[libvirt/f17] Fix conflict with NM launched dnsmasq (bz #886663)

Cole Robinson crobinso at fedoraproject.org
Sun Dec 16 19:45:56 UTC 2012


commit d4e5211296a00a0cff32e1a1daaa025002add736
Author: Cole Robinson <crobinso at redhat.com>
Date:   Sun Dec 16 14:45:50 2012 -0500

    Fix conflict with NM launched dnsmasq (bz #886663)

 ...event-dnsmasq-from-listening-on-localhost.patch |  182 ++++++++++++++++++++
 libvirt.spec                                       |    8 +-
 2 files changed, 189 insertions(+), 1 deletions(-)
---
diff --git a/0001-network-prevent-dnsmasq-from-listening-on-localhost.patch b/0001-network-prevent-dnsmasq-from-listening-on-localhost.patch
new file mode 100644
index 0000000..ffc9d63
--- /dev/null
+++ b/0001-network-prevent-dnsmasq-from-listening-on-localhost.patch
@@ -0,0 +1,182 @@
+From 9eb2b573253626c8c9329140d4ce2043863e417b Mon Sep 17 00:00:00 2001
+Message-Id: <9eb2b573253626c8c9329140d4ce2043863e417b.1355686333.git.crobinso at redhat.com>
+From: Laine Stump <laine at laine.org>
+Date: Thu, 13 Dec 2012 01:46:40 -0500
+Subject: [PATCH] network: prevent dnsmasq from listening on localhost
+
+This patch resolves the problem reported in:
+
+   https://bugzilla.redhat.com/show_bug.cgi?id=886663
+
+The source of the problem was the fix for CVE 2011-3411:
+
+   https://bugzilla.redhat.com/show_bug.cgi?id=833033
+
+which was originally committed upstream in commit
+753ff83a50263d6975f88d6605d4b5ddfcc97560. That commit improperly
+removed the "--except-interface lo" from dnsmasq commandlines when
+--bind-dynamic was used (based on comments in the latter bug).
+
+It turns out that the problem reported in the CVE could be eliminated
+without removing "--except-interface lo", and removing it actually
+caused each instance of dnsmasq to listen on localhost on port 53,
+which created a new problem:
+
+If another instance of dnsmasq using "bind-interfaces" (instead of
+"bind-dynamic") had already been started (or if another instance
+started later used "bind-dynamic"), this wouldn't have any immediately
+visible ill effects, but if you tried to start another dnsmasq
+instance using "bind-interfaces" *after* starting any libvirt
+networks, the new dnsmasq would fail to start, because there was
+already another process listening on port 53.
+
+This patch changes the network driver to *always* add
+"except-interface=lo" to dnsmasq conf files, regardless of whether we use
+bind-dynamic or bind-interfaces. This way no libvirt dnsmasq instances
+are listening on localhost (and the CVE is still fixed).
+
+The actual code change is miniscule, but must be propogated through all
+of the test files as well.
+
+(This is *not* a cherry-pick of the upstream commit that fixes the bug
+(commit d66eb7866757dd371560c288dc6201fb9348792a), because subsequent
+to the CVE fix, another patch changed the network driver to put
+dnsmasq options in a conf file rather than directly on the dnsmasq
+commandline preserving the same options), so a cherry-pick is just one
+very large conflict.)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index 8010797..6053770 100644
+--- a/src/network/bridge_driver.c
++++ b/src/network/bridge_driver.c
+@@ -510,6 +510,9 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
+     /* *no* conf file */
+     virCommandAddArg(cmd, "--conf-file=");
+ 
++    /* dnsmasq will *always* listen on localhost unless told otherwise */
++    virCommandAddArgList(cmd, "--except-interface", "lo", NULL);
++
+     if (dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC)) {
+         /* using --bind-dynamic with only --interface (no
+          * --listen-address) prevents dnsmasq from responding to dns
+@@ -523,10 +526,7 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
+                              "--interface", network->def->bridge,
+                              NULL);
+     } else {
+-        virCommandAddArgList(cmd,
+-                             "--bind-interfaces",
+-                             "--except-interface", "lo",
+-                             NULL);
++        virCommandAddArg(cmd, "--bind-interfaces");
+         /*
+          * --interface does not actually work with dnsmasq < 2.47,
+          * due to DAD for ipv6 addresses on the interface.
+diff --git a/tests/networkxml2argvdata/isolated-network.argv b/tests/networkxml2argvdata/isolated-network.argv
+index d629192..d91c730 100644
+--- a/tests/networkxml2argvdata/isolated-network.argv
++++ b/tests/networkxml2argvdata/isolated-network.argv
+@@ -1,6 +1,6 @@
+ @DNSMASQ@ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo \
++--except-interface lo --bind-interfaces \
+ --listen-address 192.168.152.1 \
+ --dhcp-option=3 --no-resolv \
+ --dhcp-range 192.168.152.2,192.168.152.254 \
+diff --git a/tests/networkxml2argvdata/nat-network-dns-hosts.argv b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
+index e5143ac..431e987 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-hosts.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
+@@ -1,5 +1,5 @@
+ @DNSMASQ@ --strict-order --domain=example.com \
+ --local=/example.com/ --domain-needed \
+ --conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+ --expand-hosts --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts\
+diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
+index c38b954..9c26f32 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
+@@ -1,7 +1,7 @@
+ @DNSMASQ@ \
+ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo \
++--except-interface lo --bind-interfaces \
+ --listen-address 192.168.122.1 \
+ --listen-address 192.168.123.1 \
+ --listen-address fc00:db8:ac10:fe01::1 \
+diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
+index 311b0d7..ff9c223 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
+@@ -1,7 +1,7 @@
+ @DNSMASQ@ \
+ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+ --srv-host=name.tcp.test-domain-name,.,1024,10,10 \
+ --dhcp-range 192.168.122.2,192.168.122.254 \
+ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
+diff --git a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
+index cbdf50d..2b133ff 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
+@@ -1,6 +1,6 @@
+ @DNSMASQ@ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+ --txt-record=example,example value \
+ --dhcp-range 192.168.122.2,192.168.122.254 \
+ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
+diff --git a/tests/networkxml2argvdata/nat-network.argv b/tests/networkxml2argvdata/nat-network.argv
+index 967ca94..1a771d0 100644
+--- a/tests/networkxml2argvdata/nat-network.argv
++++ b/tests/networkxml2argvdata/nat-network.argv
+@@ -1,6 +1,6 @@
+ @DNSMASQ@ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+ --dhcp-range 192.168.122.2,192.168.122.254 \
+ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
+ --dhcp-lease-max=253 --dhcp-no-override \
+diff --git a/tests/networkxml2argvdata/netboot-network.argv b/tests/networkxml2argvdata/netboot-network.argv
+index bcd6fad..9f8d114 100644
+--- a/tests/networkxml2argvdata/netboot-network.argv
++++ b/tests/networkxml2argvdata/netboot-network.argv
+@@ -1,6 +1,6 @@
+ @DNSMASQ@ --strict-order --domain=example.com \
+ --local=/example.com/ --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo --listen-address 192.168.122.1 \
++--except-interface lo --bind-interfaces --listen-address 192.168.122.1 \
+ --dhcp-range 192.168.122.2,192.168.122.254 \
+ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
+ --dhcp-lease-max=253 --dhcp-no-override --expand-hosts --enable-tftp \
+diff --git a/tests/networkxml2argvdata/netboot-proxy-network.argv b/tests/networkxml2argvdata/netboot-proxy-network.argv
+index 8c5ef9b..90a31e2 100644
+--- a/tests/networkxml2argvdata/netboot-proxy-network.argv
++++ b/tests/networkxml2argvdata/netboot-proxy-network.argv
+@@ -1,6 +1,6 @@
+ @DNSMASQ@ --strict-order --domain=example.com \
+ --local=/example.com/ --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo \
++--except-interface lo --bind-interfaces \
+ --listen-address 192.168.122.1 \
+ --dhcp-range 192.168.122.2,192.168.122.254 \
+ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
+diff --git a/tests/networkxml2argvdata/routed-network.argv b/tests/networkxml2argvdata/routed-network.argv
+index eacdf2d..862013e 100644
+--- a/tests/networkxml2argvdata/routed-network.argv
++++ b/tests/networkxml2argvdata/routed-network.argv
+@@ -1,3 +1,3 @@
+ @DNSMASQ@ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr1\
++--except-interface lo --bind-dynamic --interface virbr1\
+-- 
+1.8.0.2
+
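Review bot: The new comment above the unconditional `--except-interface lo` in networkBuildDnsmasqArgv says dnsmasq "will *always* listen on localhost unless told otherwise", but not why that still holds in the `--bind-dynamic` branch that already restricts listening with `--interface <bridge>`; dnsmasq(8) documents that `--interface` implicitly adds the loopback interface, which is the non-obvious reason the exclusion has to sit outside both branches, so I would write it as `/* dnsmasq(8): --interface implicitly adds lo, so it must be excluded explicitly in both branches */`. The patch description in this file cites `CVE 2011-3411` for bug 833033 while the spec changelog in this same commit names the dnsmasq open-proxy fix CVE-2012-3411; the year looks like a typo and is worth fixing before the patch lands in dist-git history. networkBuildDnsmasqArgv starts before and continues after the hunk, so whether any other option added later in the function reintroduces a loopback listener cannot be confirmed from here.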
diff --git a/libvirt.spec b/libvirt.spec
index 644c407..4d529fa 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -274,7 +274,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 0.9.11.8
-Release: 1%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 
@@ -297,6 +297,8 @@ Patch4: libvirt-sanlock-readonly-option.patch
 # Fix LXC domain startup with selinux=disabled (bz 858104)
 # keep: non upstream fix that doesn't apply to git head
 Patch5: libvirt-lxc-selinux-context-error.patch
+# Fix conflict with NM launched dnsmasq (bz 886663)
+Patch6: 0001-network-prevent-dnsmasq-from-listening-on-localhost.patch
 
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
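Review bot: The new `Patch6` comment says what the patch fixes but, unlike the `Patch5` entry just above it that carries a `# keep:` marker, gives no hint about its upstream status, which is what the next rebase needs in order to decide whether to drop it. The patch header itself states it is a hand-ported backport of upstream commit d66eb7866757dd371560c288dc6201fb9348792a rather than a cherry-pick, so I would extend the comment to `# backport of upstream d66eb78667 (not a clean cherry-pick); drop once rebased past it`.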
@@ -769,6 +771,7 @@ of recent versions of Linux (and other OSes).
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 %build
 %if ! %{with_xen}
@@ -1500,6 +1503,9 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
 %endif
 
 %changelog
+* Sun Dec 16 2012 Cole Robinson <crobinso at redhat.com> - 0.9.11.8-2
+- Fix conflict with NM launched dnsmasq (bz #886663)
+
 * Sun Dec 09 2012 Cole Robinson <crobinso at redhat.com> - 0.9.11.8-1
 - Rebased to version 0.9.11.8
 - CVE-2012-3411: avoid open DNS proxy with dnsmasq (bz #874702, bz #882309)

