From b46d7615d29fe2830d7632fa157d610aace65abf Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 30 2018 05:13:01 +0000
Subject: import dnsmasq-2.76-7.el7
---
diff --git a/SOURCES/dnsmasq-2.76-CVE-2017-14491-2.patch b/SOURCES/dnsmasq-2.76-CVE-2017-14491-2.patch
new file mode 100644
index 0000000..3935566
--- /dev/null
+++ b/SOURCES/dnsmasq-2.76-CVE-2017-14491-2.patch
@@ -0,0 +1,68 @@
+From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Tue, 26 Sep 2017 22:00:11 +0100
+Subject: Security fix, CVE-2017-14491, DNS heap buffer overflow.
+
+Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
+Handles case when RR name is not a pointer to the question,
+only occurs for some auth-mode replies, therefore not
+detected by fuzzing (?)
+---
+ src/rfc1035.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 27af023..56ab88b 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+
+ va_start(ap, format); /* make ap point to 1st unamed argument */
+
+- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
+- CHECK_LIMIT(12);
+-
+ if (nameoffset > 0)
+ {
++ CHECK_LIMIT(2);
+ PUTSHORT(nameoffset | 0xc000, p);
+ }
+ else
+ {
+ char *name = va_arg(ap, char *);
+- if (name)
+- p = do_rfc1035_name(p, name, limit);
+- if (!p)
+- {
+- va_end(ap);
+- goto truncated;
+- }
+-
++ if (name && !(p = do_rfc1035_name(p, name, limit)))
++ {
++ va_end(ap);
++ goto truncated;
++ }
++
+ if (nameoffset < 0)
+ {
++ CHECK_LIMIT(2);
+ PUTSHORT(-nameoffset | 0xc000, p);
+ }
+ else
+- {
++ {
++ CHECK_LIMIT(1);
++ *p++ = 0;
++ }
+ }
+
++ /* type (2) + class (2) + ttl (4) + rdlen (2) */
++ CHECK_LIMIT(10);
++
+ PUTSHORT(type, p);
+ PUTSHORT(class, p);
+ PUTLONG(ttl, p); /* TTL */
+--
+2.7.4
+
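Review bot: The new per-branch checks in add_resource_record (`CHECK_LIMIT(2)` before each `PUTSHORT(... | 0xc000, p)` and `CHECK_LIMIT(1)` before `*p++ = 0`) pass bare byte counts with no comment tying each count to the write it guards. Only the trailing `CHECK_LIMIT(10)` carries that breakdown. The removed `CHECK_LIMIT(12)` ran before `do_rfc1035_name()` advanced `p`, so the literal-name path was apparently left unchecked; keeping each count next to its write makes that kind of drift easier to spot. I would add `/* 2-byte compression pointer */` on the two pointer branches and `/* 1-byte root label ending the name */` on the last one. The commit message says this path was not reached by fuzzing, so a regression test calling the function with `nameoffset == 0` and `nameoffset < 0` and `limit` placed a byte or two past `p` would be worth adding. The function continues past the hunk; the rdata writes after `PUTLONG(ttl, p)` are not visible here and should be confirmed to carry their own checks.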
diff --git a/SOURCES/dnsmasq-2.76-inotify.patch b/SOURCES/dnsmasq-2.76-inotify.patch
new file mode 100644
index 0000000..6387d3f
--- /dev/null
+++ b/SOURCES/dnsmasq-2.76-inotify.patch
@@ -0,0 +1,14 @@
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index e1d3bbd..99e5437 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -358,7 +358,8 @@ int main (int argc, char **argv)
+ }
+
+ #ifdef HAVE_INOTIFY
+- if (daemon->port != 0 || daemon->dhcp || daemon->doing_dhcp6)
++ if ((daemon->port != 0 || daemon->dhcp || daemon->doing_dhcp6)
++ && (!option_bool(OPT_NO_RESOLV) || daemon->dynamic_dirs))
+ inotify_dnsmasq_init();
+ else
+ daemon->inotifyfd = -1;
diff --git a/SPECS/dnsmasq.spec b/SPECS/dnsmasq.spec
index b312ef3..4ae8196 100644
--- a/SPECS/dnsmasq.spec
+++ b/SPECS/dnsmasq.spec
@@ -13,7 +13,7 @@ Name: dnsmasq Version: 2.76 -Release: 5%{?extraversion}%{?dist} +Release: 7%{?extraversion}%{?dist} Summary: A lightweight DHCP/caching DNS server Group: System Environment/Daemons
@@ -54,6 +54,8 @@ Patch16: dnsmasq-2.76-CVE-2017-14495.patch Patch17: dnsmasq-2.76-gita3303e196.patch Patch18: dnsmasq-2.76-underflow.patch Patch19: dnsmasq-2.76-misc-cleanups.patch +Patch20: dnsmasq-2.76-CVE-2017-14491-2.patch +Patch21: dnsmasq-2.76-inotify.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -108,6 +110,8 @@ query/remove a DHCP server's leases. %patch17 -p1 -b .gita3303e196 %patch18 -p1 -b .underflow %patch19 -p1 -b .misc +%patch20 -p1 -b .CVE-2017-14491-2 +%patch21 -p1 -b .inotify # use /var/lib/dnsmasq instead of /var/lib/misc for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -194,6 +198,12 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man1/dhcp_* %changelog +* Wed May 09 2018 Martin Sehnoutka - 2.76-7 +- Resolves: #1474515 dhcp-agent dnsmasq max files + +* Wed Sep 27 2017 Petr Menšík - 2.76-6 +- Small correction of CVE-2017-14491 + * Tue Sep 26 2017 Petr Menšík - 2.76-5 - Fix CVE-2017-14491 - Fix CVE-2017-14492
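Review bot: The widened condition in front of `inotify_dnsmasq_init()` in the src/dnsmasq.c hunk of dnsmasq-2.76-inotify.patch has no comment saying why inotify is skipped when `OPT_NO_RESOLV` is set and `daemon->dynamic_dirs` is empty. The changelog entry ("dhcp-agent dnsmasq max files") suggests the aim is to stop each instance from consuming an inotify descriptor it never uses, but that is inferred rather than stated in the code. I would put a comment above the `if`, such as `/* inotify only watches resolv files and dynamic dirs; skip it when neither exists so idle instances do not use up the per-user inotify limit */`. More configurations now reach the `daemon->inotifyfd = -1` branch, so the code that later polls or reads `inotifyfd` should be confirmed to handle -1. That code is in the rest of `main` and elsewhere, outside this hunk.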