232523 2008-07-20 23:22 0000 net-dns/dnsmasq <2.45 DHCP lease renewal crash (CVE-2008-3350) 2008-09-04 20:12:40 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://article.gmane.org/gmane.network.dns.dnsmasq.general/2189 B3 [glsa] P2 minor --- 1 justin@bellmor.com security@gentoo.org arm@gentoo.org chutzpah@gentoo.org s390@gentoo.org sh@gentoo.org zoltarx@o2.pl justin@bellmor.com 2008-07-20 23:22:01 0000 dnsmasq 2.43 introduced a bug where an unknown client attempts to renew a lease causing a segfault. This has potential security implications. A new version upstream (and another for other issues) have been released to resolve this. One of my clients keeps triggering this bug, so I've had to isolate it for the time being. rbu@gentoo.org 2008-07-20 23:55:42 0000 Justin, do you have a reproducer for this issue? Either a client configuration, packet dump, or similar? Patrick, can you please bump the package? justin@bellmor.com 2008-07-21 03:14:41 0000 Snipped (and MAC address masked slightly) from my syslog: Jul 20 22:53:34 ansible dnsmasq[24246]: DHCPREQUEST(eth1) 10.0.2.4 00:21:e9:44:af:XX Jul 20 22:53:34 ansible dnsmasq[24246]: DHCPNAK(eth1) 10.0.2.4 00:21:e9:44:af:XX wrong address Jul 20 22:53:37 ansible dnsmasq[24246]: segfault at 10 ip 0805d69d sp bf8cc7e8 error 4 in dnsmasq[8048000+22000] Jul 20 22:53:37 ansible dnsmasq[24246]: DHCPDISCOVER(eth1) 00:21:e9:44:af:XX Jul 20 22:53:37 ansible dnsmasq[24246]: DHCPOFFER(eth1) 10.0.0.86 00:21:e9:44:af:XX Jul 20 22:53:37 ansible dnsmasq[24246]: DHCPREQUEST(eth1) 10.0.2.4 00:21:e9:44:af:XX Jul 20 22:53:37 ansible dnsmasq[24246]: DHCPNAK(eth1) 10.0.2.4 00:21:e9:44:af:XX wrong network I setup a NAT on my MacBook Pro (OS X) for the wireless and connected my iPhone to it, it was given a lease of 10.0.2.4. Then I connected to an AP on my dnsmasq-powered network and it attempts to acquire that lease (from a network range that dnsmasq doesn't deal with). dnsmasq isn't a fan and segfaults. My iPhone seems to be the client that triggers this most often, since it hops around so many networks throughout the day. If you'd really like my config file, let me know and I'll attach an unmangled copy, but I have some public IPs in there so I'm in no rush to publicize them. If you don't mind an altered configuration, I can just mask the public IPs. chutzpah@gentoo.org 2008-07-21 04:40:49 0000 net-dns/dnsmasq-2.45 is now in the portage tree rbu@gentoo.org 2008-07-21 09:05:12 0000 Arches, please test and mark stable: =net-dns/dnsmasq-2.45 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86" chainsaw@gentoo.org 2008-07-21 11:43:49 0000 Stable AMD64 keyword for 2.45; tested on hardened Opteron 2218 and Core 2 Duo systems. corsair@gentoo.org 2008-07-21 16:38:43 0000 ppc64 stable jer@gentoo.org 2008-07-21 18:54:16 0000 Stable for HPPA. bluebird@gentoo.org 2008-07-21 20:07:10 0000 sparc stable armin76@gentoo.org 2008-07-21 20:15:59 0000 alpha/ia64/x86 stable dertobi123@gentoo.org 2008-07-22 19:54:32 0000 ppc stable rbu@gentoo.org 2008-07-24 02:23:54 0000 This issue looks similar to CVE-2008-3214, which was assigned to dnsmasq 2.25. A reproducer created by Jamie Strandboge [1] for that older version will also crash 2.43. Earlier versions are unaffected, and so is 2.44. [1] http://thread.gmane.org/gmane.comp.security.oss.general/596/focus=635 rbu@gentoo.org 2008-07-24 02:24:08 0000 GLSA vote: YES zoltarx@o2.pl 2008-07-24 04:57:07 0000 I have the same problem on gentoo hardened, and following lines in /var/log/grsec.log Jul 23 16:18:16 agryf grsec: signal 11 sent to /usr/sbin/dnsmasq[dnsmasq:25473] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 Jul 24 05:12:15 agryf grsec: From 10.103.30.100: signal 11 sent to /usr/sbin/dnsmasq[dnsmasq:28201] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 After moving to recent 2.45 version by simply renaming ebuild file :) problem seems to go away. http://freshmeat.net/projects/dnsmasq/?branch_id=1991&release_id=281597 Maybe 2.43 should be masked before 2.45 approval? rbu@gentoo.org 2008-07-24 11:17:07 0000 Filip, it does not need to be masked since a later stable version is available. You should "emerge --sync" and update to that. Marking of a vulnerable version will be done via a GLSA and your local tools. rbu@gentoo.org 2008-07-30 00:47:13 0000 CVE-2008-3350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3350): dnsmasq 2.43 allows remote attackers to cause a denial of service (daemon crash) by (1) sending a DHCPINFORM while lacking a DHCP lease, or (2) attempting to renew a nonexistent DHCP lease for an invalid subnet as an "unknown client," a different vulnerability than CVE-2008-3214. rbu@gentoo.org 2008-08-03 21:52:49 0000 I'll take the lack of an answer as a YES and filed a request together with bug 231282. rbu@gentoo.org 2008-09-04 20:12:40 0000 GLSA 200809-02