86718 2005-03-25 16:08 0000 net-dns/dnsmasq 2.21 fixes remote vulnerabilities 2005-04-04 05:24:45 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.securityfocus.com/bid/12897/info/ B4 [glsa] koon P2 minor --- 87091 1 alex00882007@gmail.com security@gentoo.org avenj@gentoo.org lucent@gmail.com uberlord@gentoo.org alex00882007@gmail.com 2005-03-25 16:08:20 0000 The discussion portion tells that dnsmasq is vulnerable to an off-by-one overflow and some DNS poisoning as well. It can quickly be fixed by updating dnsmasq to version 2.21 Reproducible: Always Steps to Reproduce: n/a Actual Results: n/a Expected Results: n/a Portage 2.0.51.19 (default-linux/x86/2004.3, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.11fishsticks i686) ================================================================= System uname: 2.6.11fishsticks i686 Pentium II (Klamath) Gentoo Base System version 1.4.16 Python: dev-lang/python-2.3.4 [2.3.4 (#1, Oct 24 2004, 04:58:11)] dev-lang/python: 2.3.4 sys-devel/autoconf: 2.59-r5 sys-devel/automake: 1.8.5-r1 sys-devel/binutils: 2.14.90.0.8-r1 sys-devel/libtool: 1.5.2-r5 virtual/os-headers: 2.4.21-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-O2 -march=i686 -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X apm arts avi berkdb bitmap-fonts crypt cups emboss encode esd fam font-server foomaticdb fortran gdbm gif gnome gpm gtk gtk2 imlib ipv6 jpeg kde libg++ libwww mad mikmod motif mp3 mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl spell ssl svga tcpd tiff truetype truetype-fonts type1-fonts xml2 xmms xv zlib" Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, PORTDIR_OVERLAY solar@gentoo.org 2005-03-25 18:54:00 0000 local bump to 2.21 fails with netlink errors. starting with dnsmasq-2.21 there is new code to run dnsmasq/dhcp on alias interfaces. My guess is the author was a little rushed to get the code out the door and thus it's incomplete and or not well tested. The diff -Nrup dnsmasq-2.2{0,1} is rather large so pinpointing the exact fix needed to patch 2.20 might be a little tricky. solar@gentoo.org 2005-03-25 19:13:40 0000 Created an attachment (id=54493) dnsmasq-2.21.ebuild solar@gentoo.org 2005-03-25 19:16:10 0000 Created an attachment (id=54494) dnsmasq-2.21-nonetlink.patch patch to allow 2.21 to build. This is not the ideal fix but seeing as the rt netlink handling is new functionality I don't think were really missing out on anything. avenj@gentoo.org 2005-03-27 03:16:10 0000 dnsmasq-2.21 committed with upstream's netlink.c fix (the correct fix is to include types.h) jaervosz@gentoo.org 2005-03-27 03:54:18 0000 Arches please test and mark stable. hansmi@gentoo.org 2005-03-27 04:11:11 0000 Stable on ppc. voxus@gentoo.org 2005-03-27 05:59:09 0000 stable on amd64 and x86 weeve@gentoo.org 2005-03-27 15:01:39 0000 Stable on SPARC koon@gentoo.org 2005-03-28 05:57:22 0000 The off-by-one affects the reading of lease files which are not under the control of a remote attacker (interestingly it was found by our own audit team). That leaves us with the DNS cache poisoning things, so this is minor... but everyone agreed it needed a GLSA anyway, so I drafted one. tigger@gentoo.org 2005-03-29 00:41:10 0000 The off-by-one is actually two off-by-ones per evil lease entry. This bug can be triggered by anyone on the local LAN segment who sends clientid and hostnames over a certain length. It is possible this may lead to a crash when dnsmasq restarts and parses the lease file (the bugs exist in the lease file parsing code). During my tests I never saw dnsmasq crash as a result of this, hence me not filing a bug myself. vapier@gentoo.org 2005-03-29 05:47:49 0000 arm/ia64/s390 done avenj@gentoo.org 2005-03-31 16:34:26 0000 2.22 is in