix crash doing netbooting when --port is set to zero to disable the DNS server. Thanks to Drexl Johannes for the bug report.
  * Generalise --dhcp-relay. Sending via broadcast/multicast is now supported for both IPv4 and IPv6 and the configuration syntax made easier (but backwards compatible).
  * Add snooping of IPv6 prefix-delegations to the DHCP-relay system.
  * Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated as hex, the pattern must consist of only hex digits AND contain at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped over a pattern consisting of a decimal number which was interpreted surprisingly.
  * Include client address in TFTP file-not-found error reports. Thanks to Stefan Rink for the initial patch, which has been re-worked by me (srk). All bugs mine.
  * Note in manpage the change in behaviour of -address. This behaviour actually changed in v2.86, but was undocumented there. From 2.86 on, (eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other types of query will be sent upstream. Pre 2.86, that would catch the whole example.com domain and queries for other types would get a local NODATA answer.
The pre-2.86 behaviour is still available, by configuring --address=/example.com/1.2.3.4 --local=/example.com/ OBS-URL: https://build.opensuse.org/request/show/1031298 OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=151 --- dnsmasq-2.86.tar.xz | 3 - dnsmasq-2.86.tar.xz.asc | 16 ---- dnsmasq-2.87.tar.xz | 3 + dnsmasq-2.87.tar.xz.asc | 16 ++++ dnsmasq-CVE-2022-0934.patch | 179 ------------------------------------ dnsmasq-resolv-conf.patch | 31 ------- dnsmasq.changes | 62 +++++++++++++ dnsmasq.spec | 6 +- 8 files changed, 82 insertions(+), 234 deletions(-) delete mode 100644 dnsmasq-2.86.tar.xz delete mode 100644 dnsmasq-2.86.tar.xz.asc create mode 100644 dnsmasq-2.87.tar.xz create mode 100644 dnsmasq-2.87.tar.xz.asc delete mode 100644 dnsmasq-CVE-2022-0934.patch delete mode 100644 dnsmasq-resolv-conf.patch diff --git a/dnsmasq-2.86.tar.xz b/dnsmasq-2.86.tar.xz deleted file mode 100644 index 97c5807..0000000 --- a/dnsmasq-2.86.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:28d52cfc9e2004ac4f85274f52b32e1647b4dbc9761b82e7de1e41c49907eb08 -size 531404 diff --git a/dnsmasq-2.86.tar.xz.asc b/dnsmasq-2.86.tar.xz.asc deleted file mode 100644 index ba08f03..0000000 --- a/dnsmasq-2.86.tar.xz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmE5MDYACgkQFc3aauGR -NaKtqA//W2QQv/K6l009r6LBQdUxrYwygJ/TXKsZLb6JlpVSCgLJ0FvK95wJnt9S -YxeTbMogr/Pd2jbZJAnPz2mTxfqZAv1Xob+qaXfn/K772tMyjzgUCIfdsBSRKmUS -RYxln8NiMwahI8uYLBWLtSPBpaYLiHEp5W+wV6OHu4OGfCG1qyhlem4Hs1UJy2KN -I6UjLXYJYJBp1UBqsakEuNe4dzUp0v0OI4VYYRUriyTsmptcLFZMUAtdq6EJ9eUX -0p8zhxWotJCzkZrF/t6Myb8ydudwLkUqICA6a9PTw5o34KxZ2VKWtu6NQoWaT8WK -5c7gbk/UprlPhKEDMOuGNC5JHSpm+2Fhq8c8PkIn6zPYv0Wvb/M+2DYLjptfbodl -VHhuzngnneFOdNK+XzPCG37cG1qpzey1mLWtsl5Ji0d1hBLnlk9vl8Hqb5ozLAJC -rMlhIB85hyt6VAj29Ye3DnObNLRSmfDiN4frptmQssqMqO1+eI2b/8zvrxIByYG+ -HboOt5/gotVavAmZwPfesbpje50PaPVTgFjQjc8BAwXEhFsn98MVRdz7Iwc5xQmG -upOd+44HC3at+So9+X9ocVofvItuDn7wYVnoZU7LcF5Isnoz3FhRMAusm8EsfJkI -lQr7vsg5/oUBU2Dr/NCBjbe/cYX4/+BEdnnQkLvG33pF8xTiyAQ= -=XpGA ------END PGP SIGNATURE----- diff --git a/dnsmasq-2.87.tar.xz b/dnsmasq-2.87.tar.xz new file mode 100644 index 0000000..6fcd01e --- /dev/null +++ b/dnsmasq-2.87.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0228c0364a7f2356fd7e7f1549937cbf3099a78d3b2eb1ba5bb0c31e2b89de7a +size 540528 diff --git a/dnsmasq-2.87.tar.xz.asc b/dnsmasq-2.87.tar.xz.asc new file mode 100644 index 0000000..62d88f3 --- /dev/null +++ b/dnsmasq-2.87.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmMwyhgACgkQFc3aauGR +NaILSQ/+Kp/68XUjc6i5fArQOT3vfsbHWxPfyIm44sij50iJMMmuKFArJE7IRRTw +XJFu8ILIVKwLwFgGbQqcNlcL8gtQweKQioe/WPacvX6TeIVGZ2+SBBO69A6gDtUy +FmP47IgskXNlfQIJxUDgtC6khWNad0jTcb/tSVePDDuuUkHIcVZ8esEo7ZFRGitI +Uf+Kwjn81lwiaRHyCo26GRfUIrMEcLmaawKaeGsb09PCyRDK74vXGhkqcd49qMeF +xU4zOn9jqUrCvFKa4Vq6m9SJbnp+U3c10ETTUWDDm7sh4YN1XvM0B8MkRDlB8jlZ +f9YrdydTVXK4U21/YbQNJvyHCED7kB1T8xLRwomxZ9dhAL6Sna9NCGWIwosdzzgo +8fsYNhWammcxkok+5cL4GlBDIBua8VEtJARxvyQFgD1w2lgxMC1xcX8vT+9O1hWS +hwcld7mGD0sbnBuRYOFiV6vEk4UtvRIM+/JBnRJhDSSFL3+3Bw8BSjDgs293JPYT +/lX9/JyMfdz6L9VsJm8YtwtGcmwqQKdLpJDS104PE1S6GciF5ubvqpz1Go6JLoNA +vQGLs8CG2wlH1PJwFpCDQfOeBknPcvpB9PjbEWudQ+S3MJ/rA0J021OwIyfZ1QYZ +mxjUWmvXSDEPhkAnNnXtnOTbrmAbWxEqvgC1KHAxZWkk3HPyY1Y= +=w6LM +-----END PGP SIGNATURE----- diff --git a/dnsmasq-CVE-2022-0934.patch b/dnsmasq-CVE-2022-0934.patch deleted file mode 100644 index 5a9e7fb..0000000 --- a/dnsmasq-CVE-2022-0934.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -From 03345ecefeb0d82e3c3a4c28f27c3554f0611b39 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Thu, 31 Mar 2022 21:35:20 +0100 -Subject: [PATCH] Fix write-after-free error in DHCPv6 code. CVE-2022-0934 - refers. - ---- - CHANGELOG | 3 +++ - src/rfc3315.c | 48 +++++++++++++++++++++++++++--------------------- - 2 files changed, 30 insertions(+), 21 deletions(-) - ---- CHANGELOG.orig -+++ CHANGELOG -@@ -1,3 +1,8 @@ -+ -+ Fix write-after-free error in DHCPv6 server code. -+ CVE-2022-0934 refers. -+ -+ - version 2.86 - Handle DHCPREBIND requests in the DHCPv6 server code. - Thanks to Aichun Li for spotting this omission, and the initial ---- src/rfc3315.c.orig -+++ src/rfc3315.c -@@ -33,9 +33,9 @@ struct state { - unsigned int mac_len, mac_type; - }; - --static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, -+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, - struct in6_addr *client_addr, int is_unicast, time_t now); --static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now); -+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now); - static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts); - static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string); - static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string); -@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_c - } - - /* This cost me blood to write, it will probably cost you blood to understand - srk. 
*/ --static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, -+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, - struct in6_addr *client_addr, int is_unicast, time_t now) - { - void *end = inbuff + sz; - void *opts = inbuff + 34; -- int msg_type = *((unsigned char *)inbuff); -+ int msg_type = *inbuff; - unsigned char *outmsgtypep; - void *opt; - struct dhcp_vendor *vendor; -@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct stat - return 1; - } - --static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now) -+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now) - { - void *opt; -- int i, o, o1, start_opts; -+ int i, o, o1, start_opts, start_msg; - struct dhcp_opt *opt_cfg; - struct dhcp_netid *tagif; - struct dhcp_config *config = NULL; - struct dhcp_netid known_id, iface_id, v6_id; -- unsigned char *outmsgtypep; -+ unsigned char outmsgtype; - struct dhcp_vendor *vendor; - struct dhcp_context *context_tmp; - struct dhcp_mac *mac_opt; -@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state * - v6_id.next = state->tags; - state->tags = &v6_id; - -- /* copy over transaction-id, and save pointer to message type */ -- if (!(outmsgtypep = put_opt6(inbuff, 4))) -+ start_msg = save_counter(-1); -+ /* copy over transaction-id */ -+ if (!put_opt6(inbuff, 4)) - return 0; - start_opts = save_counter(-1); -- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; -- -+ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16; -+ - /* We're going to be linking tags from all context we use. 
- mark them as unused so we don't link one twice and break the list */ - for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current) -@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state * - (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) - - { -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - o1 = new_opt6(OPTION6_STATUS_CODE); - put_opt6_short(DHCP6USEMULTI); - put_opt6_string("Use multicast"); -@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state * - struct dhcp_netid *solicit_tags; - struct dhcp_context *c; - -- *outmsgtypep = DHCP6ADVERTISE; -+ outmsgtype = DHCP6ADVERTISE; - - if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) - { -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - state->lease_allocate = 1; - o = new_opt6(OPTION6_RAPID_COMMIT); - end_opt6(o); -@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state * - int start = save_counter(-1); - - /* set reply message type */ -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - state->lease_allocate = 1; - - log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL); -@@ -924,7 +925,7 @@ static int dhcp6_no_relay(struct state * - int address_assigned = 0; - - /* set reply message type */ -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - - log6_quiet(state, msg_type == DHCP6RENEW ? "DHCPRENEW" : "DHCPREBIND", NULL, NULL); - -@@ -1057,7 +1058,7 @@ static int dhcp6_no_relay(struct state * - int good_addr = 0; - - /* set reply message type */ -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - - log6_quiet(state, "DHCPCONFIRM", NULL, NULL); - -@@ -1121,7 +1122,7 @@ static int dhcp6_no_relay(struct state * - log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? 
_("ignored") : state->hostname); - if (ignore) - return 0; -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - tagif = add_options(state, 1); - break; - } -@@ -1130,7 +1131,7 @@ static int dhcp6_no_relay(struct state * - case DHCP6RELEASE: - { - /* set reply message type */ -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - - log6_quiet(state, "DHCPRELEASE", NULL, NULL); - -@@ -1195,7 +1196,7 @@ static int dhcp6_no_relay(struct state * - case DHCP6DECLINE: - { - /* set reply message type */ -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - - log6_quiet(state, "DHCPDECLINE", NULL, NULL); - -@@ -1275,7 +1276,12 @@ static int dhcp6_no_relay(struct state * - } - - } -- -+ -+ /* Fill in the message type. Note that we store the offset, -+ not a direct pointer, since the packet memory may have been -+ reallocated. */ -+ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype; -+ - log_tags(tagif, state->xid); - log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1)); - diff --git a/dnsmasq-resolv-conf.patch b/dnsmasq-resolv-conf.patch deleted file mode 100644 index 2bbd667..0000000 --- a/dnsmasq-resolv-conf.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From d290630d31f4517ab26392d00753d1397f9a4114 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Wed, 6 Oct 2021 22:31:06 +0100 -Subject: [PATCH] Fix crash after re-reading an empty resolv.conf file. - -If dnsmasq re-reads a resolv file, and it's empty, it will -retry after a delay. In the meantime, the old servers from the -resolv file have been deleted, but the servers_array doesn't -get updated, leading to dangling pointers and crashes. - -Thanks to Brad Jorsch for finding and analysing this bug. - -This problem was introduced in 2.86. ---- - src/dnsmasq.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- src/dnsmasq.c.orig -+++ src/dnsmasq.c -@@ -1668,6 +1668,11 @@ static void poll_resolv(int force, int d - } - else - { -+ /* If we're delaying things, we don't call check_servers(), but -+ reload_servers() may have deleted some servers, rendering the server_array -+ invalid, so just rebuild that here. Once reload_servers() succeeds, -+ we call check_servers() above, which calls build_server_array itself. */ -+ build_server_array(); - latest->mtime = 0; - if (!warned) - { diff --git a/dnsmasq.changes b/dnsmasq.changes index 75864f0..c2ce186 100644 --- a/dnsmasq.changes +++ b/dnsmasq.changes 
@@ -1,3 +1,65 @@ +------------------------------------------------------------------- +Wed Oct 26 09:21:37 UTC 2022 - Dirk Müller + +- update to 2.87 (bsc#1197872, CVE-2022-0934): + * Allow arbitrary prefix lengths in --rev-server and + --domain=....,local + * Replace --address=/#/..... functionality which got + missed in the 2.86 domain search rewrite. + * Add --nftset option, like --ipset but for the newer nftables. + * Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6 + addresses from DNS answers. + * Fix crash doing netbooting when --port is set to zero + to disable the DNS server. Thanks to Drexl Johannes + for the bug report. + * Generalise --dhcp-relay. Sending via broadcast/multicast is + now supported for both IPv4 and IPv6 and the configuration + syntax made easier (but backwards compatible). + * Add snooping of IPv6 prefix-delegations to the DHCP-relay system. + * Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated + as hex, the pattern must consist of only hex digits AND contain + at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped + over a pattern consisting of a decimal number which was interpreted + surprisingly. + * Include client address in TFTP file-not-found error reports. + Thanks to Stefan Rink for the initial patch, which has been + re-worked by me (srk). All bugs mine. + * Note in manpage the change in behaviour of -address. This behaviour + actually changed in v2.86, but was undocumented there. From 2.86 on, + (eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other + types of query will be sent upstream. Pre 2.86, that would catch the + whole example.com domain and queries for other types would get + a local NODATA answer. The pre-2.86 behaviour is still available, + by configuring --address=/example.com/1.2.3.4 --local=/example.com/ + * Fix problem with binding DHCP sockets to an individual interface. 
+ Despite the fact that the system call tales the interface _name_ as + a parameter, it actually, binds the socket to interface _index_. + Deleting the interface and creating a new one with the same name + leaves the socket bound to the old index. (Creating new sockets + always allocates a fresh index, they are not reused). We now + take this behaviour into account and keep up with changing indexes. + * Add --conf-script configuration option. + * Enhance --domain to accept, for instance, + --domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain + which relects the interface they are attached to in a way which + doesn't require hard-coding addresses. Thanks to Sten Spans for + the idea. + * Fix write-after-free error in DHCPv6 server code. + CVE-2022-0934 refers. + * Add the ability to specify destination port in + DHCP-relay mode. This change also removes a previous bug + where --dhcp-alternate-port would affect the port used + to relay _to_ as well as the port being listened on. + The new feature allows configuration to provide bug-for-bug + compatibility, if required. Thanks to Damian Kaczkowski + for the feature suggestion. + * Bound the value of UDP packet size in the EDNS0 header of + forwarded queries to the configured or default value of + edns-packet-max. There's no point letting a client set a larger + value if we're unable to return the answer. Thanks to Bertie + Taylor for pointing out the problem and supplying the patch. +- drop dnsmasq-CVE-2022-0934.patch, dnsmasq-resolv-conf.patch (upstream) + ------------------------------------------------------------------- Fri Sep 9 11:00:25 UTC 2022 - Callum Farmer diff --git a/dnsmasq.spec b/dnsmasq.spec index 7764995..3251914 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -22,7 +22,7 @@ %bcond_with tftp_user_package %endif Name: dnsmasq -Version: 2.86 +Version: 2.87 Release: 0 Summary: DNS Forwarder and DHCP Server License: GPL-2.0-only OR GPL-3.0-only 
@@ -37,8 +37,6 @@ Source5: rc.dnsmasq-suse Source6: system-user-dnsmasq.conf Source8: %{name}-rpmlintrc Patch0: dnsmasq-groups.patch -Patch1: dnsmasq-resolv-conf.patch -Patch2: dnsmasq-CVE-2022-0934.patch BuildRequires: dbus-1-devel BuildRequires: dos2unix BuildRequires: libidn2-devel @@ -76,8 +74,6 @@ server's leases. %prep %setup -q %patch0 -%patch1 -%patch2 # Remove the executable bit from python example files to # avoid unwanted automatic dependencies
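Review bot: for the dnsmasq-2.87.tar.xz / dnsmasq-2.87.tar.xz.asc hunks, the request only records an LFS pointer (oid sha256:0228c0364a7f2356fd7e7f1549937cbf3099a78d3b2eb1ba5bb0c31e2b89de7a, size 540528) and a detached PGP signature, and nothing in the visible spec context (Source5, Source6, Source8) shows a keyring source that would make the build verify that signature. Please check the new tarball by hand before accepting: the fetched file's `sha256sum` must match the oid in the pointer, and `gpg --verify dnsmasq-2.87.tar.xz.asc dnsmasq-2.87.tar.xz` should succeed with the same upstream key as the 2.86 signature (both armored blocks start with the identical issuer prefix `iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaI`, so a change of signer here would be a red flag).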
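Review bot: deleting dnsmasq-CVE-2022-0934.patch is only correct if the 2.87 tarball already contains Simon Kelley's commit 03345ecefeb0d82e3c3a4c28f27c3554f0611b39. The changes entry does list "Fix write-after-free error in DHCPv6 server code. CVE-2022-0934 refers." under 2.87, but please confirm in the unpacked src/rfc3315.c that dhcp6_no_relay() still records `start_msg = save_counter(-1);` and writes the reply type via `((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;` rather than through a saved `outmsgtypep` pointer, since the whole point of the fix is that the outpacket buffer can be reallocated while options are appended, and an older 2.87 pre-release or a packaging mix-up would silently reintroduce the bug.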
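Review bot: the changes entry drops dnsmasq-resolv-conf.patch as "(upstream)", but none of the quoted 2.87 release notes mention the crash after re-reading an empty resolv.conf (upstream commit d290630d31f4517ab26392d00753d1397f9a4114, which adds the `build_server_array();` call in the delayed branch of poll_resolv()). The deleted patch header says the problem was introduced in 2.86, so please verify that call is present in 2.87's src/dnsmasq.c before dropping the patch; otherwise the dangling-pointer crash would come back with this update.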
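Review bot: in the dnsmasq.changes hunk, the --address note deserves more prominence than a bullet inside the quoted upstream text, because it is security-relevant for anyone using `--address=/domain/ip` as a blocklist or sinkhole: from 2.86 on only A queries are answered locally, so AAAA (and MX, TXT, ...) queries for a "blocked" name go upstream and the name stays reachable over IPv6 unless `--local=/domain/` is added. Since upstream only documented the behaviour change in 2.87, a one-line warning at the top of the entry would help administrators who upgraded through 2.86 unaware of it. Minor: the entry also carries two typos copied from upstream's CHANGELOG, "tales" for "takes" in the interface-binding item and "relects" for "reflects" in the --domain item.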
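Review bot: the dnsmasq.spec hunks remove Patch1/Patch2 and the matching %patch1/%patch2 lines consistently, leaving only Patch0 (dnsmasq-groups.patch) applied after `%setup -q`. That patch was last rebased against 2.86, so please confirm it still applies cleanly (no fuzz or offset warnings) to the 2.87 sources, ideally by running a local `osc build` of this request rather than relying on the changelog alone.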