From 6379c5b2d4ab49a7328ce46c16db138b5724c2c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 2 Oct 2017 17:17:17 +0200
Subject: [PATCH] Security fix, CVE-2017-14491, DNS heap buffer overflow.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
Handles case when RR name is not a pointer to the question, only occurs for some auth-mode replies, therefore not detected by fuzzing (?)

Signed-off-by: Petr Menšík
---
 dnsmasq-2.77-CVE-2017-14491-2.patch | 68 +++++++++++++++++++++++++++++
 dnsmasq.spec | 2 +
 2 files changed, 70 insertions(+)
 create mode 100644 dnsmasq-2.77-CVE-2017-14491-2.patch

diff --git a/dnsmasq-2.77-CVE-2017-14491-2.patch b/dnsmasq-2.77-CVE-2017-14491-2.patch
new file mode 100644
index 0000000..31a065c
--- /dev/null
+++ b/dnsmasq-2.77-CVE-2017-14491-2.patch
@@ -0,0 +1,68 @@
+From 62cb936cb7ad5f219715515ae7d32dd281a5aa1f Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Tue, 26 Sep 2017 22:00:11 +0100
+Subject: [PATCH 10/10] Security fix, CVE-2017-14491, DNS heap buffer overflow.
+
+Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
+Handles case when RR name is not a pointer to the question,
+only occurs for some auth-mode replies, therefore not
+detected by fuzzing (?)
+---
+ src/rfc1035.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 27af023..56ab88b 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1086,32 +1086,35 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
+ 
+ va_start(ap, format); /* make ap point to 1st unamed argument */
+ 
+- /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */
+- CHECK_LIMIT(12);
+- 
+ if (nameoffset > 0)
+ {
++ CHECK_LIMIT(2);
+ PUTSHORT(nameoffset | 0xc000, p);
+ }
+ else
+ {
+ char *name = va_arg(ap, char *);
+- if (name)
+- p = do_rfc1035_name(p, name, limit);
+- if (!p)
+- {
+- va_end(ap);
+- goto truncated;
+- }
+- 
++ if (name && !(p = do_rfc1035_name(p, name, limit)))
++ {
++ va_end(ap);
++ goto truncated;
++ }
++ 
+ if (nameoffset < 0)
+ {
++ CHECK_LIMIT(2);
+ PUTSHORT(-nameoffset | 0xc000, p);
+ }
+ else
+- *p++ = 0;
++ {
++ CHECK_LIMIT(1);
++ *p++ = 0;
++ }
+ }
+ 
++ /* type (2) + class (2) + ttl (4) + rdlen (2) */
++ CHECK_LIMIT(10);
++ 
+ PUTSHORT(type, p);
+ PUTSHORT(class, p);
+ PUTLONG(ttl, p); /* TTL */
+-- 
+2.9.5
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 8cda69b..ffd75ec 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -30,6 +30,7 @@
 Patch5: dnsmasq-2.77-CVE-2017-14494.patch
 Patch6: dnsmasq-2.77-CVE-2017-14496.patch
 Patch7: dnsmasq-2.77-CVE-2017-14495.patch
 Patch8: dnsmasq-2.77-misc-cleanups.patch
+Patch9: dnsmasq-2.77-CVE-2017-14491-2.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
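Review bot: The rewritten bound now rests on two contracts the hunk does not state: `do_rfc1035_name()` must return NULL instead of writing past `limit` (the `!(p = do_rfc1035_name(p, name, limit))` test is the only overflow check on the uncompressed-name path), and `CHECK_LIMIT()` must both compare `p` against `limit` and call `va_end(ap)` before jumping to `truncated`, since the explicit name branch does both by hand; both definitions are outside the hunk, so I would pin the first one in a comment above that line, `/* do_rfc1035_name() returns NULL rather than writing past limit */`. The comment over `CHECK_LIMIT(10)` reserves two bytes for rdlen, but only type, class and ttl (8 bytes) are written before the hunk ends, so the rdlen placeholder write presumably follows below and should be checked for a stale `CHECK_LIMIT` of its own. The commit message concedes this path was not reached by fuzzing, so a regression test that builds an auth-mode reply with an uncompressed owner name sized to land within 12 bytes of `limit` would catch a reintroduction. add_resource_record() begins and ends outside the hunk.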
@@ -72,6 +73,7 @@ query/remove a DHCP server's leases.
 %patch6 -p1 -b .CVE-2017-14496
 %patch7 -p1 -b .CVE-2017-14495
 %patch8 -p1 -b .misc-cleanups
+%patch9 -p1 -b .CVE-2017-14491-2
 # use /var/lib/dnsmasq instead of /var/lib/misc
 for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
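Review bot: The spec gains only the `Patch9:` declaration and its `%patch9` application (the diffstat records exactly two insertions in dnsmasq.spec), so unless it happens in a separate commit the `Release:` tag is not bumped and no `%changelog` entry names CVE-2017-14491; a rebuild with an unchanged NEVR is not delivered as an update and leaves no record of which fix it carries. I would add a release bump and a changelog line such as `- Fix CVE-2017-14491 for uncompressed RR names in auth-mode replies (second patch)`. The `-b .CVE-2017-14491-2` backup suffix follows the convention of the earlier patches, so nothing to change there.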