the tree and has a bunch of fixes, but I've committed it as ~arch due to changes not related to 2.21 regressions. Dunno if the security folks want to go through the effort of stabilizing 2.22 (2.21 is masked) koon@gentoo.org 2005-04-01 00:45:23 0000 Well, we need to have a fixed stable version for people to upgrade to. TARGET KEYWORDS="~alpha amd64 arm ~hppa ia64 mips ppc s390 ~sh sparc x86" Arches, 2.21 was regressing in some ugly cases, please test and adjust keywords on 2.22 according to TARGET KEYWORDS. hansmi@gentoo.org 2005-04-01 01:05:08 0000 Stable on ppc. gustavoz@gentoo.org 2005-04-01 07:04:52 0000 2.22 stable on sparc. luckyduck@gentoo.org 2005-04-01 09:46:58 0000 stable on amd64 kloeri@gentoo.org 2005-04-03 01:48:49 0000 ~alpha keyworded. hardave@gentoo.org 2005-04-03 04:34:48 0000 Stable on mips. koon@gentoo.org 2005-04-03 05:50:35 0000 Still missing x86 stable keyword to send GLSA avenj/uberlord/x86-herd: please test and mark stable on x86 avenj@gentoo.org 2005-04-03 06:02:41 0000 I'd ask that Uberlord please do it, as far as I know it's stable but he's the only one I can think of offhand who can confirm the 2.21 bugs are fixed for good (his setup's much more complex than mine) avenj@gentoo.org 2005-04-04 02:40:42 0000 Stable on x86 avenj@gentoo.org 2005-04-04 02:41:52 0000 *** Bug 87564 has been marked as a duplicate of this bug. *** koon@gentoo.org 2005-04-04 05:24:45 0000 GLSA 200504-03 54493 2005-03-25 19:13 0000 dnsmasq-2.21.ebuild dnsmasq-2.21.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA1IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L25ldC1kbnMvZG5zbWFzcS9kbnNtYXNxLTIuMjAu ZWJ1aWxkLHYgMS4xIDIwMDUvMDEvMjUgMDA6MzI6MjQgYXZlbmogRXhwICQKCmluaGVyaXQgdG9v bGNoYWluLWZ1bmNzIGV1dGlscwoKTVlfUD0iJHtQL18vfSIKTVlfUFY9IiR7UFYvX3JjKi99IgpE RVNDUklQVElPTj0iU21hbGwgZm9yd2FyZGluZyBETlMgc2VydmVyIgpIT01FUEFHRT0iaHR0cDov L3d3dy50aGVrZWxsZXlzLm9yZy51ay9kbnNtYXNxLyIKU1JDX1VSST0iaHR0cDovL3d3dy50aGVr ZWxsZXlzLm9yZy51ay9kbnNtYXNxLyR7TVlfUH0udGFyLmd6IgoKTElDRU5TRT0iR1BMLTIiClNM T1Q9IjAiCktFWVdPUkRTPSJ+YW1kNjQgfmFybSB+aHBwYSB+aWE2NCB+bWlwcyB+cHBjIH5zMzkw IH5zaCB+c3BhcmMgfng4NiIKSVVTRT0iIgoKUkRFUEVORD0idmlydHVhbC9saWJjIgpERVBFTkQ9 IiR7UkRFUEVORH0KCT49c3lzLWFwcHMvc2VkLTQKCT49c3lzLWFwcHMvcG9ydGFnZS0yLjAuNTEi CgpTPSIke1dPUktESVJ9LyR7UE59LSR7TVlfUFZ9IgoKc3JjX3VucGFjaygpIHsKCXVucGFjayAk e0F9CgljZCAke1N9CgoJIyB0aGUgbmV0bGluayBoYW5kbGluZyBjb2RlIGluIDIuMjEgZmFpbHMg dG8gYnVpbGQgc28gd2UgZGlzYWJsZSAKCSMgdGhpcyBuZXcgZmVhdHVyZSB0aWxsIGl0J3MgaGFk IGEgY2hhbmNlIHRvIHN0YWJsaXplIHVwc3RyZWFtLgoJZXBhdGNoICR7RklMRVNESVJ9L2Ruc21h c3EtMi4yMS1ub25ldGxpbmsucGF0Y2gKfQoKc3JjX2NvbXBpbGUoKSB7CgllbWFrZSBDQz0iJCh0 Yy1nZXRDQykiIHx8IGRpZQp9CgpzcmNfaW5zdGFsbCgpIHsKCW1ha2UgXAoJCVBSRUZJWD0vdXNy IFwKCQlNQU5ESVI9L3Vzci9zaGFyZS9tYW4gXAoJCURFU1RESVI9JHtEfSBcCgkJaW5zdGFsbCB8 fCBkaWUKCWRvZG9jIENIQU5HRUxPRyBGQVEKCWRvaHRtbCAqLmh0bWwKCgluZXdpbml0ZCAke0ZJ TEVTRElSfS9kbnNtYXNxLWluaXQgZG5zbWFzcQoJbmV3Y29uZmQgJHtGSUxFU0RJUn0vZG5zbWFz cS5jb25mZCBkbnNtYXNxCglpbnNpbnRvIC9ldGMKCW5ld2lucyBkbnNtYXNxLmNvbmYuZXhhbXBs ZSBkbnNtYXNxLmNvbmYKfQo= 54494 2005-03-25 19:16 0000 dnsmasq-2.21-nonetlink.patch dnsmasq-2.21-nonetlink.patch text/plain LS0tIHNyYy9kbnNtYXNxLmgub3JpZwkyMDA1LTAzLTI1IDIyOjAwOjUzLjAwMDAwMDAwMCAtMDUw MAorKysgc3JjL2Ruc21hc3EuaAkyMDA1LTAzLTI1IDIyOjAyOjUzLjAwMDAwMDAwMCAtMDUwMApA QCAtODUsNiArODUsNyBAQAogICAgVGhpcyBtaWdodCBiZSBpbmNyZWFzZWQgaXMgRUROUyBwYWNr ZXQgc2l6ZSBpZiBncmVhdGVyIHRoYW4gdGhlIG1pbmltdW0uCiAgICBUaGUgYnVmZmVyIGlzIGFs c28gdXNlZCBmb3IgTkVUTElOSywgd2hpY2ggbmVlZHMgdG8gYmUgYWJvdXQgMjAwMAogICAgb24g c3lzdGVtcyB3aXRoIG1hbnkgaW50ZXJmYWNlcy9hZGRyZXNzZXMuICovCisjdW5kZWYgSEFWRV9S VE5FVExJTksKICNpZmRlZiBIQVZFX1JUTkVUTElOSwogIyBkZWZpbmUgRE5TTUFTUV9QQUNLRVRT WiBQQUNLRVRTWitNQVhETkFNRStSUkZJWEVEU1oKICNlbHNlCg==