| Summary: | dnsmasq new security issue CVE-2022-0934 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, julien.moragny, mageia, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | dnsmasq-2.85-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2022-04-21 18:46:37 CEST
David Walser
2022-04-21 18:46:46 CEST
Whiteboard:
(none) =>
MGA8TOO

Hello,

I just pushed an update to fix this bug in cauldron (2.86-3) and update_testing/8 (2.85-2).

Can you please test and validate this update. A basic test procedure is provided below the proposed advisory but in this specific case, I'm not sure it's very useful since the bug is in the DHCP part of dnsmasq and I don't know of a simple procedure to test it.

Proposed advisory:

Mageia 8
=======================

Updated dnsmasq packages fix security vulnerability:

CVE-2022-0934: a write after free has been discovered in DHCPv6 code. A special request could be crafted to modify already freed memory.

References:
https://bugs.mageia.org/show_bug.cgi?id=30318
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016272.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0934

Updated packages in core/updates_testing:
========================
dnsmasq-2.85-2.mga8
dnsmasq-utils-2.85-2.mga8

from dnsmasq-2.85-2.mga8.src.rpm

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Test procedure:

to install: urpmi dnsmasq

to start: systemctl start dnsmasq.service
or reboot since dnsmasq.service is started automatically at boot.

in journalctl, you should get something like that:
localhost dnsmasq[1426]: demarré, version 2.85 (taille de cache 150)
localhost dnsmasq[1426]: options à la compilation : IPv6 GNU-getopt DBus i18n ID
localhost dnsmasq[1426]: Lecture de /etc/resolv.conf
localhost dnsmasq[1426]: utilise le serveur de nom 10.0.2.2#53
localhost dnsmasq[1426]: lecture /etc/hosts - 1 adresses

which tells you that, without further configuration, dnsmasq uses resolv.conf and /etc/hosts to know where to transmit DNS requests (here, it's 10.0.2.2). It also listens on all interfaces (you can see it with netstat -atun and look at the line on port 53).

You can configure your resolver in /etc/dnsmasq.conf (options server= and no-resolv)

To test if dnsmasq can resolve a name, you can use the program host from package bind-utils.
In the example below, it asks the IP of mageia.org using the server on localhost (127.0.0.1 ; i.e. the dnsmasq we just started):
host mageia.org 127.0.0.1

which should answer something like that:
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
mageia.org has address 217.70.188.116
mageia.org mail is handled by 10 alamut.mageia.org.
mageia.org mail is handled by 20 krampouezh.mageia.org.

I don't know how to test the dhcp part of dnsmasq without a complex configuration.

regards
Julien

Assignee:
julien.moragny =>
qa-bugs

Installing this update showed the following message:
"Warning: The unit file, source configuration file or drop-ins of dnsmasq.service changed on disk. Run 'systemctl daemon-reload' to reload units."
I'm not certain but I think I didn't see this message when installing a package.
I have an override for the service but it should not make a difference.
# cat /etc/systemd/system/dnsmasq.service.d/override.conf
[Unit]
Wants=network-online.target
It is easy to resolve but shouldn't the package script restart the service automatically?
System: Mageia 8, x86_64, Intel CPU.
# uname -a
Linux marte 5.15.32-desktop-1.mga8 #1 SMP Mon Mar 28 08:31:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q dnsmasq
dnsmasq-2.85-2.mga8
# systemctl status dnsmasq.service
● dnsmasq.service - DNS caching server.
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/dnsmasq.service.d
└─override.conf
Active: active (running) since Thu 2022-04-21 23:56:59 WEST; 7s ago
Main PID: 52260 (dnsmasq)
Tasks: 1 (limit: 4690)
Memory: 1.9M
CPU: 9ms
CGroup: /system.slice/dnsmasq.service
└─52260 /usr/sbin/dnsmasq -k --local-service
abr 21 23:56:59 marte systemd[1]: Started DNS caching server..
abr 21 23:57:00 marte dnsmasq[52260]: started, version 2.85 cachesize 150
abr 21 23:57:00 marte dnsmasq[52260]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile
abr 21 23:57:00 marte dnsmasq[52260]: using nameserver 192.168.1.1#53
abr 21 23:57:00 marte dnsmasq[52260]: read /etc/hosts - 15 addresses

CC:
(none) =>
mageia

The message: "Warning: The unit file, source configuration file or drop-ins of dnsmasq.service changed on disk. Run 'systemctl daemon-reload' to reload units." means exactly what it says... it's not that it needs restarted (although that should also happen here), it needs systemctl daemon-reload. That's something that should be handled automatically if the correct scriptlets are used in the package: https://wiki.mageia.org/en/System_Service_policy
Thomas Backlund
2022-04-22 16:05:39 CEST
Version:
Cauldron =>
8

MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Quoting Julien above "reboot since dnsmasq.service is started automatically at boot."
So rebooted and then:
# systemctl -l status dnsmasq
* dnsmasq.service - DNS caching server.
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
Active: inactive (dead)
But this is in line with behavior of previous updates.
Anyway, continuing following tests of bugs 29030 and 26964:
# systemctl start dnsmasq
# systemctl -l status dnsmasq
* dnsmasq.service - DNS caching server.
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2022-05-11 11:40:23 CEST; 3s ago
Main PID: 35366 (dnsmasq)
Tasks: 1 (limit: 9395)
Memory: 1.3M
CPU: 6ms
CGroup: /system.slice/dnsmasq.service
`-35366 /usr/sbin/dnsmasq -k --local-service
mei 11 11:40:23 mach5.hviaene.thuis systemd[1]: Started DNS caching server..
mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: started, version 2.85 cachesize 150
mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: DNS service limited to local subnets
mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSS>
mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: reading /etc/resolv.conf
mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: using nameserver 192.168.2.1#53
mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: using nameserver 212.71.0.33#53
mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: read /etc/hosts - 2 addresses
# lsof | grep dnsmasq.*IPv
dnsmasq 35366 dnsmasq 4u IPv4 37722 0t0 UDP *:domain
dnsmasq 35366 dnsmasq 5u IPv4 37723 0t0 TCP *:domain (LISTEN)
dnsmasq 35366 dnsmasq 6u IPv6 37724 0t0 UDP *:domain
dnsmasq 35366 dnsmasq 7u IPv6 37725 0t0 TCP *:domain (LISTEN)
# dnsmasq --test
dnsmasq: syntax check OK.
# netstat -atun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
tcp 0 0 192.168.2.5:43910 212.219.56.184:80 TIME_WAIT
tcp 0 0 192.168.2.5:58484 35.81.71.18:443 ESTABLISHED
tcp 0 0 192.168.2.5:41782 142.251.36.3:80 TIME_WAIT
tcp 0 0 192.168.2.5:43912 212.219.56.184:80 TIME_WAIT
tcp 0 0 192.168.2.5:43902 212.219.56.184:80 TIME_WAIT
tcp 0 0 192.168.2.5:42010 212.85.158.151:443 TIME_WAIT
tcp 0 0 192.168.2.5:43906 212.219.56.184:80 TIME_WAIT
tcp 0 0 192.168.2.5:43898 212.219.56.184:80 TIME_WAIT
tcp 0 0 192.168.2.5:43904 212.219.56.184:80 TIME_WAIT
tcp 0 0 192.168.2.5:43894 212.219.56.184:80 TIME_WAIT
tcp 0 0 192.168.2.5:43908 212.219.56.184:80 TIME_WAIT
tcp 0 0 192.168.2.5:43900 212.219.56.184:80 TIME_WAIT
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 :::631 :::* LISTEN
udp 0 0 0.0.0.0:36861 0.0.0.0:*
udp 0 0 0.0.0.0:53 0.0.0.0:*
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp6 0 0 :::53 :::*
udp6 0 0 ::1:323 :::*
udp6 0 0 :::5353 :::*
udp6 0 0 :::59078 :::*
# host mageia.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
mageia.org has address 163.172.148.228
mageia.org has IPv6 address 2001:bc8:628:1f00::1
mageia.org mail is handled by 20 neru.mageia.org.
mageia.org mail is handled by 10 sucuk.mageia.org.
# dig mageia.org @localhost
; <<>> DiG 9.11.37Mageia-1.mga8 <<>> mageia.org @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31833
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A
;; ANSWER SECTION:
mageia.org. 1751 IN A 163.172.148.228
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: wo mei 11 11:43:56 CEST 2022
;; MSG SIZE rcvd: 55
This all looks OK.

Whiteboard:
(none) =>
MGA8-64-OK

So it seems to work OK, but should the "correct scriptlets" issue from Comment 3 be addressed before validating?

CC:
(none) =>
andrewsfarm

Yes, Julien should look at this.

Keywords:
(none) =>
feedback

I must admit that I'm a bit puzzled by this message (that I can't reproduce at the moment) since daemon-reload is invoked at the end of the transaction when using the systemd pre|post macros like the spec is doing (see (1) & (2)) for about 5~6 years now. You can see it in the journal with the line:
systemd[1]: Reloading.

(1) https://fedoraproject.org/wiki/Changes/systemd_file_triggers
(2) https://github.com/systemd/systemd/pull/1909/commits/873e413323dfff4023604849c70944674ae5cd29

I just looked at the spec, and it's using Fedora macros for the service and not ours. See the link in Comment 3.

Which doesn't change the fact that it has worked for 5 years and that this message is bogus since daemon-reload is executed at the end of the transaction.

Anyway, xkcd#386 and all that, dnsmasq-2.85-3.mga8 is building at the moment, which reverts to standard Mageia macros.

regards
julien

Thanks. You missed the postun that's not needed with our macros. Fixed in -4.

Updated packages in core/updates_testing:
========================
dnsmasq-2.85-4.mga8
dnsmasq-utils-2.85-4.mga8

from dnsmasq-2.85-4.mga8.src.rpm

Keywords:
feedback =>
(none)

Installed the new version. I didn't see a message like mentioned in Comment 2 and 3, but the remark I made in Comment 4 still stands: the service does not run automatically after a reboot, I had to start it manually. So, all my results at the CLI are the same as in Comment 4.

Herman, I'm guessing you have the service masked. Try systemctl unmask dnsmasq.service, or removing /etc/systemd/system/dnsmasq.service

Gave as root the command systemctl unmask dnsmasq.service and rebooted. Still the same, service is inactive. As far as /etc/systemd/system/dnsmasq.service is concerned, this file is simply not there.

Installed dnsmasq in a vb guest.
As root ran "systemctl enable dnsmasq.service", and started it.
Confirmed it's running. Rebooted.
[root@x8v ~]# systemctl status dnsmasq.service
● dnsmasq.service - DNS caching server.
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2022-06-17 13:50:13 EDT; 29s ago
Main PID: 1220 (dnsmasq)
Tasks: 1 (limit: 4695)
Memory: 2.2M
CPU: 9ms
CGroup: /system.slice/dnsmasq.service
└─1220 /usr/sbin/dnsmasq -k --local-service
Jun 17 13:50:13 x8v.hodgins.homeip.net systemd[1]: Started DNS caching server..
Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: started, version 2.85 cachesize 150
Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: DNS service limited to local subnets
Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile
Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: reading /etc/resolv.conf
Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: using nameserver 192.168.10.2#53
Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: using nameserver 192.168.10.101#53
Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: read /etc/hosts - 2 addresses
[root@x8v ~]# nslookup mageia.org localhost
Server: localhost
Address: ::1#53
Non-authoritative answer:
Name: mageia.org
Address: 163.172.148.228
Name: mageia.org
Address: 2001:bc8:628:1f00::1
Herman, I suspect you forgot to enable the service.
Validating the update.

Keywords:
(none) =>
validated_update
Dave Hodgins
2022-06-18 20:58:18 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0233.html

Resolution:
(none) =>
FIXED |
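
The package and journal checks used throughout this report, combined into an offline triage helper. This is an added example, not part of the bug report or of dnsmasq; the function names are hypothetical and the sample inputs are constructed from output quoted above. It assumes Mageia 8 package naming and English-locale journal lines.

```shell
# Added example: offline triage for CVE-2022-0934 from captured command output.
# Function names are hypothetical; sample values are constructed from this report.
FIXED_VERSION="2.85"   # dnsmasq version shipped in Mageia 8
FIXED_RELEASE=2        # 2.85-2.mga8 is the first build the report lists with the fix

SAMPLE_RPM="dnsmasq-2.85-4.mga8"    # constructed `rpm -q dnsmasq` output
SAMPLE_JOURNAL='dnsmasq[1220]: started, version 2.85 cachesize 150
dnsmasq[1220]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP
dnsmasq[1220]: read /etc/hosts - 2 addresses'

# Returns 0 when the package string is at or past the fixed mga8 build, 1 when it
# is an older 2.85 build, 2 when it is not a dnsmasq 2.85 mga8 package string.
pkg_is_fixed() {
    pat='^dnsmasq-\([0-9.]*\)-\([0-9][0-9]*\)\.mga8$'
    ver=$(printf '%s\n' "$1" | sed -n "s/$pat/\1/p")
    rel=$(printf '%s\n' "$1" | sed -n "s/$pat/\2/p")
    [ "$ver" = "$FIXED_VERSION" ] && [ -n "$rel" ] || return 2
    [ "$rel" -ge "$FIXED_RELEASE" ]
}

# Returns 0 when the start-up banner lists DHCPv6, 1 when it lists no-DHCPv6,
# 2 when no English "compile time options:" line was captured.
dhcpv6_compiled_in() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*compile time options: //p' | head -n 1)
    case " $opts " in
        *" no-DHCPv6 "*) return 1 ;;
        *" DHCPv6 "*)    return 0 ;;
        *)               return 2 ;;
    esac
}

# Prints one verdict. $1 = `rpm -q dnsmasq` output, $2 = journal excerpt.
# The banner reads "version 2.85" before and after the fix, so only the
# package release separates the two.
triage() {
    rc=0; pkg_is_fixed "$1" || rc=$?
    case $rc in
        0) echo "patched"; return 0 ;;
        2) echo "unknown-package"; return 0 ;;
    esac
    rc=0; dhcpv6_compiled_in "$2" || rc=$?
    case $rc in
        0) echo "unpatched, DHCPv6 code present" ;;
        1) echo "unpatched, DHCPv6 not compiled in" ;;
        *) echo "unpatched, DHCPv6 support unknown" ;;
    esac
}

triage "$SAMPLE_RPM" "$SAMPLE_JOURNAL"
triage "dnsmasq-2.85-1.mga8" "$SAMPLE_JOURNAL"
```

Whether DHCPv6 is actually served depends on the dnsmasq configuration, which this helper does not inspect. A patched package on disk also only takes effect once the running daemon has been restarted.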