Bug 21793 - dnsmasq new security issues CVE-2017-13704 and CVE-2017-1449[1-6]
Summary: dnsmasq new security issues CVE-2017-13704 and CVE-2017-1449[1-6]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok mga6-32-ok
Keywords: advisory, validated_update
Depends on:
Blocks: 19528
Reported: 2017-10-01 04:55 CEST by David Walser
Modified: 2017-10-09 11:52 CEST (History)

See Also:
Source RPM: dnsmasq-2.77-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-10-01 04:55:18 CEST
Fedora has issued an advisory today (September 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TK6DWC53WSU6633EVZL7H4PCWBYHMHK/

Mageia 6 is also affected.  Mageia 5 may be as well (see also Bug 19528).
David Walser 2017-10-01 04:55:28 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Julien Moragny 2017-10-01 18:56:44 CEST
Hello QA,

I just pushed a fix for this CVE to cauldron and 6.

Here is a tentative advisory:

=======================

Updated dnsmasq packages fix security vulnerability:

Dnsmasq could be made to crash on a large DNS query.

A DNS query received by UDP which exceeds 512 bytes (or the EDNS0 packet size,
if different) is enough to cause SIGSEGV. (CVE-2017-13704)

References:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011692.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TK6DWC53WSU6633EVZL7H4PCWBYHMHK/

Updated packages in core/updates_testing:
========================
dnsmasq-2.77-1.1.mga6
dnsmasq-base-2.77-1.1.mga6
dnsmasq-utils-2.77-1.1.mga6

from dnsmasq-2.77-1.1.mga6.src.rpm


regards
Julien

Whiteboard: MGA6TOO => (none)
Assignee: julien.moragny => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => julien.moragny

David Walser 2017-10-02 19:46:55 CEST

Version: Cauldron => 6

Comment 2 David Walser 2017-10-02 19:51:23 CEST
Red Hat has issued an advisory today (October 2):
https://access.redhat.com/errata/RHSA-2017:2836

It fixes 6 more serious security issues.

Summary: dnsmasq new security issue CVE-2017-13704 => dnsmasq new security issues CVE-2017-13704 and CVE-2017-1449[1-6]
Severity: normal => critical
CC: (none) => qa-bugs
Assignee: qa-bugs => julien.moragny

David Walser 2017-10-02 19:51:38 CEST

Blocks: (none) => 19528

Comment 3 Julien Moragny 2017-10-02 22:03:44 CEST
Hello,

I just pushed 2.78 to cauldron and 2.77-1.2 to 6/updates_testing. Discussion for mga5 will be on bug 19528.

Here is a tentative advisory:

=======================

Updated dnsmasq packages fix security vulnerabilities:


CVE-2017-13704: Dnsmasq could be made to crash on a large DNS query. A DNS query received by UDP which exceeds 512 bytes (or the EDNS0 packet size, if different) is enough to cause SIGSEGV.

CVE-2017-14491: A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, execute arbitrary code.

CVE-2017-14492: A heap buffer overflow was discovered in dnsmasq in the IPv6 router advertisement (RA) handling code. An attacker on the local network segment could send crafted RAs to dnsmasq which would cause it to crash or, potentially, execute arbitrary code. This issue only affected configurations using one of these options: enable-ra, ra-only, slaac, ra-names, ra-advrouter, or ra-stateless.

CVE-2017-14493: A stack buffer overflow was found in dnsmasq in the DHCPv6 code. An attacker on the local network could send a crafted DHCPv6 request to dnsmasq which would cause it to crash or, potentially, execute arbitrary code.

CVE-2017-14494: An information leak was found in dnsmasq in the DHCPv6 relay code. An attacker on the local network could send crafted DHCPv6 packets to dnsmasq causing it to forward the contents of process memory, potentially leaking sensitive data.

CVE-2017-14495: A memory exhaustion flaw was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets which would trigger memory allocations which would never be freed, leading to unbounded memory consumption and eventually a crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.

CVE-2017-14496: An integer underflow flaw leading to a buffer over-read was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.


References:
https://bugs.mageia.org/show_bug.cgi?id=21793
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011692.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TK6DWC53WSU6633EVZL7H4PCWBYHMHK/
https://access.redhat.com/errata/RHSA-2017:2836
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html


Updated packages in core/updates_testing:
========================
dnsmasq-2.77-1.2.mga6
dnsmasq-base-2.77-1.2.mga6
dnsmasq-utils-2.77-1.2.mga6

from dnsmasq-2.77-1.2.mga6.src.rpm

Assignee: julien.moragny => qa-bugs
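Added example, not part of this bug report, the advisory, or the dnsmasq project: a Python triage helper for the seven CVEs listed in the advisory above. It reads a dnsmasq configuration and reports which issues can apply, using only the option preconditions the advisory states (the RA flags for CVE-2017-14492, and add-mac/add-cpe-id/add-subnet for CVE-2017-14495 and CVE-2017-14496; the other five are listed as applying to every configuration), and it compares an installed package NVR against the Mageia 6 fixed version 2.77-1.2.mga6. The sample configurations and the cauldron version string `2.78-1.mga7` are constructed for the example; the version comparison is a simplified rpmvercmp, and the keyword scan assumes RA flags such as ra-only or slaac appear as comma-separated dhcp-range values, which is how dnsmasq takes them.

```python
"""Triage helper: which dnsmasq CVEs from the advisory can apply to a given
configuration, and is the installed package at or past the Mageia 6 fix?

Added example, not code from the Mageia bug or from dnsmasq. The CVE-to-option
mapping is taken from the advisory text; sample inputs are constructed."""

import re

# CVE -> options that must be enabled for the issue to apply, per the advisory.
# An empty set means the advisory lists no configuration precondition.
CVE_PRECONDITIONS = {
    "CVE-2017-13704": frozenset(),  # large UDP query -> SIGSEGV
    "CVE-2017-14491": frozenset(),  # heap overflow while building DNS replies
    "CVE-2017-14492": frozenset({"enable-ra", "ra-only", "slaac", "ra-names",
                                 "ra-advrouter", "ra-stateless"}),
    "CVE-2017-14493": frozenset(),  # DHCPv6 stack buffer overflow
    "CVE-2017-14494": frozenset(),  # DHCPv6 relay information leak
    "CVE-2017-14495": frozenset({"add-mac", "add-cpe-id", "add-subnet"}),
    "CVE-2017-14496": frozenset({"add-mac", "add-cpe-id", "add-subnet"}),
}

FIXED_MGA6 = "2.77-1.2.mga6"  # version-release from the advisory above


def enabled_keywords(conf_text):
    """Collect every option name and every comma-separated value token on the
    non-comment lines of a dnsmasq.conf. Flags such as ra-only or slaac are
    given inside dhcp-range values rather than as stand-alone options, so the
    value tokens are collected as well (assumption about config layout)."""
    found = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        found.add(name.strip())
        found.update(tok.strip() for tok in value.split(",") if tok.strip())
    return found


def applicable_cves(conf_text):
    """Return the sorted list of CVEs whose preconditions the config meets."""
    keywords = enabled_keywords(conf_text)
    return sorted(cve for cve, needed in CVE_PRECONDITIONS.items()
                  if not needed or needed & keywords)


def _segments(text):
    # Simplified rpmvercmp segment key: numeric runs compare as integers and
    # rank above alphabetic runs; separators are ignored.
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", text)]


def version_release(nvr):
    """Split '2.77-1.2.mga6' into comparable (version, release) keys."""
    version, _, release = nvr.partition("-")
    return (_segments(version), _segments(release))


def is_fixed(installed, fixed=FIXED_MGA6):
    """True when the installed version-release is at or beyond the fix."""
    return version_release(installed) >= version_release(fixed)


# Constructed sample configurations (not from the bug report).
MINIMAL_CONF = """\
# resolver-only setup: no DHCP, no RA, no EDNS0 client-info options
interface=eth0
no-resolv
server=192.0.2.1
"""

FULL_CONF = """\
# router setup with DHCPv6 router advertisements and add-subnet
interface=eth0
dhcp-range=192.168.1.50,192.168.1.150,12h
dhcp-range=::,constructor:eth0,ra-names,slaac
add-subnet=32,128
"""


def report(conf_text, installed):
    """Human-readable triage for one host."""
    status = "fixed" if is_fixed(installed) else "VULNERABLE"
    lines = [f"dnsmasq {installed}: {status} relative to {FIXED_MGA6}"]
    lines += [f"  applicable: {cve}" for cve in applicable_cves(conf_text)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(MINIMAL_CONF, "2.77-1.1.mga6"))
    print(report(FULL_CONF, "2.77-1.2.mga6"))
```

On a real host the configuration would be read from /etc/dnsmasq.conf (and any conf-dir files) and the installed NVR taken from `rpm -q dnsmasq`; the helper only tells you which advisory items a configuration can be exposed to, so an unconditional item such as CVE-2017-14491 is reported for every configuration regardless of the options present.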

Comment 4 Julien Moragny 2017-10-04 21:23:50 CEST
Hello,

I wrote a procedure to test the upgrade on bug 19528 (comment 4):

https://bugs.mageia.org/show_bug.cgi?id=19528#c4

thanks
regards
Julien
Comment 5 Brian Rockwell 2017-10-06 04:35:37 CEST
Thanks Julien.

[root@localhost brian]# uname -a
Linux localhost 4.9.50-desktop-1.mga6 #1 SMP Wed Sep 13 23:14:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

The following 3 packages are going to be installed:

- dnsmasq-2.77-1.2.mga6.x86_64
- dnsmasq-base-2.77-1.2.mga6.x86_64
- dnsmasq-utils-2.77-1.2.mga6.x86_64

901KB of additional disk space will be used.

392KB of packages will be retrieved.

Is it ok to continue?

[root@localhost brian]# systemctl start dnsmasq.service 
[root@localhost brian]# ps -ef | grep dns
nobody    3195     1  0 21:21 ?        00:00:00 /usr/sbin/dnsmasq -k
root      3259  3159  0 21:22 pts/0    00:00:00 grep --color dns
[root@localhost brian]#

[root@localhost brian]# host arstechnica.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

arstechnica.com has address 50.31.169.131
arstechnica.com mail is handled by 5 alt2.aspmx.l.google.com.
arstechnica.com mail is handled by 10 alt4.aspmx.l.google.com.
arstechnica.com mail is handled by 10 alt3.aspmx.l.google.com.
arstechnica.com mail is handled by 1 aspmx.l.google.com.
arstechnica.com mail is handled by 5 alt1.aspmx.l.google.com.
[root@localhost brian]# dig arstechnica.com @localhost

; <<>> DiG 9.10.5-P2 <<>> arstechnica.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33358
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;arstechnica.com.		IN	A

;; ANSWER SECTION:
arstechnica.com.	190	IN	A	50.31.169.131

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Oct 05 21:32:28 CDT 2017
;; MSG SIZE  rcvd: 60

working as designed

CC: (none) => brtians1
Whiteboard: (none) => mga6-64-ok

Comment 6 Brian Rockwell 2017-10-06 19:11:06 CEST
[brian@localhost ~]$ uname -a
Linux localhost 4.9.50-desktop-1.mga6 #1 SMP Wed Sep 13 23:15:15 UTC 2017 i686 i686 i686 GNU/Linux

The following 3 packages are going to be installed:

- dnsmasq-2.77-1.2.mga6.i586
- dnsmasq-base-2.77-1.2.mga6.i586
- dnsmasq-utils-2.77-1.2.mga6.i586

911KB of additional disk space will be used.

396KB of packages will be retrieved.

Is it ok to continue?



[brian@localhost ~]$ ps -ef | grep dns
nobody    1257     1  0 11:28 ?        00:00:00 /usr/sbin/dnsmasq -k
brian    12767 12365  0 12:05 pts/0    00:00:00 grep --color dns
[brian@localhost ~]$ 

[brian@localhost ~]$ host mageia.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

mageia.org has address 217.70.188.116
mageia.org mail is handled by 20 krampouezh.mageia.org.
mageia.org mail is handled by 10 alamut.mageia.org.
[brian@localhost ~]$ host slashdot.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

slashdot.org has address 216.34.181.45
slashdot.org mail is handled by 10 mx.sourceforge.net.
[brian@localhost ~]$ dig mageia.org @localhost

; <<>> DiG 9.10.5-P2 <<>> mageia.org @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3148
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org.			IN	A

;; ANSWER SECTION:
mageia.org.		1739	IN	A	217.70.188.116

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Oct 06 12:08:29 CDT 2017
;; MSG SIZE  rcvd: 55

[brian@localhost ~]$ 

working as designed

Whiteboard: mga6-64-ok => mga6-64-ok mga6-32-ok

Comment 7 Lewis Smith 2017-10-08 10:46:03 CEST
Thank you Brian for testing this.
Advisory from comment 3; validating.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 8 Mageia Robot 2017-10-09 11:52:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0364.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
