Notification time stamped 2018-10-25 13:32:54 UTC
From d63c7d423ae5eb8c3b12741e8a3afef4f7d889df Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Oct 24 2018 17:36:17 +0000
Subject: Update to dnsmasq 2.80
Fix underflow patch
---
diff --git a/.gitignore b/.gitignore
index 1e0c820..041189e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@ dnsmasq-2.52.tar.lzma
/dnsmasq-2.77.tar.xz
/dnsmasq-2.78.tar.xz
/dnsmasq-2.79.tar.xz
+/dnsmasq-2.80.tar.xz
diff --git a/dnsmasq-2.77-underflow.patch b/dnsmasq-2.77-underflow.patch
index 2e900bf..f42212e 100644
--- a/dnsmasq-2.77-underflow.patch
+++ b/dnsmasq-2.77-underflow.patch
@@ -1,4 +1,4 @@
-From c82a594d95431e8615126621397ea595eb037a6b Mon Sep 17 00:00:00 2001
+From 0ef799244732871e043d848f2f845c797f5a0745 Mon Sep 17 00:00:00 2001
From: Doran Moppert <dmoppert(a)redhat.com>
Date: Tue, 26 Sep 2017 14:48:20 +0930
Subject: [PATCH] google patch hand-applied
@@ -31,10 +31,10 @@ index af33877..ba6ff0c 100644
free(buff);
p += rdlen;
diff --git a/src/forward.c b/src/forward.c
-index cdd11d3..3078f64 100644
+index 3dd8633..64af66f 100644
--- a/src/forward.c
+++ b/src/forward.c
-@@ -1438,6 +1438,10 @@ void receive_query(struct listener *listen, time_t now)
+@@ -1577,6 +1577,10 @@ void receive_query(struct listener *listen, time_t now)
udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3
*/
}
@@ -46,18 +46,18 @@ index cdd11d3..3078f64 100644
if (auth_dns)
{
diff --git a/src/rfc1035.c b/src/rfc1035.c
-index b078b59..777911b 100644
+index 6290f22..a943ecb 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
-@@ -1281,6 +1281,8 @@ size_t answer_request(struct dns_header *header, char *limit,
size_t qlen,
+@@ -1292,6 +1292,8 @@ size_t answer_request(struct dns_header *header, char *limit,
size_t qlen,
int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
struct mx_srv_record *rec;
size_t len;
+ // Make sure we do not underflow here too.
+ if (qlen > (limit - ((char *)header))) return 0;
- if (ntohs(header->ancount) != 0 ||
- ntohs(header->nscount) != 0 ||
+ /* never answer queries with RD unset, to avoid cache snooping. */
+ if (!(header->hb3 & HB3_RD) ||
--
-2.14.3
+2.14.4
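Review bot: The rebased guard `if (qlen > (limit - ((char *)header))) return 0;` still compares the unsigned `size_t qlen` against the signed `ptrdiff_t` difference, so if a caller ever passed `limit` below `header` the negative difference would convert to a huge unsigned value and the check would silently pass; the new context anchoring it to the `HB3_RD` test does not change that. Since this hunk is the whole point of the carried patch (the underflow fix for bug 1495409), it is worth making the precondition explicit, e.g. `if (limit < (char *)header || qlen > (size_t)(limit - (char *)header)) return 0;`, or at least documenting it in the comment: `// limit is assumed to point at or past header; reject qlen beyond the buffer.` The `@@ -1292,6 +1292,8 @@` offset cannot be verified from here, and answer_request itself begins and continues outside this hunk.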
diff --git a/dnsmasq-2.78-fips.patch b/dnsmasq-2.78-fips.patch
index 011433c..1b77981 100644
--- a/dnsmasq-2.78-fips.patch
+++ b/dnsmasq-2.78-fips.patch
@@ -1,4 +1,4 @@
-From 89f57e39b69f92beacb6bad9c68d61f9c4fb0e77 Mon Sep 17 00:00:00 2001
+From 7b1cce1d0bdb61c09946978d4bdeb05a3cd4202a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Fri, 2 Mar 2018 13:17:04 +0100
Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
@@ -9,7 +9,7 @@ Subject: [PATCH] Print warning on FIPS machine with dnssec enabled.
Dnsmasq
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
-index ce44809..9f6c020 100644
+index 480c5f9..5fd229e 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -187,6 +187,7 @@ int main (int argc, char **argv)
@@ -20,10 +20,10 @@ index ce44809..9f6c020 100644
#else
die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL,
EC_BADCONF);
#endif
-@@ -769,7 +770,10 @@ int main (int argc, char **argv)
- }
-
- my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
+@@ -786,7 +787,10 @@ int main (int argc, char **argv)
+ my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are
trusted"));
+ else
+ my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
-
+
+ if (access("/etc/system-fips", F_OK) == 0)
diff --git a/dnsmasq-2.79-randomize-ports.patch b/dnsmasq-2.79-randomize-ports.patch
index e37931b..0f6a815 100644
--- a/dnsmasq-2.79-randomize-ports.patch
+++ b/dnsmasq-2.79-randomize-ports.patch
@@ -1,4 +1,4 @@
-From 6899c5c5b9a32aa2ce0513b5e69356844988c64e Mon Sep 17 00:00:00 2001
+From 8455bcbe5311ee0d15bcebe494580fec8868a93a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Thu, 9 Aug 2018 18:17:26 +0200
Subject: [PATCH] Use OS random ports by default
@@ -13,20 +13,20 @@ separately. Would use port according to system policy.
3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
-index 9f6c020..4cd478e 100644
+index ac5d8aa..6d51d3b 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
-@@ -226,7 +226,7 @@ int main (int argc, char **argv)
- die(_("loop detection not available: set HAVE_LOOP in src/config.h"),
NULL, EC_BADCONF);
+@@ -230,7 +230,7 @@ int main (int argc, char **argv)
+ die(_("Ubus not available: set HAVE_UBUS in src/config.h"), NULL,
EC_BADCONF);
#endif
-
+
- if (daemon->max_port < daemon->min_port)
+ if (daemon->max_port >= 0 && daemon->max_port <
daemon->min_port)
die(_("max_port cannot be smaller than min_port"), NULL, EC_BADCONF);
now = dnsmasq_time();
diff --git a/src/network.c b/src/network.c
-index 0381513..9747d26 100644
+index 8ae7a70..58a2819 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1138,18 +1138,27 @@ int random_sock(int family)
@@ -61,10 +61,10 @@ index 0381513..9747d26 100644
if (family == AF_INET)
{
diff --git a/src/option.c b/src/option.c
-index d358d99..b7eaff0 100644
+index 7ccbdea..477dd52 100644
--- a/src/option.c
+++ b/src/option.c
-@@ -2602,6 +2602,8 @@ static int one_opt(int option, char *arg, char *errstr, char
*gen_err, int comma
+@@ -2619,6 +2619,8 @@ static int one_opt(int option, char *arg, char *errstr, char
*gen_err, int comma
case LOPT_MINPORT: /* --min-port */
if (!atoi_check16(arg, &daemon->min_port))
ret_err(gen_err);
@@ -73,7 +73,7 @@ index d358d99..b7eaff0 100644
break;
case LOPT_MAXPORT: /* --max-port */
-@@ -4678,7 +4680,7 @@ void read_opts(int argc, char **argv, char *compile_opts)
+@@ -4754,7 +4756,7 @@ void read_opts(int argc, char **argv, char *compile_opts)
daemon->soa_refresh = SOA_REFRESH;
daemon->soa_retry = SOA_RETRY;
daemon->soa_expiry = SOA_EXPIRY;
diff --git a/dnsmasq-2.80-dnssec.patch b/dnsmasq-2.80-dnssec.patch
deleted file mode 100644
index a34f46e..0000000
--- a/dnsmasq-2.80-dnssec.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From a997ca0da044719a0ce8a232d14da8b30022592b Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Fri, 29 Jun 2018 14:39:41 +0100
-Subject: [PATCH] Fix sometimes missing DNSSEC RRs when DNSSEC validation not
- enabled.
-
-Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective
-of of having DNSSEC validation compiled in or enabled.
-
-The thing to understand here is that the cache does not store all the
-DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
-to determine the set of DNSSEC RRs required in an answer. Therefore if
-the client wants the DNSSEC RRs, the query can not be answered from
-the cache. When DNSSEC validation is enabled, any query with the
-do-bit set is never answered from the cache, unless the domain is
-known not to be signed: the query is always forwarded. This ensures
-that the DNSEC RRs are included.
-
-The same thing should be true when DNSSEC validation is not enabled,
-but there's a bug in the logic.
-
-line 1666 of src/rfc1035.c looks like this
-
- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit ||
!(crecp->flags & F_DNSSECOK))
-
-{ ...answer from cache ... }
-
-So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
-then the query is answered, and if the domain is known not to be
-signed, the query is answered.
-
-Unfortunately, if DNSSEC validation is not turned on then the
-F_DNSSECOK bit is not valid, and it's always zero, so the question
-always gets answered from the cache, even when the do-bit is set.
-
-This code should look like that at line 1468, dealing with PTR queries
-
- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
- !do_bit ||
- (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
-
-where the F_DNSSECOK bit is only used when validation is enabled.
----
- src/rfc1035.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index ebb1f36..580f5ef 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1663,7 +1663,9 @@ size_t answer_request(struct dns_header *header, char *limit,
size_t qlen,
- }
-
- /* If the client asked for DNSSEC don't use cached data. */
-- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit ||
!(crecp->flags & F_DNSSECOK))
-+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
-+ !do_bit ||
-+ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
- do
- {
- /* don't answer wildcard queries with data not from /etc/hosts
-@@ -1747,7 +1749,7 @@ size_t answer_request(struct dns_header *header, char *limit,
size_t qlen,
- {
- if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR :
0))) &&
- (qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
-- ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags &
F_DNSSECOK)))
-+ ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID)
&& !(crecp->flags & F_DNSSECOK))))
- {
- if (!(crecp->flags & F_DNSSECOK))
- sec_data = 0;
---
-2.14.4
-
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 3319fd7..4d46827 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -12,8 +12,8 @@
%define _hardened_build 1
Name: dnsmasq
-Version: 2.79
-Release: 8%{?extraversion:.%{extraversion}}%{?dist}
+Version: 2.80
+Release: 1%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3
@@ -25,8 +25,7 @@ Source2: dnsmasq-systemd-sysusers.conf
#
https://bugzilla.redhat.com/show_bug.cgi?id=1495409
Patch1: dnsmasq-2.77-underflow.patch
Patch3: dnsmasq-2.78-fips.patch
-Patch4: dnsmasq-2.80-dnssec.patch
-Patch5: dnsmasq-2.79-randomize-ports.patch
+Patch5: dnsmasq-2.79-randomize-ports.patch
# This is workaround to nettle bug #1549190
#
https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@@ -63,7 +62,6 @@ server's leases.
%setup -q -n %{name}-%{version}%{?extraversion}
%patch1 -p1 -b .underflow
%patch3 -p1 -b .fips
-%patch4 -p1 -b .dnssec
%patch5 -p1 -b .ports
# use /var/lib/dnsmasq instead of /var/lib/misc
@@ -165,6 +163,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
%{_mandir}/man1/dhcp_*
%changelog
+* Mon Aug 20 2018 Petr Menšík <pemensik(a)redhat.com> - 2.80-1
+- Update to 2.80
+
* Thu Aug 09 2018 Petr Menšík <pemensik(a)redhat.com> - 2.79-8
- Better randomize ports
diff --git a/sources b/sources
index c0990c5..fd1fa6d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (dnsmasq-2.79.tar.xz) =
2c06212696ab55e1584f6133872f5b196013509e4b1822d0457787b456e14341afdde887749e370a2e512124cb4138f012f4601b08690707be4acc7cf2f2876f
+SHA512 (dnsmasq-2.80.tar.xz) =
58e56beb553fc41311e5dc16d8b0eb3b6801e2bdfbcd0e7a6659703f08960b6ad10d48b0b14a4d727636faf35483e01597cff2ae49e7fe9fa9e214f437b1c068
https://src.fedoraproject.org/rpms/dnsmasq/c/d63c7d423ae5eb8c3b12741e8a3a...