Bug 282653 (CVE-2009-2957) - <net-dns/dnsmasq-2.5.0[tftp] Multiple vulnerabilities (CVE-2009-{2957,2958})
Summary: <net-dns/dnsmasq-2.5.0[tftp] Multiple vulnerabilities (CVE-2009-{2957,2958})
Status: RESOLVED FIXED
Alias: CVE-2009-2957
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.coresecurity.com/content/d...
Whiteboard: C1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-08-25 09:17 UTC by Alex Legler (RETIRED)
Modified: 2009-09-20 19:38 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
dnsmasq-CVE-2009-2957+2958.patch (2.73 KB, patch)
2009-08-25 09:30 UTC, Alex Legler (RETIRED)
no flags

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-25 09:17:38 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Simon Kelley informed us about the following issues in the dnsmasq TFTP code:

CVE-2009-2957:
A heap buffer can be overflowed by 2+strlen(tftp-prefix) bytes.
The problem is after access control, so only hosts which can do TFTP can attack, that's usually local net, not the wider internet. 
It's not clear if that's enough for an attack, but it may well be, on some platforms.

CVE-2009-2958:
DoS by NULL-pointer dereference, triggered by crafted malformed packet.

The current disclosure date is Aug 31.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-25 09:21:44 UTC
I'll attach a patch we got from upstream. Chutzpah, please prepare an ebuild that applies this patch and attach it to the bug, we can do prestabling here then.

As usual, no commits to CVS before the issue is public, please.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-25 09:30:48 UTC
Created attachment 202237 [details, diff]
dnsmasq-CVE-2009-2957+2958.patch
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-31 22:15:37 UTC
This is now public per $URL.
Adapting whiteboard.

+*dnsmasq-2.50 (31 Aug 2009)
+
+  31 Aug 2009; Alex Legler <a3li@gentoo.org> -dnsmasq-2.46.ebuild,
+  -dnsmasq-2.47.ebuild, -dnsmasq-2.49.ebuild, +dnsmasq-2.50.ebuild:
+  Non-maintainer commit: Version bump for security bug 282653. Removing
+  unneded vulnerable versions.
+
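Review bot: the ChangeLog entry has a typo ("unneded" should read "unneeded") and cites only bug 282653; naming CVE-2009-2957 and CVE-2009-2958 in the entry would let readers trace the version bump to the advisories without opening the bug.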
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-31 22:16:25 UTC
Arches, please test and mark stable:
=net-dns/dnsmasq-2.50
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-01 06:53:28 UTC
x86 stable
Comment 6 Jeroen Roovers gentoo-dev 2009-09-01 13:59:45 UTC
Stable for HPPA.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-09-02 18:42:57 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-06 09:44:04 UTC
CVE-2009-2957 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2957):
  Heap-based buffer overflow in the tftp_request function in tftp.c in
  dnsmasq before 2.50, when --enable-tftp is used, might allow remote
  attackers to execute arbitrary code via a long filename in a TFTP
  packet, as demonstrated by a read (aka RRQ) request.

CVE-2009-2958 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2958):
  The tftp_request function in tftp.c in dnsmasq before 2.50, when
  --enable-tftp is used, allows remote attackers to cause a denial of
  service (NULL pointer dereference and daemon crash) via a TFTP read
  (aka RRQ) request with a malformed blksize option.

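The description and the NVD text in Comment 8 describe two parser defects in the RRQ path: a heap copy sized for the filename but not for prefix + filename, and an option value that is dereferenced without checking it is present. The following is an added example, not dnsmasq's code or the upstream patch: a small bounds-checked RRQ parser in C that performs both checks before touching memory. PATH_CAP, TFTP_PREFIX and the packets used to exercise it are constructed for the example.

```c
#include <string.h>
#include <stdlib.h>

#define PATH_CAP 32               /* constructed: small, so the bound is easy to see */
#define TFTP_PREFIX "/tftpboot/"  /* assumption: root directory prepended to every name */

/* Start of the field after the NUL-terminated one at p; NULL if no terminator lies before end. */
static const char *next_field(const char *p, const char *end, size_t *len)
{
    const char *nul = memchr(p, '\0', (size_t)(end - p));
    if (!nul) return NULL;
    *len = (size_t)(nul - p);
    return nul + 1;
}

/* RRQ layout (RFC 1350/2348): opcode(2) | filename\0 | mode\0 | [opt\0 value\0]*
 * Writes prefix+filename into path; returns the block size (512 unless a valid
 * blksize option is present) or -1 for an oversized or malformed request. */
int parse_rrq(const char *pkt, size_t n, char *path, size_t pathcap)
{
    const char *end = pkt + n, *fname, *p, *opt, *val;
    size_t flen, len, plen = strlen(TFTP_PREFIX);
    int blksize = 512;
    if (n < 2 || pkt[0] != 0 || pkt[1] != 1) return -1;     /* opcode 1 = RRQ */
    fname = pkt + 2;
    if (!(p = next_field(fname, end, &flen))) return -1;    /* filename */
    if (!(p = next_field(p, end, &len))) return -1;         /* mode (octet/netascii) */
    /* CVE-2009-2957 class: size the copy for prefix + name + NUL, not for the
     * name alone, and check it before anything is written. */
    if (plen + flen + 1 > pathcap) return -1;
    memcpy(path, TFTP_PREFIX, plen);
    memcpy(path + plen, fname, flen + 1);
    while (p < end) {
        opt = p;
        if (!(p = next_field(opt, end, &len))) return -1;
        val = p;   /* CVE-2009-2958 class: a value field may be missing or unterminated */
        if (!(p = next_field(val, end, &len))) return -1;
        if (strcmp(opt, "blksize") == 0) {   /* RFC 2347 names are case-insensitive; strcmp kept for brevity */
            char *e; long v = strtol(val, &e, 10);
            if (e == val || *e != '\0' || v < 8 || v > 65464) return -1;  /* RFC 2348 range */
            blksize = (int)v;
        }
    }
    return blksize;
}

/* parse_rrq with a caller-owned PATH_CAP buffer; this is what the test calls. */
int check_rrq(const char *pkt, size_t n)
{ char path[PATH_CAP]; return parse_rrq(pkt, n, path, sizeof path); }
```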
Comment 9 Markus Meier gentoo-dev 2009-09-11 19:17:07 UTC
amd64 stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-09-13 12:35:37 UTC
ppc64 done
Comment 11 Wernfried Haas (RETIRED) gentoo-dev 2009-09-19 09:42:15 UTC
If it's any help, net-dns/dnsmasq-2.50 with USE="dhcp ipv6 nls tftp -dbus" builds fine on ppc here, dns and dhcp work fine too (don't know about tftp, haven't used it).
Comment 12 nixnut (RETIRED) gentoo-dev 2009-09-20 18:53:46 UTC
ppc stable. thanks amne :)
Comment 13 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-20 19:38:18 UTC
GLSA 200909-19, thanks everyone.