Notification time stamped 2020-06-30 17:18:24 UTC
From 744ba31be775c11b1f52104d6285509b06b81035 Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Jun 30 2020 17:13:15 +0000
Subject: Listen only on localhost in default configuration
Require manual configuration to enable either local-service for any
connected networks or interface to listen on all hosts on an interface.
---
diff --git a/dnsmasq-2.81-configuration.patch b/dnsmasq-2.81-configuration.patch
new file mode 100644
index 0000000..0cf66c7
--- /dev/null
+++ b/dnsmasq-2.81-configuration.patch
@@ -0,0 +1,79 @@
+From d07d1bcdd739da00d0acb8c4561c33bc4d27a0da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
+Date: Tue, 30 Jun 2020 18:06:29 +0200
+Subject: [PATCH] Modify upstream configuration to safe defaults
+
+Most important change would be to listen only on localhost. Default
+configuration should not listen to request from remote hosts. Match also
+user and paths to directories shipped in Fedora.
+---
+ dnsmasq.conf.example | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
+index bf19424..a130118 100644
+--- a/dnsmasq.conf.example
++++ b/dnsmasq.conf.example
+@@ -22,7 +22,7 @@
+
+ # Uncomment these to enable DNSSEC validation and caching:
+ # (Requires dnsmasq to be built with DNSSEC option.)
+-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
++#conf-file=/usr/share/dnsmasq/trust-anchors.conf
+ #dnssec
+
+ # Replies which are not DNSSEC signed may be legitimate, because the domain
+@@ -96,14 +96,16 @@
+
+ # If you want dnsmasq to change uid and gid to something other
+ # than the default, edit the following lines.
+-#user=
+-#group=
++user=dnsmasq
++group=dnsmasq
+
+ # If you want dnsmasq to listen for DHCP and DNS requests only on
+ # specified interfaces (and the loopback) give the name of the
+ # interface (eg eth0) here.
+ # Repeat the line for more than one interface.
+ #interface=
++# Listen only on localhost by default
++interface=lo
+ # Or you can specify which interface _not_ to listen on
+ #except-interface=
+ # Or which to listen on by address (remember to include 127.0.0.1 if
+@@ -114,6 +116,10 @@
+ # disable DHCP and TFTP on it.
+ #no-dhcp-interface=
+
++# Serve DNS and DHCP only to networks directly connected to this machine.
++# Any interface= line will override it.
++#local-service
++
+ # On systems which support it, dnsmasq binds the wildcard address,
+ # even when it is listening on only some interfaces. It then discards
+ # requests that it shouldn't reply to. This has the advantage of
+@@ -535,7 +541,7 @@
+ # The DHCP server needs somewhere on disk to keep its lease database.
+ # This defaults to a sane location, but if you want to change it, use
+ # the line below.
+-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
++#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
+
+ # Set the DHCP server to authoritative mode. In this mode it will barge in
+ # and take over the lease for any client which broadcasts on the network,
+@@ -673,7 +679,11 @@
+ # Include all files in a directory which end in .conf
+ #conf-dir=/etc/dnsmasq.d/,*.conf
+
++# Include all files in /etc/dnsmasq.d except RPM backup files
++conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
++
+ # If a DHCP client claims that its name is "wpad", ignore that.
+ # This fixes a security hole. see CERT Vulnerability VU#598349
+ #dhcp-name-match=set:wpad-ignore,wpad
+ #dhcp-ignore-names=tag:wpad-ignore
++
+--
+2.26.2
+
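Review bot: the comment added for local-service ("Serve DNS and DHCP only to networks directly connected to this machine. Any interface= line will override it.") understates what disables the option and overstates its scope: the dnsmasq manual describes --local-service as accepting DNS queries only (DHCP is unaffected) from hosts on a directly attached subnet, and says it has no effect if any --interface, --except-interface, --listen-address or --auth-server option is present, not only interface=. Suggest rewording to something like "Accept DNS queries only from directly connected networks. Ignored if interface=, except-interface=, listen-address= or auth-server= is set." Two smaller points in the same hunk: with `interface=lo` enabled unconditionally, the DHCP and TFTP servers are also confined to the loopback, so the comment at that line should tell administrators that they must change or remove it before enabling DHCP; and the final `+` line appends a trailing blank line to dnsmasq.conf.example that the heredoc being removed from the spec used to produce, which is no longer needed.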
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 2db0d37..7bc3eb2 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -20,7 +20,7 @@
Name: dnsmasq
Version: 2.81
-Release: 3%{?extraversion:.%{extraversion}}%{?dist}
+Release: 4%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3
@@ -38,6 +38,8 @@ Source4:
http://www.thekelleys.org.uk/srkgpg.txt
#
https://bugzilla.redhat.com/show_bug.cgi?id=1495409
Patch1: dnsmasq-2.77-underflow.patch
+#
https://bugzilla.redhat.com/show_bug.cgi?id=1852373
+Patch2: dnsmasq-2.81-configuration.patch
Patch3: dnsmasq-2.78-fips.patch
#
https://bugzilla.redhat.com/show_bug.cgi?id=1728701
Patch7: dnsmasq-2.80-rh1728701.patch
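Review bot: Patch2 is declared with its Bugzilla reference but this diff contains no matching application step; if %prep in this spec applies patches with explicit `%patchN` lines rather than %autosetup, a `%patch2 -p1` (or the project's equivalent) needs to be added, otherwise the new defaults will not reach the shipped dnsmasq.conf.example. Worth confirming in the unchanged part of %prep before merging.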
@@ -106,12 +108,6 @@ for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8
src/config.h; do
sed -i 's|/var/lib/misc/dnsmasq.leases|/var/lib/dnsmasq/dnsmasq.leases|g'
"$file"
done
-# fix the path to the trust anchor
-sed -i 's|%%%%PREFIX%%%%|%{_prefix}|' dnsmasq.conf.example
-
-#set dnsmasq user / group
-sed -i 's|#user=|user=dnsmasq|' dnsmasq.conf.example
-sed -i 's|#group=|group=dnsmasq|' dnsmasq.conf.example
#set default user /group in src/config.h
sed -i 's|#define CHUSER "nobody"|#define CHUSER "dnsmasq"|'
src/config.h
sed -i 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|'
src/config.h
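Review bot: the retained `for file in ...` loop still runs the leasefile substitution over dnsmasq.conf.example even though Patch2 now rewrites `#dhcp-leasefile=` in that file to the same /var/lib/dnsmasq path; the sed is idempotent so nothing breaks, but the path is now maintained in two places. Either drop dnsmasq.conf.example from the loop or drop the leasefile hunk from the patch so there is a single source of truth. Removing the `%%%%PREFIX%%%%` and user/group seds here is consistent with the patch carrying those edits directly.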
@@ -119,14 +115,6 @@ sed -i 's|#define CHGRP "dip"|#define CHGRP
"dnsmasq"|' src/config.h
# optional parts
sed -i 's|^COPTS[[:space:]]*=|\0 -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_DNSSEC|'
Makefile
-#enable /etc/dnsmasq.d fix bz 526703, ignore RPM backup files
-cat << EOF >> dnsmasq.conf.example
-
-# Include all files in /etc/dnsmasq.d except RPM backup files
-conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
-EOF
-
-
%build
%make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
%make_build -C contrib/lease-tools CFLAGS="$RPM_OPT_FLAGS"
LDFLAGS="$RPM_LD_FLAGS"
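Review bot: the removed heredoc carried the only reference to the original bug ("fix bz 526703") for the conf-dir line; the equivalent `conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig` line now lives in Patch2 without that reference. Suggest keeping the bz 526703 reference in the patch's comment or in the spec comment above Patch2 so the history of that line is not lost. The two trailing blank lines removed before %build are fine.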
@@ -198,6 +186,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
%{_mandir}/man1/dhcp_*
%changelog
+* Tue Jun 30 2020 Petr Menšík <pemensik(a)redhat.com> - 2.81-4
+- Accept queries only from localhost (CVE-2020-14312)
+
* Mon May 11 2020 Petr Menšík <pemensik(a)redhat.com> - 2.81-3
- Correct multiple entries with the same mac address (#1834454)
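Review bot: the new changelog entry cites CVE-2020-14312 but not the Bugzilla id #1852373 that the Patch2 comment references, whereas the previous entry uses the "(#id)" form; for consistency and traceability suggest `- Accept queries only from localhost (CVE-2020-14312, #1852373)`. It may also be worth stating in the entry that only the shipped default configuration changes, so administrators with an existing customised dnsmasq.conf know what to check.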
https://src.fedoraproject.org/rpms/dnsmasq/c/744ba31be775c11b1f52104d6285...