| Summary: | dnsmasq new security issue CVE-2023-28450 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, julien.moragny, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | dnsmasq-2.89-1.mga9.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2023-04-06 19:26:15 CEST
David Walser
2023-04-06 19:26:25 CEST
Status comment:
(none) =>
Fixed upstream in 2.90

Hello,

an update has been pushed for cauldron last week, and for 8 some minutes ago.
Here is the tentative advisory:

Mageia 8
=======================

Updated dnsmasq packages fix security vulnerability:

CVE-2023-28450: A flaw was found in Dnsmasq. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.

References:
https://bugs.mageia.org/show_bug.cgi?id=31770
http://www.dnsflagday.net/2020/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28450
========================

Updated packages in core/updates_testing:
========================
dnsmasq-2.85-6.mga8
dnsmasq-utils-2.85-6.mga8

from dnsmasq-2.85-6.mga8.src.rpm
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I don't expect any problem with this update; other resolvers have used this configuration for years.

Test procedure:

to install: urpmi dnsmasq
to start: systemctl start dnsmasq.service
or reboot, since dnsmasq.service is started automatically at boot.

In journalctl, you should get something like this:

localhost dnsmasq[1426]: started, version 2.85 (cache size 150)
localhost dnsmasq[1426]: compile time options: IPv6 GNU-getopt DBus i18n ID
localhost dnsmasq[1426]: reading /etc/resolv.conf
localhost dnsmasq[1426]: using nameserver 10.0.2.2#53
localhost dnsmasq[1426]: read /etc/hosts - 1 addresses

which tells you that, without further configuration, dnsmasq uses resolv.conf and /etc/hosts to know where to forward DNS requests (here, to 10.0.2.2). It also listens on all interfaces (you can see it with netstat -atun and look at the lines on port 53). You can configure your resolver in /etc/dnsmasq.conf (options server= and no-resolv).

To test if dnsmasq can resolve a name, you can use the program host from the package bind-utils. In the example below, it asks for the IP of mageia.org using the server on localhost (127.0.0.1, i.e. the dnsmasq we just started):

host mageia.org 127.0.0.1

which should answer something like this:

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

mageia.org has address 217.70.188.116
mageia.org mail is handled by 10 alamut.mageia.org.
mageia.org mail is handled by 20 krampouezh.mageia.org.

I don't know how to test the dhcp part of dnsmasq without a complex configuration.

regards
Julien

Assignee:
julien.moragny =>
qa-bugs
David Walser
2023-04-19 20:21:01 CEST
Status comment:
Fixed upstream in 2.90 =>
(none)
Thomas Backlund
2023-04-19 22:41:42 CEST
Whiteboard:
MGA8TOO =>
(none)

MGA8-64 Plasma system.

Installed dnsmasq, then immediately updated using qarepo. Not entirely sure what I am doing here, so I followed Herman's lead from Bug 30318:

[root@localhost ~]# systemctl enable dnsmasq
Created symlink /etc/systemd/system/multi-user.target.wants/dnsmasq.service → /usr/lib/systemd/system/dnsmasq.service.
[root@localhost ~]# systemctl start dnsmasq
[root@localhost ~]# systemctl -l status dnsmasq
● dnsmasq.service - DNS caching server.
     Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2023-04-23 10:36:22 EDT; 3min 18s ago
   Main PID: 35402 (dnsmasq)
      Tasks: 1 (limit: 9446)
     Memory: 900.0K
        CPU: 10ms
     CGroup: /system.slice/dnsmasq.service
             └─35402 /usr/sbin/dnsmasq -k --local-service

Apr 23 10:36:22 localhost.localdomain systemd[1]: Started DNS caching server..
[root@localhost ~]# lsof | grep dnsmasq.*IPv
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
lsof: WARNING: can't stat() fuse.portal file system /run/user/1000/doc
      Output information may be incomplete.
dnsmasq   35402  dnsmasq    4u  IPv4  40543  0t0  UDP *:domain
dnsmasq   35402  dnsmasq    5u  IPv4  40544  0t0  TCP *:domain (LISTEN)
dnsmasq   35402  dnsmasq    6u  IPv6  40545  0t0  UDP *:domain
dnsmasq   35402  dnsmasq    7u  IPv6  40546  0t0  TCP *:domain (LISTEN)
[root@localhost ~]# dnsmasq --test
dnsmasq: syntax check OK.
[root@localhost ~]# netstat -atun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.116:34982     34.117.65.55:443        ESTABLISHED
tcp6       0      0 :::1716                 :::*                    LISTEN
tcp6       0      0 :::53                   :::*                    LISTEN
tcp6       0      0 :::631                  :::*                    LISTEN
tcp6       0      0 2603:7080:7a00:9d:40922 2606:4700::6810:f9f:443 ESTABLISHED
tcp6       0      0 2603:7080:7a00:9d:44824 2606:4700::6810:f8f:443 ESTABLISHED
udp        0      0 0.0.0.0:36151           0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 192.168.1.116:68        192.168.1.1:67          ESTABLISHED
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp6       0      0 :::53                   :::*
udp6       0      0 ::1:323                 :::*
udp6       0      0 :::5353                 :::*
udp6       0      0 :::34048                :::*
udp6       0      0 :::1716                 :::*
[root@localhost ~]# host mageia.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

mageia.org has address 163.172.148.228
mageia.org has IPv6 address 2001:bc8:628:1f00::1
mageia.org mail is handled by 20 neru.mageia.org.
mageia.org mail is handled by 10 sucuk.mageia.org.
[root@localhost ~]# dig mageia.org @localhost

; <<>> DiG 9.11.37Mageia-1.1.mga8 <<>> mageia.org @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64873
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1745    IN      A       163.172.148.228

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Apr 23 10:47:14 EDT 2023
;; MSG SIZE  rcvd: 55

This appears to be consistent with Herman's results, allowing for differences in our networks.

I rebooted, and the dnsmasq service was started automatically.

CC:
(none) =>
andrewsfarm

Giving this an OK, and validating. Advisory in comment 1.

Whiteboard:
(none) =>
MGA8-64-OK
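Both the test procedure in Julien's comment and the dig run in the validation report above check the same thing: after the update, the local dnsmasq advertises an EDNS0 UDP payload size of 1232 (the "udp: 1232" line in dig's OPT pseudosection) rather than the old 4096 default that CVE-2023-28450 is about. The script below is an added example and is not part of this bug report or of dnsmasq. It builds a minimal A query carrying an OPT record, sends it to a resolver (127.0.0.1 by default, assumed to be the dnsmasq just started), and reads the payload size back out of the reply's OPT record; the embedded reply is constructed, not captured, so the parser can be exercised without a network.

```python
import socket
import struct

OPT = 41              # RR type of the EDNS0 OPT pseudo-record (RFC 6891)
FLAG_DAY_MAX = 1232   # UDP payload size recommended by DNS Flag Day 2020


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns_query(name: str, udp_size: int = FLAG_DAY_MAX, txid: int = 0x1234) -> bytes:
    """Build a recursion-desired A query with one OPT record in the additional section."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, QD=1, AR=1
    question = encode_name(name) + struct.pack(">HH", 1, 1)       # type A, class IN
    # OPT RR: root owner name, TYPE=41, the CLASS field carries the UDP payload
    # size, the TTL field carries extended RCODE/version/flags (zero), RDLENGTH=0.
    opt = b"\x00" + struct.pack(">HHIH", OPT, udp_size, 0, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off`, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:    # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def edns_udp_size(msg: bytes):
    """Return the UDP payload size advertised in the message's OPT record, or None."""
    _, _, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT:
            return rclass                     # CLASS is the payload size for OPT
        off += rdlen
    return None


def complies_with_flag_day(size) -> bool:
    """True when the resolver advertises a size within the DNS Flag Day 2020 limit."""
    return size is not None and size <= FLAG_DAY_MAX


def query_udp_size(server: str = "127.0.0.1", name: str = "mageia.org", timeout: float = 3.0):
    """Send the query over UDP and return the payload size the resolver answers with."""
    query = build_edns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return edns_udp_size(reply)


# Constructed sample reply (not captured from a real server): NOERROR, one A
# record for mageia.org, plus an OPT record advertising 1232 bytes.
SAMPLE_REPLY = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + encode_name("mageia.org") + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 1745, 4) + bytes([163, 172, 148, 228])
    + b"\x00" + struct.pack(">HHIH", OPT, FLAG_DAY_MAX, 0, 0)
)

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    size = query_udp_size(server)
    print(f"{server} advertises EDNS0 UDP size {size}: "
          f"{'OK' if complies_with_flag_day(size) else 'NOT flag-day compliant'}")
```

Run it as `python3 edns_check.py 127.0.0.1` against the updated package; a pre-update dnsmasq 2.85 would report 4096 here, which is the condition the advisory fixes. The check only reads the size dnsmasq advertises; whether fragmented responses actually get through your network is a separate matter that the Flag Day page covers.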
Dave Hodgins
2023-04-23 23:55:22 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0153.html

Resolution:
(none) =>
FIXED