Mozilla has published the results of a security audit of dnsmasq: https://wiki.mozilla.org/images/f/f7/Dnsmasq-report.pdf Links to the fixes are in this document: https://docs.google.com/document/d/14y2kiXgB69fLBY0xuMeqc-YiZg4UDCw2xd4-mZspoP8/edit Note that the second commit linked in that document was actually the fourth that was committed, going in chronological order (which is important, since it depends on the fourth one linked). I have added these patches in Cauldron.
Hello,

I didn't manage to rediff the patches properly, so I decided to update the package to the MGA6 version (2.77) and add the fix for CVE-2017-13704. The package builds (of course), installs, updates and uninstalls. The service starts, stops and seems to work as expected on MGA5 64 bits.

So here is a tentative advisory:
=======================
Updated dnsmasq packages fix security vulnerability:

An audit by Mozilla security found several vulnerabilities and potential vulnerabilities in dnsmasq:
- Uninitialized buffer leads to memory leakage
- Allocated memory is not cleared
- Unchecked return value can lead to NULL pointer dereference
- Hardcoded values in fscanf() format strings with aliased buffers

Dnsmasq could be made to crash on a large DNS query: A DNS query received by UDP which exceeds 512 bytes (or the EDNS0 packet size, if different) is enough to cause SIGSEGV. (CVE-2017-13704; bug 21793)

References:
https://bugs.mageia.org/show_bug.cgi?id=19528
https://bugs.mageia.org/show_bug.cgi?id=21793
https://wiki.mozilla.org/images/f/f7/Dnsmasq-report.pdf
https://docs.google.com/document/d/14y2kiXgB69fLBY0xuMeqc-YiZg4UDCw2xd4-mZspoP8
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011692.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TK6DWC53WSU6633EVZL7H4PCWBYHMHK/

Updated packages in core/updates_testing:
========================
dnsmasq-2.77-1.mga5
dnsmasq-base-2.77-1.mga5
dnsmasq-utils-2.77-1.mga5

from dnsmasq-2.77-1.mga5.src.rpm

regards
Julien
Assignee: julien.moragny => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => julien.moragny
Depends on: (none) => 21793
Hello,

Please disregard the previous advisory. I just pushed 2.77-1.1 to 5/core/updates_testing. Here is a tentative advisory:
=======================
Updated dnsmasq packages fix security vulnerability:

An audit by Mozilla security found several vulnerabilities and potential vulnerabilities in dnsmasq:
- Uninitialized buffer leads to memory leakage
- Allocated memory is not cleared
- Unchecked return value can lead to NULL pointer dereference
- Hardcoded values in fscanf() format strings with aliased buffers

CVE-2017-13704: Dnsmasq could be made to crash on a large DNS query: A DNS query received by UDP which exceeds 512 bytes (or the EDNS0 packet size, if different) is enough to cause SIGSEGV. (bug 21793)

CVE-2017-14491: A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, execute arbitrary code.

CVE-2017-14492: A heap buffer overflow was discovered in dnsmasq in the IPv6 router advertisement (RA) handling code. An attacker on the local network segment could send crafted RAs to dnsmasq which would cause it to crash or, potentially, execute arbitrary code. This issue only affected configurations using one of these options: enable-ra, ra-only, slaac, ra-names, ra-advrouter, or ra-stateless.

CVE-2017-14493: A stack buffer overflow was found in dnsmasq in the DHCPv6 code. An attacker on the local network could send a crafted DHCPv6 request to dnsmasq which would cause it to crash or, potentially, execute arbitrary code.

CVE-2017-14494: An information leak was found in dnsmasq in the DHCPv6 relay code. An attacker on the local network could send crafted DHCPv6 packets to dnsmasq causing it to forward the contents of process memory, potentially leaking sensitive data.

CVE-2017-14495: A memory exhaustion flaw was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets which would trigger memory allocations which would never be freed, leading to unbounded memory consumption and eventually a crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.

CVE-2017-14496: An integer underflow flaw leading to a buffer over-read was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.

References:
https://bugs.mageia.org/show_bug.cgi?id=19528
https://bugs.mageia.org/show_bug.cgi?id=21793
https://wiki.mozilla.org/images/f/f7/Dnsmasq-report.pdf
https://docs.google.com/document/d/14y2kiXgB69fLBY0xuMeqc-YiZg4UDCw2xd4-mZspoP8
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011692.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TK6DWC53WSU6633EVZL7H4PCWBYHMHK/
https://access.redhat.com/errata/RHSA-2017:2836
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Updated packages in core/updates_testing:
========================
dnsmasq-2.77-1.1.mga5
dnsmasq-base-2.77-1.1.mga5
dnsmasq-utils-2.77-1.1.mga5

from dnsmasq-2.77-1.1.mga5.src.rpm
(In reply to Julien Moragny from comment #1)
> I didn't manage to rediff properly the patches so I decided to update the
> package to MGA6 version (2.77) and add the fix to CVE-2017-13704. The
> package build (of course), install, update, uninstall. The service start,
> stop and seems to works as expected on MGA5 64 bits.......

Would you please author a short paragraph or two on the procedure to install and test that this package, dnsmasq, is working properly.
CC: (none) => wilcal.int
Sure, to install:

  urpmi dnsmasq

(which should pull dnsmasq-base)

To start:

  systemctl start dnsmasq.service

or reboot, since dnsmasq.service is started automatically at boot.

In journalctl, you should get something like that:

  localhost dnsmasq[1426]: demarré, version 2.77 (taille de cache 150)
  localhost dnsmasq[1426]: options à la compilation : IPv6 GNU-getopt DBus i18n ID
  localhost dnsmasq[1426]: Lecture de /etc/resolv.conf
  localhost dnsmasq[1426]: utilise le serveur de nom 10.0.2.2#53
  localhost dnsmasq[1426]: lecture /etc/hosts - 1 adresses

which tells you that, without further configuration, dnsmasq uses resolv.conf and /etc/hosts to know where to transmit DNS requests (here, it's 10.0.2.2). It also listens on all interfaces (you can see it with netstat -atun and look at the line on port 53). You can configure your resolver in /etc/dnsmasq.conf (options server= and no-resolv).

To test if dnsmasq can resolve a name, you can use the program host from package bind-utils. In the example below, it asks the IP of mageia.org using the server on localhost (127.0.0.1; i.e. the dnsmasq we just started):

  host mageia.org 127.0.0.1

which should answer something like that:

  Using domain server:
  Name: 127.0.0.1
  Address: 127.0.0.1#53
  Aliases:

  mageia.org has address 217.70.188.116
  mageia.org mail is handled by 10 alamut.mageia.org.
  mageia.org mail is handled by 20 krampouezh.mageia.org.

I don't know how to test the dhcp part of dnsmasq without a complex configuration.

regards
Julien
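A scripted version of the resolution check described above, added here as an example (it is not part of this thread and not dnsmasq's own code): it builds a DNS A query carrying an EDNS0 OPT record the way dig does, sends it over UDP to the dnsmasq instance on 127.0.0.1:53, and parses the reply, checking the transaction id and rcode before extracting the A records. The server address, query id and timeout are assumptions, and SAMPLE_RESPONSE is a constructed reply so the parser can be exercised without a running dnsmasq.

```python
import socket, struct

def build_query(name, qid, udp_size=1280):
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # id, RD flag, 1 question, 1 additional (OPT)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_size, 0, 0)  # EDNS0 OPT: root name, type 41, UDP size
    return header + qname + struct.pack(">HH", 1, 1) + opt  # QTYPE A, QCLASS IN

def _read_name(msg, off):
    # Decode a possibly compressed name; return (name, offset just past it in the message).
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            end = end if end is not None else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_a_records(msg, expect_id):
    # Return the A addresses in a reply after checking that id and rcode are what we expect.
    qid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if qid != expect_id or flags & 0x000F:
        raise ValueError("bad reply: id mismatch or rcode %d" % (flags & 0x000F))
    off, addrs = 12, []
    for _ in range(qd):  # skip the echoed question section (name + QTYPE + QCLASS)
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve(name, server="127.0.0.1", qid=0x0700):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # UDP query to dnsmasq on port 53 (assumed)
        s.settimeout(3.0)
        s.sendto(build_query(name, qid), (server, 53))
        return parse_a_records(s.recvfrom(4096)[0], qid)

# Constructed sample reply: id 1792, flags qr/rd/ra, one question, one answer mageia.org A 217.70.188.116
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x0700, 0x8180, 1, 1, 0, 0) + b"\x06mageia\x03org\x00"
                   + struct.pack(">HH", 1, 1) + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 1135, 4) + bytes([217, 70, 188, 116]))
```

Running resolve("mageia.org") against the freshly started service should return the same address that host prints; a timeout or a ValueError means dnsmasq is not answering on 127.0.0.1:53 or returned an error rcode.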
Hello,

All the latest CVEs are fixed in version 2.78 (with some 2.77 regression fixes). It would be interesting to update mga5 & 6 with this latest version of dnsmasq.

http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
CC: (none) => richard
Installed
dnsmasq-2.77-1.1.mga5
dnsmasq-base-2.77-1.1.mga5
dnsmasq-utils-2.77-1.1.mga5

followed the instructions above and confirmed it is running in a VM.

From my testing, working as designed.
CC: (none) => brtians1
Whiteboard: (none) => mga5-32-ok
mga5-64

installed three packages
restarted

# dig mageia.org @localhost

; <<>> DiG 9.10.3-P4 <<>> mageia.org @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1792
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;mageia.org.			IN	A

;; ANSWER SECTION:
mageia.org.		1135	IN	A	217.70.188.116

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 04 09:15:36 CDT 2017
;; MSG SIZE  rcvd: 55

[root@localhost etc]# nslookup debian.org localhost
Server:		localhost
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	debian.org
Address: 128.31.0.62
Name:	debian.org
Address: 5.153.231.4
Name:	debian.org
Address: 130.89.148.14
Name:	debian.org
Address: 149.20.4.15

I can't do the dhcp testing, but the packages are installing and running.
This appears to be working as designed.
Whiteboard: mga5-32-ok => mga5-32-ok mga5-64-ok
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0367.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
CVE-2019-14513 was also fixed by this update (fixed in 2.76): https://ubuntu.com/security/notices/USN-4924-1