| Summary: | dnsmasq running as nobody creates security issue | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, julien.moragny, mageia, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | dnsmasq-2.78-4.mga7.src.rpm | CVE: | |
| Status comment: | dnsmasq should run as its own system user | | |
|
Description
David Walser
2018-03-03 19:18:08 CET

David Walser
2018-03-03 19:18:37 CET
Whiteboard: (none) => MGA6TOO

David Walser
2018-03-11 16:11:16 CET
Status comment: (none) => dnsmasq should run as its own system user

Hi,
I just pushed dnsmasq-2.80-1, which runs as user dnsmasq.
regards
julien

OK, so that leaves Mageia 6 still to be fixed.
Version: Cauldron => 6

I want to wait a little to see if no problems arise on cauldron. I will update mga6 in a week or so.
regards
julien
Julien Moragny
2018-10-21 19:03:07 CEST
Status: NEW => ASSIGNED

Hello,
I just pushed dnsmasq 2.77-1.3 to core/updates_testing for mga6, which uses a specific user for dnsmasq. I have used it for the last week on mga6 x86_64 without issue so far.

Tentative advisory:
===========================
Updated dnsmasq packages fix a security issue

Upstream dnsmasq runs as the nobody user, which could lead to a security issue if multiple services run as this same user. This update forces dnsmasq to run as its own user: dnsmasq.

References:
https://bugs.mageia.org/show_bug.cgi?id=22694
=========================
Updated packages in core/updates_testing:
=========================
dnsmasq-2.77-1.3.mga6
dnsmasq-base-2.77-1.3.mga6
dnsmasq-utils-2.77-1.3.mga6

Source RPM:
dnsmasq-2.77-1.3.mga6.src.rpm
=========================
regards
Julien
Assignee: julien.moragny => qa-bugs

Installed and tested without issues.
System: Mageia 6, x86_64, Intel CPU.
Tested DNS features (e.g. caching, local domains, blocking spam/ads/crap domains). DHCP was NOT tested.

$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep dnsmasq | sort
dnsmasq-2.77-1.3.mga6
dnsmasq-base-2.77-1.3.mga6

$ journalctl -b0 -u dnsmasq.service
-- Logs begin at Sáb 2018-10-27 12:40:38 WEST, end at Ter 2018-10-30 00:02:00 WET. --
<SNIP>
Out 29 23:56:16 marte systemd[1]: Started DNS caching server..
Out 29 23:56:16 marte dnsmasq[26493]: started, version 2.77 cachesize 150
Out 29 23:56:16 marte dnsmasq[26493]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth no-DNSSEC loop-detect inotify
Out 29 23:56:16 marte dnsmasq[26493]: using nameserver 192.168.1.1#53
Out 29 23:56:16 marte dnsmasq[26493]: read /etc/hosts - 16 addresses

CC: (none) => mageia
Advisory note, correct URL for references is in Comment 0. Thanks.

MGA6-32 MATE on IBM Thinkpad R50e
At installation required to remove bind: OK as this was only present because of a previous update test.
At CLI:
# systemctl start dnsmasq
# systemctl -l status dnsmasq
● dnsmasq.service - DNS caching server.
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
Active: active (running) since wo 2018-10-31 17:19:56 CET; 7min ago
Main PID: 18701 (dnsmasq)
CGroup: /system.slice/dnsmasq.service
└─18701 /usr/sbin/dnsmasq -k
okt 31 17:19:56 mach6.hviaene.thuis systemd[1]: Started DNS caching server..
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: started, version 2.77 cachesize 150
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: compile time options: IPv6 GNU-getopt DBus i18n ID
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: reading /etc/resolv.conf
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: using nameserver 192.168.2.1#53
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: using nameserver 212.71.0.33#53
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: read /etc/hosts - 2 addresses
and
Looks OK
Whiteboard: (none) => MGA6-32-OK

Have been using this update for a few days (see comment #5) without issues, so I'm marking it as OK for x86_64.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Thomas Andrews
2018-11-02 14:34:38 CET
Keywords: (none) => validated_update
Thomas Backlund
2018-11-03 10:42:00 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0427.html
Status: ASSIGNED => RESOLVED

And this turned out to be a broken update :/
Adding of the dnsmasq user was done in the dnsmasq package, but it should have been done in dnsmasq-base. This broke Mageia infra, which only has the dnsmasq-base package installed as part of the libvirt setup.
I've fixed it in dnsmasq-2.77-1.5.mga6, tested it on infra and flushed it out to updates, and it's syncing out... so hopefully not many users will get hit by it....
Advisory updated with the fixed srpm
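The advisory in this report gives the rationale for the change (a catch-all nobody account shared between services) and the last comment shows how the fix can be incomplete on hosts that only have dnsmasq-base installed. As an added example that is not part of the bug report or of the Mageia packages, this POSIX shell script checks both properties after the update: that the running dnsmasq process has dropped to a user that exists and that no other process shares. The function names, the constructed sample data and the uid 985 are assumptions, not values from the report.

```shell
#!/bin/sh
# Added example, not from the bug report or the Mageia packages: QA checks for
# the property this update establishes, that dnsmasq runs as a dedicated system
# user which exists and is shared with no other service. The check functions
# take text input so they can run on constructed data; live_check feeds them
# real /proc and ps output.

# effective_uid_from_status STATUS_TEXT: /proc/PID/status carries
# "Uid: real effective saved fs"; print the effective uid.
effective_uid_from_status() {
    printf '%s\n' "$1" | awk '/^Uid:/ { print $3; exit }'
}

# check_dedicated_user USER COMM LISTING: LISTING holds one "user comm" pair per
# line as printed by "ps -eo user=,comm=". Pass only if USER is not the catch-all
# nobody account and every process running as USER is COMM itself.
check_dedicated_user() {
    user=$1 comm=$2 listing=$3
    if [ "$user" = nobody ]; then
        echo "FAIL: $comm runs as nobody, an account shared with other services"
        return 1
    fi
    others=$(printf '%s\n' "$listing" | awk -v u="$user" -v c="$comm" '$1 == u && $2 != c')
    if [ -n "$others" ]; then
        printf 'FAIL: other processes also run as %s:\n%s\n' "$user" "$others"
        return 1
    fi
    echo "OK: $comm is the only process running as $user"
}

# user_exists USER: the account must exist even on hosts that have only
# dnsmasq-base installed (the subpackage split that broke the first update).
user_exists() { getent passwd "$1" >/dev/null 2>&1; }

# live_check [COMM]: run all checks against the running system (default dnsmasq).
live_check() {
    comm=${1:-dnsmasq}
    pid=$(pgrep -x "$comm" | head -n 1)
    [ -n "$pid" ] || { echo "FAIL: no $comm process running"; return 1; }
    uid=$(effective_uid_from_status "$(cat "/proc/$pid/status")")
    user=$(getent passwd "$uid" | cut -d: -f1)
    user_exists "$user" || { echo "FAIL: uid $uid has no passwd entry"; return 1; }
    check_dedicated_user "$user" "$comm" "$(ps -eo user=,comm=)"
}

# Constructed sample data (not captured from a real host) for offline runs:
# the Uid line of a /proc/PID/status file and a short "ps -eo user=,comm=" listing.
SAMPLE_STATUS='Uid:	985	985	985	985'
SAMPLE_LISTING='root systemd
dnsmasq dnsmasq
nobody httpd'
```

On a host with the update installed, `live_check` reports OK only when the dnsmasq process is the sole user of an existing dnsmasq account; a dnsmasq-base-only host without that account fails the passwd-entry check.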