Listen only localhost in default configuration

Require manual configuration to enable either local-service for any connected networks or interface to listen all hosts on interface.
2020-06-30 13:35:53 +02:00 · 2020-06-30 13:35:53 +02:00 · 744ba31be7
commit 744ba31be7
parent 4c831af38b
2 changed files with 85 additions and 15 deletions
--- a/dnsmasq-2.81-configuration.patch
+++ b/dnsmasq-2.81-configuration.patch
@ -0,0 +1,79 @@
+From d07d1bcdd739da00d0acb8c4561c33bc4d27a0da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 30 Jun 2020 18:06:29 +0200
+Subject: [PATCH] Modify upstream configuration to safe defaults
+
+Most important change would be to listen only on localhost. Default
+configuration should not listen to request from remote hosts. Match also
+user and paths to directories shipped in Fedora.
+---
+ dnsmasq.conf.example | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
+index bf19424..a130118 100644
+--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
+@@ -22,7 +22,7 @@
+ 
+ # Uncomment these to enable DNSSEC validation and caching:
+ # (Requires dnsmasq to be built with DNSSEC option.)
+-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#conf-file=/usr/share/dnsmasq/trust-anchors.conf
+ #dnssec
+ 
+ # Replies which are not DNSSEC signed may be legitimate, because the domain
+@@ -96,14 +96,16 @@
+ 
+ # If you want dnsmasq to change uid and gid to something other
+ # than the default, edit the following lines.
+-#user=
+-#group=
+user=dnsmasq
+group=dnsmasq
+ 
+ # If you want dnsmasq to listen for DHCP and DNS requests only on
+ # specified interfaces (and the loopback) give the name of the
+ # interface (eg eth0) here.
+ # Repeat the line for more than one interface.
+ #interface=
+# Listen only on localhost by default
+interface=lo
+ # Or you can specify which interface _not_ to listen on
+ #except-interface=
+ # Or which to listen on by address (remember to include 127.0.0.1 if
+@@ -114,6 +116,10 @@
+ # disable DHCP and TFTP on it.
+ #no-dhcp-interface=
+ 
+# Serve DNS and DHCP only to networks directly connected to this machine.
+# Any interface= line will override it.
+#local-service
+
+ # On systems which support it, dnsmasq binds the wildcard address,
+ # even when it is listening on only some interfaces. It then discards
+ # requests that it shouldn't reply to. This has the advantage of
+@@ -535,7 +541,7 @@
+ # The DHCP server needs somewhere on disk to keep its lease database.
+ # This defaults to a sane location, but if you want to change it, use
+ # the line below.
+-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
+ 
+ # Set the DHCP server to authoritative mode. In this mode it will barge in
+ # and take over the lease for any client which broadcasts on the network,
+@@ -673,7 +679,11 @@
+ # Include all files in a directory which end in .conf
+ #conf-dir=/etc/dnsmasq.d/,*.conf
+ 
+# Include all files in /etc/dnsmasq.d except RPM backup files
+conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
+
+ # If a DHCP client claims that its name is "wpad", ignore that.
+ # This fixes a security hole. see CERT Vulnerability VU#598349
+ #dhcp-name-match=set:wpad-ignore,wpad
+ #dhcp-ignore-names=tag:wpad-ignore
+
+-- 
+2.26.2
+
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@ -20,7 +20,7 @@

 Name:           dnsmasq
 Version:        2.81
-Release:        3%{?extraversion:.%{extraversion}}%{?dist}
+Release:        4%{?extraversion:.%{extraversion}}%{?dist}
 Summary:        A lightweight DHCP/caching DNS server

 License:        GPLv2 or GPLv3
@ -38,6 +38,8 @@ Source4:        http://www.thekelleys.org.uk/srkgpg.txt

 # https://bugzilla.redhat.com/show_bug.cgi?id=1495409
 Patch1:         dnsmasq-2.77-underflow.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1852373
+Patch2:         dnsmasq-2.81-configuration.patch
 Patch3:         dnsmasq-2.78-fips.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1728701
 Patch7:         dnsmasq-2.80-rh1728701.patch
@ -106,12 +108,6 @@ for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
    sed -i 's|/var/lib/misc/dnsmasq.leases|/var/lib/dnsmasq/dnsmasq.leases|g' "$file"
 done

-# fix the path to the trust anchor
-sed -i 's|%%%%PREFIX%%%%|%{_prefix}|' dnsmasq.conf.example
-
-#set dnsmasq user / group
-sed -i 's|#user=|user=dnsmasq|' dnsmasq.conf.example
-sed -i 's|#group=|group=dnsmasq|' dnsmasq.conf.example
 #set default user /group in src/config.h
 sed -i 's|#define CHUSER "nobody"|#define CHUSER "dnsmasq"|' src/config.h
 sed -i 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|' src/config.h
@ -119,14 +115,6 @@ sed -i 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|' src/config.h
 # optional parts
 sed -i 's|^COPTS[[:space:]]*=|\0 -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_DNSSEC|' Makefile

-#enable /etc/dnsmasq.d fix bz 526703, ignore RPM backup files
-cat << EOF >> dnsmasq.conf.example
-
-# Include all files in /etc/dnsmasq.d except RPM backup files
-conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
-EOF
-
-
 %build
 %make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
 %make_build -C contrib/lease-tools CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
@ -198,6 +186,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
 %{_mandir}/man1/dhcp_*

 %changelog
+* Tue Jun 30 2020 Petr Menšík <pemensik@redhat.com> - 2.81-4
+- Accept queries only from localhost (CVE-2020-14312)
+
 * Mon May 11 2020 Petr Menšík <pemensik@redhat.com> - 2.81-3
 - Correct multiple entries with the same mac address (#1834454)