The discussion portion tells that dnsmasq is vulnerable to an off-by-one overflow and some DNS poisoning as well. It can quickly be fixed by updating dnsmasq to version 2.21 Reproducible: Always Steps to Reproduce: n/a Actual Results: n/a Expected Results: n/a Portage 2.0.51.19 (default-linux/x86/2004.3, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.11fishsticks i686) ================================================================= System uname: 2.6.11fishsticks i686 Pentium II (Klamath) Gentoo Base System version 1.4.16 Python: dev-lang/python-2.3.4 [2.3.4 (#1, Oct 24 2004, 04:58:11)] dev-lang/python: 2.3.4 sys-devel/autoconf: 2.59-r5 sys-devel/automake: 1.8.5-r1 sys-devel/binutils: 2.14.90.0.8-r1 sys-devel/libtool: 1.5.2-r5 virtual/os-headers: 2.4.21-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-O2 -march=i686 -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X apm arts avi berkdb bitmap-fonts crypt cups emboss encode esd fam font-server foomaticdb fortran gdbm gif gnome gpm gtk gtk2 imlib ipv6 jpeg kde libg++ libwww mad mikmod motif mp3 mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl spell ssl svga tcpd tiff truetype truetype-fonts type1-fonts xml2 xmms xv zlib" Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, PORTDIR_OVERLAY
local bump to 2.21 fails with netlink errors. starting with dnsmasq-2.21 there is new code to run dnsmasq/dhcp on alias interfaces. My guess is the author was a little rushed to get the code out the door and thus it's incomplete and or not well tested. The diff -Nrup dnsmasq-2.2{0,1} is rather large so pinpointing the exact fix needed to patch 2.20 might be a little tricky.
Created attachment 54493 [details] dnsmasq-2.21.ebuild
Created attachment 54494 [details, diff] dnsmasq-2.21-nonetlink.patch patch to allow 2.21 to build. This is not the ideal fix but seeing as the rt netlink handling is new functionality I don't think were really missing out on anything.
dnsmasq-2.21 committed with upstream's netlink.c fix (the correct fix is to include types.h)
Arches please test and mark stable.
Stable on ppc.
stable on amd64 and x86
Stable on SPARC
The off-by-one affects the reading of lease files which are not under the control of a remote attacker (interestingly it was found by our own audit team). That leaves us with the DNS cache poisoning things, so this is minor... but everyone agreed it needed a GLSA anyway, so I drafted one.
The off-by-one is actually two off-by-ones per evil lease entry. This bug can be triggered by anyone on the local LAN segment who sends clientid and hostnames over a certain length. It is possible this may lead to a crash when dnsmasq restarts and parses the lease file (the bugs exist in the lease file parsing code). During my tests I never saw dnsmasq crash as a result of this, hence me not filing a bug myself.
arm/ia64/s390 done
2.22 is in the tree and has a bunch of fixes, but I've committed it as ~arch due to changes not related to 2.21 regressions. Dunno if the security folks want to go through the effort of stabilizing 2.22 (2.21 is masked)
Well, we need to have a fixed stable version for people to upgrade to. TARGET KEYWORDS="~alpha amd64 arm ~hppa ia64 mips ppc s390 ~sh sparc x86" Arches, 2.21 was regressing in some ugly cases, please test and adjust keywords on 2.22 according to TARGET KEYWORDS.
2.22 stable on sparc.
stable on amd64
~alpha keyworded.
Stable on mips.
Still missing x86 stable keyword to send GLSA avenj/uberlord/x86-herd: please test and mark stable on x86
I'd ask that Uberlord please do it, as far as I know it's stable but he's the only one I can think of offhand who can confirm the 2.21 bugs are fixed for good (his setup's much more complex than mine)
Stable on x86
*** Bug 87564 has been marked as a duplicate of this bug. ***
GLSA 200504-03