| Summary: | dnsmasq new security issues found by mozilla security audit | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, julien.moragny, lewyssmith, richard, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | mga5-32-ok mga5-64-ok | ||
| Source RPM: | dnsmasq-2.71-4.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 21793 | ||
| Bug Blocks: | |||
Description
David Walser
2016-10-04 15:22:10 CEST
Hello,
I didn't manage to rediff the patches properly, so I decided to update the package to the MGA6 version (2.77) and add the fix for CVE-2017-13704. The package builds (of course), installs, updates and uninstalls. The service starts and stops and seems to work as expected on MGA5 64 bits.
So here is a tentative advisory:
=======================
Updated dnsmasq packages fix security vulnerability:
An audit by Mozilla security found several vulnerabilities and potential vulnerabilities in dnsmasq:
- Uninitialized buffer leads to memory leakage
- Allocated memory is not cleared
- Unchecked return value can lead to NULL pointer dereference
- Hardcoded values in fscanf() format strings with aliased buffers
Dnsmasq could be made to crash on a large DNS query: a DNS query received by UDP which exceeds 512 bytes (or the EDNS0 packet size, if different) is enough to cause SIGSEGV. (CVE-2017-13704; bug 21793)
References:
https://bugs.mageia.org/show_bug.cgi?id=19528
https://bugs.mageia.org/show_bug.cgi?id=21793
https://wiki.mozilla.org/images/f/f7/Dnsmasq-report.pdf
https://docs.google.com/document/d/14y2kiXgB69fLBY0xuMeqc-YiZg4UDCw2xd4-mZspoP8
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011692.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TK6DWC53WSU6633EVZL7H4PCWBYHMHK/
Updated packages in core/updates_testing:
========================
dnsmasq-2.77-1.mga5
dnsmasq-base-2.77-1.mga5
dnsmasq-utils-2.77-1.mga5
from dnsmasq-2.77-1.mga5.src.rpm
regards
Julien

Assignee: julien.moragny => qa-bugs
David Walser
2017-10-02 19:51:38 CEST
Depends on: (none) => 21793

Hello,
Please disregard previous advisory.
I just pushed 2.77-1.1 to 5/core/updates_testing.
Here is a tentative advisory:
=======================
Updated dnsmasq packages fix security vulnerability:
An audit by Mozilla security found several vulnerabilities and potential vulnerabilities in dnsmasq:
- Uninitialized buffer leads to memory leakage
- Allocated memory is not cleared
- Unchecked return value can lead to NULL pointer dereference
- Hardcoded values in fscanf() format strings with aliased buffers
CVE-2017-13704: Dnsmasq could be made to crash on a large DNS query: a DNS query received by UDP which exceeds 512 bytes (or the EDNS0 packet size, if different) is enough to cause SIGSEGV. (bug 21793)
CVE-2017-14491: A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, execute arbitrary code.
CVE-2017-14492: A heap buffer overflow was discovered in dnsmasq in the IPv6 router advertisement (RA) handling code. An attacker on the local network segment could send crafted RAs to dnsmasq which would cause it to crash or, potentially, execute arbitrary code. This issue only affected configurations using one of these options: enable-ra, ra-only, slaac, ra-names, ra-advrouter, or ra-stateless.
CVE-2017-14493: A stack buffer overflow was found in dnsmasq in the DHCPv6 code. An attacker on the local network could send a crafted DHCPv6 request to dnsmasq which would cause it to crash or, potentially, execute arbitrary code.
CVE-2017-14494: An information leak was found in dnsmasq in the DHCPv6 relay code. An attacker on the local network could send crafted DHCPv6 packets to dnsmasq causing it to forward the contents of process memory, potentially leaking sensitive data.
CVE-2017-14495: A memory exhaustion flaw was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets which would trigger memory allocations which would never be freed, leading to unbounded memory consumption and eventually a crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.
CVE-2017-14496: An integer underflow flaw leading to a buffer over-read was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.
References:
https://bugs.mageia.org/show_bug.cgi?id=19528
https://bugs.mageia.org/show_bug.cgi?id=21793
https://wiki.mozilla.org/images/f/f7/Dnsmasq-report.pdf
https://docs.google.com/document/d/14y2kiXgB69fLBY0xuMeqc-YiZg4UDCw2xd4-mZspoP8
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011692.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TK6DWC53WSU6633EVZL7H4PCWBYHMHK/
https://access.redhat.com/errata/RHSA-2017:2836
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
Updated packages in core/updates_testing:
========================
dnsmasq-2.77-1.1.mga5
dnsmasq-base-2.77-1.1.mga5
dnsmasq-utils-2.77-1.1.mga5
from dnsmasq-2.77-1.1.mga5.src.rpm
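The advisory above notes that CVE-2017-14492, CVE-2017-14495 and CVE-2017-14496 only apply to configurations using particular options. As an added example (not part of the bug report or of dnsmasq), the following checker reads a dnsmasq.conf and lists which of the advisory's CVEs apply to it; the sample configuration is constructed, and treating the RA mode words as parts of a dhcp-range value follows the dnsmasq manual's syntax.

```python
"""Map a dnsmasq.conf to the CVEs from the Mageia advisory whose exposure
depends on configuration. Added example, not code from dnsmasq or Mageia."""

# Conditions exactly as the advisory states them: an empty set means every
# configuration is affected, otherwise one of the options must be enabled.
RA_OPTIONS = {"enable-ra", "ra-only", "slaac", "ra-names", "ra-advrouter", "ra-stateless"}
EDNS0_OPTIONS = {"add-mac", "add-cpe-id", "add-subnet"}
CVE_CONDITIONS = {
    "CVE-2017-14491": set(),          # heap overflow while building DNS replies
    "CVE-2017-14492": RA_OPTIONS,     # IPv6 router advertisement handling
    "CVE-2017-14493": set(),          # DHCPv6 stack overflow
    "CVE-2017-14494": set(),          # DHCPv6 relay information leak
    "CVE-2017-14495": EDNS0_OPTIONS,  # EDNS0 memory exhaustion
    "CVE-2017-14496": EDNS0_OPTIONS,  # EDNS0 integer underflow / over-read
}

def enabled_options(conf_text):
    """Return the option keywords enabled in a dnsmasq.conf text.
    Lines are 'key' or 'key=value'; '#' starts a comment. The RA mode words
    (ra-only, slaac, ra-names, ...) are also accepted as comma-separated parts
    of a dhcp-range value, which is where the dnsmasq manual places them."""
    opts = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        opts.add(key.strip())
        if key.strip() == "dhcp-range":
            opts.update(p.strip() for p in value.split(",") if p.strip() in RA_OPTIONS)
    return opts

def exposed_cves(conf_text):
    """CVEs from the advisory that apply to this configuration, sorted."""
    opts = enabled_options(conf_text)
    return sorted(cve for cve, needed in CVE_CONDITIONS.items()
                  if not needed or needed & opts)

# Constructed sample configuration (hypothetical, not from the bug report):
# one upstream resolver, router advertisements on the LAN, client subnet in EDNS0.
SAMPLE_CONF = """\
no-resolv
server=10.0.2.2          # upstream resolver
dhcp-range=::,constructor:eth0,ra-names,64
add-subnet=32,128
"""

if __name__ == "__main__":
    for cve in exposed_cves(SAMPLE_CONF):
        print(cve, "applies to this configuration")
```

A configuration with none of the listed options still reports CVE-2017-14491, -14493 and -14494, because the advisory gives no configuration condition for them.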
(In reply to Julien Moragny from comment #1)
> I didn't manage to rediff properly the patches so I decided to update the
> package to MGA6 version (2.77) and add the fix to CVE-2017-13704. The
> package build (of course), install, update, uninstall. The service start,
> stop and seems to works as expected on MGA5 64 bits.
...

Would you please author a short paragraph or two on the procedure to install and test that this package, dnsmasq, is working properly.

CC: (none) => wilcal.int

Sure, to install:
urpmi dnsmasq
(which should pull dnsmasq-base)

to start:
systemctl start dnsmasq.service
or reboot, since dnsmasq.service is started automatically at boot.

in journalctl, you should get something like that:
localhost dnsmasq[1426]: demarré, version 2.77 (taille de cache 150)
localhost dnsmasq[1426]: options à la compilation : IPv6 GNU-getopt DBus i18n ID
localhost dnsmasq[1426]: Lecture de /etc/resolv.conf
localhost dnsmasq[1426]: utilise le serveur de nom 10.0.2.2#53
localhost dnsmasq[1426]: lecture /etc/hosts - 1 adresses

which tells you that, without further configuration, dnsmasq uses resolv.conf and /etc/hosts to know where to transmit DNS requests (here, it's 10.0.2.2). It also listens on all interfaces (you can see it with netstat -atun and look at the line on port 53). You can configure your resolver in /etc/dnsmasq.conf (options server= and no-resolv).

To test if dnsmasq can resolve a name, you can use the program host from package bind-utils. In the example below, it asks the IP of mageia.org using the server on localhost (127.0.0.1, i.e. the dnsmasq we just started):
host mageia.org 127.0.0.1
which should answer something like that:
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

mageia.org has address 217.70.188.116
mageia.org mail is handled by 10 alamut.mageia.org.
mageia.org mail is handled by 20 krampouezh.mageia.org.

I don't know how to test the dhcp part of dnsmasq without a complex configuration.

regards
Julien

Hello,
All the last CVEs are fixed in the 2.78 version (with some 2.77 regression fixes). It should be interesting to update mga5 & 6 with this last version of dnsmasq.
http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

CC: (none) => richard

Installed
dnsmasq-2.77-1.1.mga5
dnsmasq-base-2.77-1.1.mga5
dnsmasq-utils-2.77-1.1.mga5
followed the instructions above and confirmed it is running in a VM. From my testing, working as designed.

CC: (none) => brtians1

mga5-64
installed three packages
restarted

# dig mageia.org @localhost

; <<>> DiG 9.10.3-P4 <<>> mageia.org @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1792
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1135 IN A 217.70.188.116

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 04 09:15:36 CDT 2017
;; MSG SIZE rcvd: 55

[root@localhost etc]#
[root@localhost etc]# nslookup debian.org localhost
Server: localhost
Address: 127.0.0.1#53

Non-authoritative answer:
Name: debian.org
Address: 128.31.0.62
Name: debian.org
Address: 5.153.231.4
Name: debian.org
Address: 130.89.148.14
Name: debian.org
Address: 149.20.4.15

I can't do the dhcp testing, but the packages are installing and running. This appears to be working as designed.

Whiteboard: mga5-32-ok => mga5-32-ok mga5-64-ok
Lewis Smith
2017-10-05 21:57:40 CEST
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0367.html

Resolution: (none) => FIXED

CVE-2019-14513 was also fixed by this update (fixed in 2.76):
https://ubuntu.com/security/notices/USN-4924-1