pemensik pushed to dnsmasq (f27). "Security fix, CVE-2017-14493,
DHCPv6 - Stack buffer overflow. (..more)"
From e84d4fc50ead3a545aa77edfbefaecd80ecc94df Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Oct 02 2017 15:08:22 +0000
Subject: Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow.
Fix stack overflow in DHCPv6 code. An attacker who can send
a DHCPv6 request to dnsmasq can overflow the stack frame and
crash or control dnsmasq.
Signed-off-by: Petr Menšík <pemensik(a)redhat.com>
---
diff --git a/dnsmasq-2.77-CVE-2017-14493.patch b/dnsmasq-2.77-CVE-2017-14493.patch
new file mode 100644
index 0000000..d80553c
--- /dev/null
+++ b/dnsmasq-2.77-CVE-2017-14493.patch
@@ -0,0 +1,30 @@
+From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 18:52:50 +0100
+Subject: [PATCH 4/9] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer
+ overflow.
+
+Fix stack overflow in DHCPv6 code. An attacker who can send
+a DHCPv6 request to dnsmasq can overflow the stack frame and
+crash or control dnsmasq.
+---
+ src/rfc3315.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 1687931..920907c 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+ /* RFC-6939 */
+ if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
+ {
++ if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
++ return 0;
++ }
+ state->mac_type = opt6_uint(opt, 0, 2);
+ state->mac_len = opt6_len(opt) - 2;
+ memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);
+--
+2.9.5
+
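Review bot: The added guard `if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {` puts the opening brace on the `if` line, whereas the surrounding code in this hunk (the `{` after the `opt6_find` test) puts braces on their own line; matching the file's layout is the usual expectation for an upstream-derived patch. The check also leans on the `3` passed to `opt6_find` two lines earlier — presumably a minimum option length — to keep `opt6_len(opt) - 2` non-negative, and that dependency deserves a one-line comment such as `/* opt6_find enforced len >= 3; bound the MAC length to what state->mac can hold */`. The bare `return 0;` discards the message without any log line, so an oversize client-MAC option leaves nothing for operators to detect; a warning through the project's logging helper on that path would help, if logging is acceptable at this point. dhcp6_maybe_relay starts and ends outside the hunk. The identical patch file is added in the f26 and f25 pushes below, so the same remarks apply there.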
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 150234e..9583493 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -25,6 +25,7 @@ Source1: %{name}.service
Patch1: dnsmasq-2.77-CVE-2017-13704.patch
Patch2: dnsmasq-2.77-CVE-2017-14491.patch
Patch3: dnsmasq-2.77-CVE-2017-14492.patch
+Patch4: dnsmasq-2.77-CVE-2017-14493.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -62,6 +63,7 @@ query/remove a DHCP server's leases.
%patch1 -p1 -b .CVE-2017-13704
%patch2 -p1 -b .CVE-2017-14491
%patch3 -p1 -b .CVE-2017-14492
+%patch4 -p1 -b .CVE-2017-14493
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -149,8 +151,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Mon Oct 02 2017 Petr Menšík <pemensik(a)redhat.com> - 2.77-8
-- Security fix, CVE-2017-14491 DNS heap buffer overflow
-- Security fix, CVE-2017-14492 DHCPv6 RA heap overflow
+- Security fix, CVE-2017-14491, DNS heap buffer overflow
+- Security fix, CVE-2017-14492, DHCPv6 RA heap overflow
+- Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow
* Thu Sep 14 2017 Petr Menšík <pemensik(a)redhat.com> - 2.77-7
- Fix CVE-2017-13704
https://src.fedoraproject.org/rpms/dnsmasq/c/e84d4fc50ead3a545aa77edfbefa...
pemensik pushed to dnsmasq (f26). "Security fix, CVE-2017-14493,
DHCPv6 - Stack buffer overflow. (..more)"
From 1bca83a5d36c969c4e8c2c2343d592e57094903d Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Oct 02 2017 15:37:39 +0000
Subject: Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow.
Fix stack overflow in DHCPv6 code. An attacker who can send
a DHCPv6 request to dnsmasq can overflow the stack frame and
crash or control dnsmasq.
Signed-off-by: Petr Menšík <pemensik(a)redhat.com>
---
diff --git a/dnsmasq-2.77-CVE-2017-14493.patch b/dnsmasq-2.77-CVE-2017-14493.patch
new file mode 100644
index 0000000..d80553c
--- /dev/null
+++ b/dnsmasq-2.77-CVE-2017-14493.patch
@@ -0,0 +1,30 @@
+From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 18:52:50 +0100
+Subject: [PATCH 4/9] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer
+ overflow.
+
+Fix stack overflow in DHCPv6 code. An attacker who can send
+a DHCPv6 request to dnsmasq can overflow the stack frame and
+crash or control dnsmasq.
+---
+ src/rfc3315.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 1687931..920907c 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+ /* RFC-6939 */
+ if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
+ {
++ if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
++ return 0;
++ }
+ state->mac_type = opt6_uint(opt, 0, 2);
+ state->mac_len = opt6_len(opt) - 2;
+ memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);
+--
+2.9.5
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index c6b7699..0e7246e 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -27,6 +27,7 @@ Source1: %{name}.service
Patch0: dnsmasq-2.76-dns-sleep-resume.patch
Patch2: dnsmasq-2.77-CVE-2017-14491.patch
Patch3: dnsmasq-2.77-CVE-2017-14492.patch
+Patch4: dnsmasq-2.77-CVE-2017-14493.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -64,6 +65,7 @@ query/remove a DHCP server's leases.
%patch0 -p1
%patch2 -p1 -b .CVE-2017-14491
%patch3 -p1 -b .CVE-2017-14492
+%patch4 -p1 -b .CVE-2017-14493
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -152,8 +154,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Mon Oct 02 2017 Petr Menšík <pemensik(a)redhat.com> - 2.76-4
-- Security fix, CVE-2017-14491 DNS heap buffer overflow
-- Security fix, CVE-2017-14492 DHCPv6 RA heap overflow
+- Security fix, CVE-2017-14491, DNS heap buffer overflow
+- Security fix, CVE-2017-14492, DHCPv6 RA heap overflow
+- Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow
* Fri Feb 10 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.76-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
https://src.fedoraproject.org/rpms/dnsmasq/c/1bca83a5d36c969c4e8c2c2343d5...
pemensik pushed to dnsmasq (f25). "Security fix, CVE-2017-14493,
DHCPv6 - Stack buffer overflow. (..more)"
From a6aab10a4b21dc090aba3a238b2c0b17a4ce3eff Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Oct 02 2017 15:41:08 +0000
Subject: Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow.
Fix stack overflow in DHCPv6 code. An attacker who can send
a DHCPv6 request to dnsmasq can overflow the stack frame and
crash or control dnsmasq.
Signed-off-by: Petr Menšík <pemensik(a)redhat.com>
---
diff --git a/dnsmasq-2.77-CVE-2017-14493.patch b/dnsmasq-2.77-CVE-2017-14493.patch
new file mode 100644
index 0000000..d80553c
--- /dev/null
+++ b/dnsmasq-2.77-CVE-2017-14493.patch
@@ -0,0 +1,30 @@
+From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 18:52:50 +0100
+Subject: [PATCH 4/9] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer
+ overflow.
+
+Fix stack overflow in DHCPv6 code. An attacker who can send
+a DHCPv6 request to dnsmasq can overflow the stack frame and
+crash or control dnsmasq.
+---
+ src/rfc3315.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 1687931..920907c 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+ /* RFC-6939 */
+ if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
+ {
++ if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
++ return 0;
++ }
+ state->mac_type = opt6_uint(opt, 0, 2);
+ state->mac_len = opt6_len(opt) - 2;
+ memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);
+--
+2.9.5
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 9a25b7f..5b3f53c 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -27,6 +27,7 @@ Source1: %{name}.service
Patch0: dnsmasq-2.76-dns-sleep-resume.patch
Patch2: dnsmasq-2.77-CVE-2017-14491.patch
Patch3: dnsmasq-2.77-CVE-2017-14492.patch
+Patch4: dnsmasq-2.77-CVE-2017-14493.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -64,6 +65,7 @@ query/remove a DHCP server's leases.
%patch0 -p1
%patch2 -p1 -b .CVE-2017-14491
%patch3 -p1 -b .CVE-2017-14492
+%patch4 -p1 -b .CVE-2017-14493
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -152,8 +154,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Mon Oct 02 2017 Petr Menšík <pemensik(a)redhat.com> - 2.76-3
-- Security fix, CVE-2017-14491 DNS heap buffer overflow
-- Security fix, CVE-2017-14492 DHCPv6 RA heap overflow
+- Security fix, CVE-2017-14491, DNS heap buffer overflow
+- Security fix, CVE-2017-14492, DHCPv6 RA heap overflow
+- Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow
* Wed Oct 19 2016 Pavel Šimerda <psimerda(a)redhat.com> - 2.76-2
- Resolves: #1373485 - dns not updated after sleep and resume laptop
https://src.fedoraproject.org/rpms/dnsmasq/c/a6aab10a4b21dc090aba3a238b2c...
pemensik pushed to dnsmasq (master). "Security fix, CVE-2017-14495,
OOM in DNS response (..more)"
From ce9aecdce07054e92b72e106ec3075a8cb16144b Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Oct 02 2017 15:08:22 +0000
Subject: Security fix, CVE-2017-14495, OOM in DNS response
creation.
Fix an out-of-memory DoS vulnerability. An attacker who can
send malicious DNS queries to dnsmasq can trigger memory
allocations in the add_pseudoheader function.
The allocated memory is never freed, which leads to a DoS
through memory exhaustion. dnsmasq is vulnerable only
if one of the following options is specified:
--add-mac, --add-cpe-id or --add-subnet.
Signed-off-by: Petr Menšík <pemensik(a)redhat.com>
---
diff --git a/dnsmasq-2.77-CVE-2017-14495.patch b/dnsmasq-2.77-CVE-2017-14495.patch
new file mode 100644
index 0000000..0f793aa
--- /dev/null
+++ b/dnsmasq-2.77-CVE-2017-14495.patch
@@ -0,0 +1,41 @@
+From 51eadb692a5123b9838e5a68ecace3ac579a3a45 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:16:50 +0100
+Subject: [PATCH 7/9] Security fix, CVE-2017-14495, OOM in DNS response
+ creation.
+
+Fix out-of-memory Dos vulnerability. An attacker which can
+send malicious DNS queries to dnsmasq can trigger memory
+allocations in the add_pseudoheader function
+The allocated memory is never freed which leads to a DoS
+through memory exhaustion. dnsmasq is vulnerable only
+if one of the following option is specified:
+--add-mac, --add-cpe-id or --add-subnet.
+---
+ src/edns0.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/edns0.c b/src/edns0.c
+index 95b74ee..89b2692 100644
+--- a/src/edns0.c
++++ b/src/edns0.c
+@@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+ !(p = skip_section(p,
+ ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
+ header, plen)))
++ {
++ free(buff);
+ return plen;
++ }
+ if (p + 11 > limit)
+- return plen; /* Too big */
++ {
++ free(buff);
++ return plen; /* Too big */
++ }
+ *p++ = 0; /* empty name */
+ PUTSHORT(T_OPT, p);
+ PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
+--
+2.9.5
+
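Review bot: The fix repeats `free(buff);` on two separate early-return paths in add_pseudoheader, the same shape that let the original leak in; a single exit label (`goto out_free;` with `out_free: free(buff); return plen;` at the end) or, if buff is allocated before these checks as the added frees suggest, moving the allocation below them would leave one place to get right. Because the function begins before this hunk, whether any other `return plen;` sits between the allocation of buff and these two checks cannot be seen here and should be audited in the same pass. The identical patch file is added in the f27, f26 and f25 pushes below.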
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 0e99f7b..0a77cff 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -28,6 +28,7 @@ Patch3: dnsmasq-2.77-CVE-2017-14492.patch
Patch4: dnsmasq-2.77-CVE-2017-14493.patch
Patch5: dnsmasq-2.77-CVE-2017-14494.patch
Patch6: dnsmasq-2.77-CVE-2017-14496.patch
+Patch7: dnsmasq-2.77-CVE-2017-14495.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -68,6 +69,7 @@ query/remove a DHCP server's leases.
%patch4 -p1 -b .CVE-2017-14493
%patch5 -p1 -b .CVE-2017-14494
%patch6 -p1 -b .CVE-2017-14496
+%patch7 -p1 -b .CVE-2017-14495
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -160,6 +162,7 @@ rm -rf $RPM_BUILD_ROOT
- Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow
- Security fix, CVE-2017-14494, Infoleak handling DHCPv6
- Security fix, CVE-2017-14496, Integer underflow in DNS response creation
+- Security fix, CVE-2017-14495, OOM in DNS response creation
* Thu Sep 14 2017 Petr Menšík <pemensik(a)redhat.com> - 2.77-7
- Fix CVE-2017-13704
https://src.fedoraproject.org/rpms/dnsmasq/c/ce9aecdce07054e92b72e106ec30...
pemensik pushed to dnsmasq (f27). "Security fix, CVE-2017-14495,
OOM in DNS response (..more)"
From ce9aecdce07054e92b72e106ec3075a8cb16144b Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Oct 02 2017 15:08:22 +0000
Subject: Security fix, CVE-2017-14495, OOM in DNS response
creation.
Fix an out-of-memory DoS vulnerability. An attacker who can
send malicious DNS queries to dnsmasq can trigger memory
allocations in the add_pseudoheader function.
The allocated memory is never freed, which leads to a DoS
through memory exhaustion. dnsmasq is vulnerable only
if one of the following options is specified:
--add-mac, --add-cpe-id or --add-subnet.
Signed-off-by: Petr Menšík <pemensik(a)redhat.com>
---
diff --git a/dnsmasq-2.77-CVE-2017-14495.patch b/dnsmasq-2.77-CVE-2017-14495.patch
new file mode 100644
index 0000000..0f793aa
--- /dev/null
+++ b/dnsmasq-2.77-CVE-2017-14495.patch
@@ -0,0 +1,41 @@
+From 51eadb692a5123b9838e5a68ecace3ac579a3a45 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:16:50 +0100
+Subject: [PATCH 7/9] Security fix, CVE-2017-14495, OOM in DNS response
+ creation.
+
+Fix out-of-memory Dos vulnerability. An attacker which can
+send malicious DNS queries to dnsmasq can trigger memory
+allocations in the add_pseudoheader function
+The allocated memory is never freed which leads to a DoS
+through memory exhaustion. dnsmasq is vulnerable only
+if one of the following option is specified:
+--add-mac, --add-cpe-id or --add-subnet.
+---
+ src/edns0.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/edns0.c b/src/edns0.c
+index 95b74ee..89b2692 100644
+--- a/src/edns0.c
++++ b/src/edns0.c
+@@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+ !(p = skip_section(p,
+ ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
+ header, plen)))
++ {
++ free(buff);
+ return plen;
++ }
+ if (p + 11 > limit)
+- return plen; /* Too big */
++ {
++ free(buff);
++ return plen; /* Too big */
++ }
+ *p++ = 0; /* empty name */
+ PUTSHORT(T_OPT, p);
+ PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
+--
+2.9.5
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 0e99f7b..0a77cff 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -28,6 +28,7 @@ Patch3: dnsmasq-2.77-CVE-2017-14492.patch
Patch4: dnsmasq-2.77-CVE-2017-14493.patch
Patch5: dnsmasq-2.77-CVE-2017-14494.patch
Patch6: dnsmasq-2.77-CVE-2017-14496.patch
+Patch7: dnsmasq-2.77-CVE-2017-14495.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -68,6 +69,7 @@ query/remove a DHCP server's leases.
%patch4 -p1 -b .CVE-2017-14493
%patch5 -p1 -b .CVE-2017-14494
%patch6 -p1 -b .CVE-2017-14496
+%patch7 -p1 -b .CVE-2017-14495
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -160,6 +162,7 @@ rm -rf $RPM_BUILD_ROOT
- Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow
- Security fix, CVE-2017-14494, Infoleak handling DHCPv6
- Security fix, CVE-2017-14496, Integer underflow in DNS response creation
+- Security fix, CVE-2017-14495, OOM in DNS response creation
* Thu Sep 14 2017 Petr Menšík <pemensik(a)redhat.com> - 2.77-7
- Fix CVE-2017-13704
https://src.fedoraproject.org/rpms/dnsmasq/c/ce9aecdce07054e92b72e106ec30...
pemensik pushed to dnsmasq (f26). "Security fix, CVE-2017-14495,
OOM in DNS response (..more)"
From b964c11672e89522f110180b06e588d16675dc97 Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Oct 02 2017 15:37:39 +0000
Subject: Security fix, CVE-2017-14495, OOM in DNS response
creation.
Fix an out-of-memory DoS vulnerability. An attacker who can
send malicious DNS queries to dnsmasq can trigger memory
allocations in the add_pseudoheader function.
The allocated memory is never freed, which leads to a DoS
through memory exhaustion. dnsmasq is vulnerable only
if one of the following options is specified:
--add-mac, --add-cpe-id or --add-subnet.
Signed-off-by: Petr Menšík <pemensik(a)redhat.com>
---
diff --git a/dnsmasq-2.77-CVE-2017-14495.patch b/dnsmasq-2.77-CVE-2017-14495.patch
new file mode 100644
index 0000000..0f793aa
--- /dev/null
+++ b/dnsmasq-2.77-CVE-2017-14495.patch
@@ -0,0 +1,41 @@
+From 51eadb692a5123b9838e5a68ecace3ac579a3a45 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:16:50 +0100
+Subject: [PATCH 7/9] Security fix, CVE-2017-14495, OOM in DNS response
+ creation.
+
+Fix out-of-memory Dos vulnerability. An attacker which can
+send malicious DNS queries to dnsmasq can trigger memory
+allocations in the add_pseudoheader function
+The allocated memory is never freed which leads to a DoS
+through memory exhaustion. dnsmasq is vulnerable only
+if one of the following option is specified:
+--add-mac, --add-cpe-id or --add-subnet.
+---
+ src/edns0.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/edns0.c b/src/edns0.c
+index 95b74ee..89b2692 100644
+--- a/src/edns0.c
++++ b/src/edns0.c
+@@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+ !(p = skip_section(p,
+ ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
+ header, plen)))
++ {
++ free(buff);
+ return plen;
++ }
+ if (p + 11 > limit)
+- return plen; /* Too big */
++ {
++ free(buff);
++ return plen; /* Too big */
++ }
+ *p++ = 0; /* empty name */
+ PUTSHORT(T_OPT, p);
+ PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
+--
+2.9.5
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 5c46a91..4377bd8 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -30,6 +30,7 @@ Patch3: dnsmasq-2.77-CVE-2017-14492.patch
Patch4: dnsmasq-2.77-CVE-2017-14493.patch
Patch5: dnsmasq-2.77-CVE-2017-14494.patch
Patch6: dnsmasq-2.77-CVE-2017-14496.patch
+Patch7: dnsmasq-2.77-CVE-2017-14495.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -70,6 +71,7 @@ query/remove a DHCP server's leases.
%patch4 -p1 -b .CVE-2017-14493
%patch5 -p1 -b .CVE-2017-14494
%patch6 -p1 -b .CVE-2017-14496
+%patch7 -p1 -b .CVE-2017-14495
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -163,6 +165,7 @@ rm -rf $RPM_BUILD_ROOT
- Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow
- Security fix, CVE-2017-14494, Infoleak handling DHCPv6
- Security fix, CVE-2017-14496, Integer underflow in DNS response creation
+- Security fix, CVE-2017-14495, OOM in DNS response creation
* Fri Feb 10 2017 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.76-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
https://src.fedoraproject.org/rpms/dnsmasq/c/b964c11672e89522f110180b06e5...
pemensik pushed to dnsmasq (f25). "Security fix, CVE-2017-14495,
OOM in DNS response (..more)"
From c08ca60a60b64bb214288a46ad7822276b38ba4f Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Oct 02 2017 15:41:10 +0000
Subject: Security fix, CVE-2017-14495, OOM in DNS response
creation.
Fix an out-of-memory DoS vulnerability. An attacker who can
send malicious DNS queries to dnsmasq can trigger memory
allocations in the add_pseudoheader function.
The allocated memory is never freed, which leads to a DoS
through memory exhaustion. dnsmasq is vulnerable only
if one of the following options is specified:
--add-mac, --add-cpe-id or --add-subnet.
Signed-off-by: Petr Menšík <pemensik(a)redhat.com>
---
diff --git a/dnsmasq-2.77-CVE-2017-14495.patch b/dnsmasq-2.77-CVE-2017-14495.patch
new file mode 100644
index 0000000..0f793aa
--- /dev/null
+++ b/dnsmasq-2.77-CVE-2017-14495.patch
@@ -0,0 +1,41 @@
+From 51eadb692a5123b9838e5a68ecace3ac579a3a45 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:16:50 +0100
+Subject: [PATCH 7/9] Security fix, CVE-2017-14495, OOM in DNS response
+ creation.
+
+Fix out-of-memory Dos vulnerability. An attacker which can
+send malicious DNS queries to dnsmasq can trigger memory
+allocations in the add_pseudoheader function
+The allocated memory is never freed which leads to a DoS
+through memory exhaustion. dnsmasq is vulnerable only
+if one of the following option is specified:
+--add-mac, --add-cpe-id or --add-subnet.
+---
+ src/edns0.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/edns0.c b/src/edns0.c
+index 95b74ee..89b2692 100644
+--- a/src/edns0.c
++++ b/src/edns0.c
+@@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+ !(p = skip_section(p,
+ ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
+ header, plen)))
++ {
++ free(buff);
+ return plen;
++ }
+ if (p + 11 > limit)
+- return plen; /* Too big */
++ {
++ free(buff);
++ return plen; /* Too big */
++ }
+ *p++ = 0; /* empty name */
+ PUTSHORT(T_OPT, p);
+ PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
+--
+2.9.5
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 3151c8e..41c3607 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -30,6 +30,7 @@ Patch3: dnsmasq-2.77-CVE-2017-14492.patch
Patch4: dnsmasq-2.77-CVE-2017-14493.patch
Patch5: dnsmasq-2.77-CVE-2017-14494.patch
Patch6: dnsmasq-2.77-CVE-2017-14496.patch
+Patch7: dnsmasq-2.77-CVE-2017-14495.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -70,6 +71,7 @@ query/remove a DHCP server's leases.
%patch4 -p1 -b .CVE-2017-14493
%patch5 -p1 -b .CVE-2017-14494
%patch6 -p1 -b .CVE-2017-14496
+%patch7 -p1 -b .CVE-2017-14495
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -163,6 +165,7 @@ rm -rf $RPM_BUILD_ROOT
- Security fix, CVE-2017-14493, DHCPv6 - Stack buffer overflow
- Security fix, CVE-2017-14494, Infoleak handling DHCPv6
- Security fix, CVE-2017-14496, Integer underflow in DNS response creation
+- Security fix, CVE-2017-14495, OOM in DNS response creation
* Wed Oct 19 2016 Pavel Šimerda <psimerda(a)redhat.com> - 2.76-2
- Resolves: #1373485 - dns not updated after sleep and resume laptop
https://src.fedoraproject.org/rpms/dnsmasq/c/c08ca60a60b64bb214288a46ad78...
pemensik pushed to dnsmasq (master). "Listen only on lo device
(#1852373) (..more)"
Notification time stamped 2020-09-30 23:19:03 UTC
From 549005c7874cdc5f0ad66cb3a72f1fb8c910963a Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Sep 30 2020 22:51:03 +0000
Subject: Listen only on lo device (#1852373)
In the default configuration dnsmasq now accepts queries only from
localhost. Before this change it received queries on every interface of
the computer and simply dropped those arriving on the wrong interfaces.
This change makes it listen only on the specified interfaces. Queries arriving
on other interfaces receive an ICMP error right away, which makes it
easier to understand why dnsmasq is not answering them.
---
diff --git a/dnsmasq-2.81-configuration.patch b/dnsmasq-2.81-configuration.patch
index 0cf66c7..3b3cadd 100644
--- a/dnsmasq-2.81-configuration.patch
+++ b/dnsmasq-2.81-configuration.patch
@@ -1,4 +1,4 @@
-From d07d1bcdd739da00d0acb8c4561c33bc4d27a0da Mon Sep 17 00:00:00 2001
+From 3a593d133f91c5126105efd03246b3f61f103dd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Tue, 30 Jun 2020 18:06:29 +0200
Subject: [PATCH] Modify upstream configuration to safe defaults
@@ -7,11 +7,11 @@ Most important change would be to listen only on localhost. Default
configuration should not listen to request from remote hosts. Match also
user and paths to directories shipped in Fedora.
---
- dnsmasq.conf.example | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
+ dnsmasq.conf.example | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
-index bf19424..a130118 100644
+index bf19424..36fba33 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -22,7 +22,7 @@
@@ -53,7 +53,20 @@ index bf19424..a130118 100644
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
-@@ -535,7 +541,7 @@
+@@ -121,7 +127,11 @@
+ # want dnsmasq to really bind only the interfaces it is listening on,
+ # uncomment this option. About the only time you may need this is when
+ # running another nameserver on the same machine.
+-#bind-interfaces
++#
++# To listen only on localhost and do not receive packets on other
++# interfaces, bind only to lo device. Comment out to bind on single
++# wildcard socket.
++bind-interfaces
+
+ # If you don't want dnsmasq to read /etc/hosts, uncomment the
+ # following line.
+@@ -535,7 +545,7 @@
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
@@ -62,7 +75,7 @@ index bf19424..a130118 100644
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
-@@ -673,7 +679,11 @@
+@@ -673,7 +683,11 @@
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf
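Review bot: The new comment `# To listen only on localhost and do not receive packets on other interfaces, bind only to lo device.` is ungrammatical and overstates what `bind-interfaces` does by itself: the option only makes dnsmasq bind the addresses of the interfaces it already listens on, so the localhost-only behaviour still depends on an `interface=` or `listen-address=` setting elsewhere in this configuration patch, outside this hunk. Suggest `# To listen only on localhost and not receive packets on other interfaces, bind only to the lo device (together with the interface= setting). Comment out to bind a single wildcard socket instead.` It is also worth a sentence that with `bind-interfaces` addresses appearing after startup are not picked up, which matters if the interface list is ever extended beyond lo. The identical change is pushed to f33 and f32 below.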
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 6403de1..a04abaf 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -20,7 +20,7 @@
Name: dnsmasq
Version: 2.82
-Release: 2%{?extraversion:.%{extraversion}}%{?dist}
+Release: 3%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3
@@ -184,6 +184,10 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
%{_mandir}/man1/dhcp_*
%changelog
+* Wed Sep 30 2020 Petr Menšík <pemensik(a)redhat.com> - 2.82-3
+- Listen only on localhost interface, return port unreachable on all others
+ (#1852373)
+
* Mon Jul 27 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.82-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
https://src.fedoraproject.org/rpms/dnsmasq/c/549005c7874cdc5f0ad66cb3a72f...
pemensik pushed to dnsmasq (f33). "Listen only on lo device
(#1852373) (..more)"
Notification time stamped 2020-09-30 23:19:41 UTC
From 549005c7874cdc5f0ad66cb3a72f1fb8c910963a Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Sep 30 2020 22:51:03 +0000
Subject: Listen only on lo device (#1852373)
In the default configuration dnsmasq now accepts queries only from
localhost. Before this change it received queries on every interface of
the computer and simply dropped those arriving on the wrong interfaces.
This change makes it listen only on the specified interfaces. Queries arriving
on other interfaces receive an ICMP error right away, which makes it
easier to understand why dnsmasq is not answering them.
---
diff --git a/dnsmasq-2.81-configuration.patch b/dnsmasq-2.81-configuration.patch
index 0cf66c7..3b3cadd 100644
--- a/dnsmasq-2.81-configuration.patch
+++ b/dnsmasq-2.81-configuration.patch
@@ -1,4 +1,4 @@
-From d07d1bcdd739da00d0acb8c4561c33bc4d27a0da Mon Sep 17 00:00:00 2001
+From 3a593d133f91c5126105efd03246b3f61f103dd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Tue, 30 Jun 2020 18:06:29 +0200
Subject: [PATCH] Modify upstream configuration to safe defaults
@@ -7,11 +7,11 @@ Most important change would be to listen only on localhost. Default
configuration should not listen to request from remote hosts. Match also
user and paths to directories shipped in Fedora.
---
- dnsmasq.conf.example | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
+ dnsmasq.conf.example | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
-index bf19424..a130118 100644
+index bf19424..36fba33 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -22,7 +22,7 @@
@@ -53,7 +53,20 @@ index bf19424..a130118 100644
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
-@@ -535,7 +541,7 @@
+@@ -121,7 +127,11 @@
+ # want dnsmasq to really bind only the interfaces it is listening on,
+ # uncomment this option. About the only time you may need this is when
+ # running another nameserver on the same machine.
+-#bind-interfaces
++#
++# To listen only on localhost and do not receive packets on other
++# interfaces, bind only to lo device. Comment out to bind on single
++# wildcard socket.
++bind-interfaces
+
+ # If you don't want dnsmasq to read /etc/hosts, uncomment the
+ # following line.
+@@ -535,7 +545,7 @@
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
@@ -62,7 +75,7 @@ index bf19424..a130118 100644
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
-@@ -673,7 +679,11 @@
+@@ -673,7 +683,11 @@
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 6403de1..a04abaf 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -20,7 +20,7 @@
Name: dnsmasq
Version: 2.82
-Release: 2%{?extraversion:.%{extraversion}}%{?dist}
+Release: 3%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3
@@ -184,6 +184,10 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
%{_mandir}/man1/dhcp_*
%changelog
+* Wed Sep 30 2020 Petr Menšík <pemensik(a)redhat.com> - 2.82-3
+- Listen only on localhost interface, return port unreachable on all others
+ (#1852373)
+
* Mon Jul 27 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.82-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
https://src.fedoraproject.org/rpms/dnsmasq/c/549005c7874cdc5f0ad66cb3a72f...
pemensik pushed to dnsmasq (f32). "Listen only on lo device
(#1852373) (..more)"
Notification time stamped 2020-09-30 23:23:45 UTC
From c3259eefe44d1fb3788bf6aef5cd4d083ec0c7f5 Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Sep 30 2020 23:22:18 +0000
Subject: Listen only on lo device (#1852373)
In the default configuration dnsmasq now accepts queries only from
localhost. Before this change it received queries on every interface of
the computer and simply dropped those arriving on the wrong interfaces.
This change makes it listen only on the specified interfaces. Queries arriving
on other interfaces receive an ICMP error right away, which makes it
easier to understand why dnsmasq is not answering them.
(cherry picked from commit 549005c7874cdc5f0ad66cb3a72f1fb8c910963a)
---
diff --git a/dnsmasq-2.81-configuration.patch b/dnsmasq-2.81-configuration.patch
index 0cf66c7..3b3cadd 100644
--- a/dnsmasq-2.81-configuration.patch
+++ b/dnsmasq-2.81-configuration.patch
@@ -1,4 +1,4 @@
-From d07d1bcdd739da00d0acb8c4561c33bc4d27a0da Mon Sep 17 00:00:00 2001
+From 3a593d133f91c5126105efd03246b3f61f103dd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Tue, 30 Jun 2020 18:06:29 +0200
Subject: [PATCH] Modify upstream configuration to safe defaults
@@ -7,11 +7,11 @@ Most important change would be to listen only on localhost. Default
configuration should not listen to request from remote hosts. Match also
user and paths to directories shipped in Fedora.
---
- dnsmasq.conf.example | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
+ dnsmasq.conf.example | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
-index bf19424..a130118 100644
+index bf19424..36fba33 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -22,7 +22,7 @@
@@ -53,7 +53,20 @@ index bf19424..a130118 100644
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
-@@ -535,7 +541,7 @@
+@@ -121,7 +127,11 @@
+ # want dnsmasq to really bind only the interfaces it is listening on,
+ # uncomment this option. About the only time you may need this is when
+ # running another nameserver on the same machine.
+-#bind-interfaces
++#
++# To listen only on localhost and do not receive packets on other
++# interfaces, bind only to lo device. Comment out to bind on single
++# wildcard socket.
++bind-interfaces
+
+ # If you don't want dnsmasq to read /etc/hosts, uncomment the
+ # following line.
+@@ -535,7 +545,7 @@
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
@@ -62,7 +75,7 @@ index bf19424..a130118 100644
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
-@@ -673,7 +679,11 @@
+@@ -673,7 +683,11 @@
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 7bc3eb2..4fbecbc 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -20,7 +20,7 @@
Name: dnsmasq
Version: 2.81
-Release: 4%{?extraversion:.%{extraversion}}%{?dist}
+Release: 5%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3
@@ -186,6 +186,10 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
%{_mandir}/man1/dhcp_*
%changelog
+* Wed Sep 30 2020 Petr Menšík <pemensik(a)redhat.com> - 2.81-5
+- Listen only on localhost interface, return port unreachable on all others
+ (#1852373)
+
* Tue Jun 30 2020 Petr Menšík <pemensik(a)redhat.com> - 2.81-4
- Accept queries only from localhost (CVE-2020-14312)
https://src.fedoraproject.org/rpms/dnsmasq/c/c3259eefe44d1fb3788bf6aef5cd...