| Summary: | Update Dnsmasq to fix CVE-2023-50387 and CVE-2023-50868 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Julien Moragny <julien.moragny> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, julien.moragny, mageia, marja11, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://thekelleys.org.uk/dnsmasq/CHANGELOG | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | dnsmasq-2.90-1.mga9.src.rpm | CVE: | CVE-2023-50387 CVE-2023-50868 |
| Status comment: | | | |

Julien Moragny
2024-02-15 21:43:30 CET
CC: (none) => julien.moragny

katnatek
2024-02-16 04:24:21 CET
QA Contact: (none) => security

David Walser
2024-02-16 04:40:45 CET
Component: RPM Packages => Security

David Walser
2024-02-16 04:41:45 CET
Summary: Update Dnsmasq to fix CVE CVE-2023-50387 & CVE-2023-50868 => Update Dnsmasq to fix CVE-2023-50387 and CVE-2023-50868

Marja Van Waes
2024-02-16 22:13:49 CET
CVE: (none) => CVE-2023-50387 CVE-2023-50868

Marja Van Waes
2024-02-16 22:23:24 CET
Keywords: (none) => advisory

PC LX
2024-02-17 01:37:11 CET
CC: (none) => mageia

Thank you for the test procedure, Julien. It's very helpful.
MGA9-64 Plasma in VirtualBox. I installed dnsmasq and dnsmasq-utils, then used qarepo to get the update candidates. There were no installation issues. This particular VM had not been used in a couple of weeks, and there was a pending systemd update waiting, so a reboot was necessary.
Contrary to the above procedure, dnsmasq did not start automatically - the status of the service claimed it was disabled and "dead." After enabling and starting it, I got this:
[root@localhost ~]# systemctl status dnsmasq
● dnsmasq.service - DNS caching server.
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; preset: disabled)
Active: active (running) since Sat 2024-02-17 19:16:50 EST; 1min 15s ago
Main PID: 55292 (dnsmasq)
Tasks: 1 (limit: 4690)
Memory: 1.2M
CPU: 4ms
CGroup: /system.slice/dnsmasq.service
└─55292 /usr/sbin/dnsmasq -k --local-service
Feb 17 19:16:50 localhost.localdomain systemd[1]: Started dnsmasq.service.
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: started, version 2.90 cachesize 150
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: DNS service limited to local subnets
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset au>
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: reading /etc/resolv.conf
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: using nameserver 192.168.1.1#53
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: read /etc/hosts - 8 names
Those last messages look like those in the procedure, but following up anyway:
[root@localhost ~]# journalctl -ab | grep dnsmasq
Feb 17 19:16:50 localhost.localdomain systemd[1]: Started dnsmasq.service.
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: started, version 2.90 cachesize 150
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: DNS service limited to local subnets
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: reading /etc/resolv.conf
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: using nameserver 192.168.1.1#53
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: read /etc/hosts - 8 names
Continuing:
[root@localhost ~]# host mageia.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
mageia.org has address 163.172.148.228
mageia.org has IPv6 address 2001:bc8:710:175f:dc00:ff:fe2d:c0ff
mageia.org mail is handled by 10 sucuk.mageia.org.
mageia.org mail is handled by 20 neru.mageia.org.
Not sure why I get a different result for the mageia.org mail handlers, but it doesn't look like an error. Looks good to me otherwise. Validating the update.

Whiteboard: (none) => MGA9-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0041.html

Resolution: (none) => FIXED
Hello,

I just updated dnsmasq in mga9 to v2.90 in order to fix CVE-2023-50387 and CVE-2023-50868 along with other bugfixes (including a potential segfault). It landed in cauldron yesterday. QA, can you please test and validate this update.

Here is a tentative advisory:

===================
This updated dnsmasq package fixes security issues CVE-2023-50387 and CVE-2023-50868:

Certain DNSSEC aspects of the DNS protocol allow a remote attacker to trigger a denial of service via extreme consumption of resources caused by a DNSSEC query or response: KeyTrap - Extreme CPU consumption in DNSSEC validator. (CVE-2023-50387)

Preparing an NSEC3 closest encloser proof can exhaust CPU resources. (CVE-2023-50868)

This update also fixes issues with UDP packet size (fix already present in the Mageia package for 2.89), a possible segfault and caching.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387
https://thekelleys.org.uk/dnsmasq/CHANGELOG
========================
Updated packages in core/updates_testing:
========================
dnsmasq-2.90-1.mga9
dnsmasq-utils-2.90-1.mga9

Source RPMs:
dnsmasq-2.90-1.mga9
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Test procedure:

to install: urpmi dnsmasq

to start: systemctl start dnsmasq.service, or reboot, since dnsmasq.service is started automatically at boot.

In journalctl, you should get something like this:

localhost dnsmasq[1426]: started, version 2.85 (cache size 150)
localhost dnsmasq[1426]: compile time options: IPv6 GNU-getopt DBus i18n ID
localhost dnsmasq[1426]: reading /etc/resolv.conf
localhost dnsmasq[1426]: using nameserver 10.0.2.2#53
localhost dnsmasq[1426]: read /etc/hosts - 1 addresses

which tells you that without further configuration, dnsmasq uses resolv.conf and /etc/hosts to know where to forward DNS requests (here, it's 10.0.2.2).
It also listens on all interfaces (you can see it with netstat -atun and look at the line on port 53). You can configure your resolver in /etc/dnsmasq.conf (options server= and no-resolv).

To test whether dnsmasq can resolve a name, you can use the program host from the package bind-utils. In the example below, it asks for the IP of mageia.org using the server on localhost (127.0.0.1; i.e. the dnsmasq we just started):

host mageia.org 127.0.0.1

which should answer something like this:

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

mageia.org has address 217.70.188.116
mageia.org mail is handled by 10 alamut.mageia.org.
mageia.org mail is handled by 20 krampouezh.mageia.org.

I don't know how to test the DHCP part of dnsmasq without a complex configuration.

thanks
regards
julien
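The test procedure above tells you to look at the "started, version ..." and "compile time options: ..." lines in the journal. The script below is an added example written for this page; it is not part of the bug report, the advisory, or dnsmasq itself. It parses those two journal lines, compares the reported version against 2.90 (the version carrying the fixes for CVE-2023-50387 and CVE-2023-50868), and reports whether DNSSEC support is compiled in, since both CVEs are in the DNSSEC validator. The function names, the fixed-version constant and the two sample journal snippets are this example's own (the samples are constructed from the lines quoted in the report, the 2.89 one being invented to show the "update needed" path).

```shell
#!/bin/sh
# Added example for this bug report; not code from Mageia or from dnsmasq.
# Parses dnsmasq's journal lines and decides whether the running daemon is
# at or above the version that fixes CVE-2023-50387 / CVE-2023-50868.

FIXED_VERSION=2.90   # dnsmasq release that carries the KeyTrap/NSEC3 fixes

# dnsmasq_version TEXT: print the version from the last "started, version" line.
dnsmasq_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*dnsmasq\[[0-9]*\]: started, version \([0-9][0-9.]*\).*/\1/p' \
        | tail -n 1
}

# dnsmasq_has_dnssec TEXT: succeed when the compile-time options list DNSSEC
# (a leading space keeps "no-DNSSEC" from matching).
dnsmasq_has_dnssec() {
    printf '%s\n' "$1" | grep -Eq 'compile time options:.* DNSSEC( |$)'
}

# version_ge A B: succeed when dotted version A is numerically >= B,
# compared field by field so that 2.9 < 2.89 < 2.90 < 2.91.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=''; else b=${b#*.}; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# check_dnsmasq TEXT: print a verdict. Exit 0 = fixed, 1 = update needed,
# 2 = no dnsmasq start line in the text.
check_dnsmasq() {
    v=$(dnsmasq_version "$1")
    if [ -z "$v" ]; then
        echo "no 'started, version' line from dnsmasq found"
        return 2
    fi
    if dnsmasq_has_dnssec "$1"; then
        dnssec='DNSSEC support compiled in'
    else
        dnssec='no DNSSEC support'
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "dnsmasq $v ($dnssec): at or above $FIXED_VERSION, CVE-2023-50387/50868 fixed"
        return 0
    fi
    echo "dnsmasq $v ($dnssec): below $FIXED_VERSION, update needed"
    return 1
}

# Constructed sample: journal lines modelled on the updated host in the report.
SAMPLE_PATCHED='Feb 17 19:16:50 localhost.localdomain systemd[1]: Started dnsmasq.service.
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: started, version 2.90 cachesize 150
Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile'

# Constructed sample: a host still on the previous 2.89 package.
SAMPLE_OLD='Feb 10 08:00:00 localhost.localdomain dnsmasq[1426]: started, version 2.89 cachesize 150
Feb 10 08:00:00 localhost.localdomain dnsmasq[1426]: compile time options: IPv6 GNU-getopt DBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile'

# On a real host:  check_dnsmasq "$(journalctl -b -u dnsmasq.service --no-pager)"
check_dnsmasq "$SAMPLE_PATCHED"
check_dnsmasq "$SAMPLE_OLD" || true   # a non-zero status is the expected verdict here
```

"DNSSEC support compiled in" only means the validator code is present; dnsmasq validates only when the dnssec option is set in /etc/dnsmasq.conf, so a host that forwards without validation is not exposed to the two CVEs even on 2.89, while a validating host is. The version check is still the thing to act on, because the caching and segfault fixes in 2.90 apply regardless.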