From d63c7d423ae5eb8c3b12741e8a3afef4f7d889df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 24 Oct 2018 19:26:46 +0200
Subject: [PATCH] Update to dnsmasq 2.80

Fix underflow patch
---
 .gitignore | 1 +
 dnsmasq-2.77-underflow.patch | 16 +++---
 dnsmasq-2.78-fips.patch | 12 ++---
 dnsmasq-2.79-randomize-ports.patch | 18 ++++---
 dnsmasq-2.80-dnssec.patch | 73 ------------------------------
 dnsmasq.spec | 11 +++-
 sources | 2 +-
 7 files changed, 31 insertions(+), 102 deletions(-)
 delete mode 100644 dnsmasq-2.80-dnssec.patch

diff --git a/.gitignore b/.gitignore
index 1e0c820..041189e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@ dnsmasq-2.52.tar.lzma
 /dnsmasq-2.77.tar.xz
 /dnsmasq-2.78.tar.xz
 /dnsmasq-2.79.tar.xz
+/dnsmasq-2.80.tar.xz
diff --git a/dnsmasq-2.77-underflow.patch b/dnsmasq-2.77-underflow.patch
index 2e900bf..f42212e 100644
--- a/dnsmasq-2.77-underflow.patch
+++ b/dnsmasq-2.77-underflow.patch
@@ -1,4 +1,4 @@
-From c82a594d95431e8615126621397ea595eb037a6b Mon Sep 17 00:00:00 2001
+From 0ef799244732871e043d848f2f845c797f5a0745 Mon Sep 17 00:00:00 2001
 From: Doran Moppert
 Date: Tue, 26 Sep 2017 14:48:20 +0930
 Subject: [PATCH] google patch hand-applied
@@ -31,10 +31,10 @@ index af33877..ba6ff0c 100644
 free(buff);
 p += rdlen;
 diff --git a/src/forward.c b/src/forward.c
-index cdd11d3..3078f64 100644
+index 3dd8633..64af66f 100644
 --- a/src/forward.c
 +++ b/src/forward.c
-@@ -1438,6 +1438,10 @@ void receive_query(struct listener *listen, time_t now)
+@@ -1577,6 +1577,10 @@ void receive_query(struct listener *listen, time_t now)
 udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
 }
@@ -46,18 +46,18 @@ index cdd11d3..3078f64 100644
 if (auth_dns)
 {
 diff --git a/src/rfc1035.c b/src/rfc1035.c
-index b078b59..777911b 100644
+index 6290f22..a943ecb 100644
 --- a/src/rfc1035.c
+++ b/src/rfc1035.c
-@@ -1281,6 +1281,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+@@ -1292,6 +1292,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
 struct mx_srv_record *rec;
 size_t len;
 + // Make sure we do not underflow here too.
 + if (qlen > (limit - ((char *)header))) return 0;
- if (ntohs(header->ancount) != 0 ||
- ntohs(header->nscount) != 0 ||
+ /* never answer queries with RD unset, to avoid cache snooping. */
+ if (!(header->hb3 & HB3_RD) ||
 --
-2.14.3
+2.14.4
diff --git a/dnsmasq-2.78-fips.patch b/dnsmasq-2.78-fips.patch
index 011433c..1b77981 100644
--- a/dnsmasq-2.78-fips.patch
+++ b/dnsmasq-2.78-fips.patch
@@ -1,4 +1,4 @@
-From 89f57e39b69f92beacb6bad9c68d61f9c4fb0e77 Mon Sep 17 00:00:00 2001
+From 7b1cce1d0bdb61c09946978d4bdeb05a3cd4202a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
 Date: Fri, 2 Mar 2018 13:17:04 +0100
 Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
@@ -9,7 +9,7 @@ Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/src/dnsmasq.c b/src/dnsmasq.c
-index ce44809..9f6c020 100644
+index 480c5f9..5fd229e 100644
 --- a/src/dnsmasq.c
 +++ b/src/dnsmasq.c
 @@ -187,6 +187,7 @@ int main (int argc, char **argv)
 #else
 die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
 #endif
-@@ -769,7 +770,10 @@ int main (int argc, char **argv)
- }
-
- my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
+@@ -786,7 +787,10 @@ int main (int argc, char **argv)
+ my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are trusted"));
+ else
+ my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
 -
 +
 + if (access("/etc/system-fips", F_OK) == 0)
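Review bot: The subject says the underflow patch is fixed, but the `@@ -46,18 +46,18 @@` hunk of dnsmasq-2.77-underflow.patch (which starts on the previous line) only refreshes the nested hunk offset, `-@@ -1281,6 +1281,8 @@` to `+@@ -1292,6 +1292,8 @@`, and its trailing context, so the commit description should state what changed and why, e.g. "Refresh underflow patch for 2.80: the ancount/nscount context it anchored on was replaced upstream by the RD check". The guard `if (qlen > (limit - ((char *)header))) return 0;` keeps its place directly after `size_t len;` and ahead of the first `header->hb3` read in the new context, which appears to be the intent; recording that ordering requirement in the message would let the next rebase verify it. `limit - ((char *)header)` is a pointer difference compared against a `size_t`, so a negative difference would convert to a large unsigned value and pass the check; if callers guarantee `limit` lies beyond `header` that is fine, but a short comment on the nested `// Make sure we do not underflow here too.` line stating that assumption would make the check self-explaining.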
diff --git a/dnsmasq-2.79-randomize-ports.patch b/dnsmasq-2.79-randomize-ports.patch
index e37931b..0f6a815 100644
--- a/dnsmasq-2.79-randomize-ports.patch
+++ b/dnsmasq-2.79-randomize-ports.patch
@@ -1,4 +1,4 @@
-From 6899c5c5b9a32aa2ce0513b5e69356844988c64e Mon Sep 17 00:00:00 2001
+From 8455bcbe5311ee0d15bcebe494580fec8868a93a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
 Date: Thu, 9 Aug 2018 18:17:26 +0200
 Subject: [PATCH] Use OS random ports by default
@@ -13,20 +13,20 @@ separately. Would use port according to system policy.
 3 files changed, 16 insertions(+), 5 deletions(-)
 diff --git a/src/dnsmasq.c b/src/dnsmasq.c
-index 9f6c020..4cd478e 100644
+index ac5d8aa..6d51d3b 100644
 --- a/src/dnsmasq.c
 +++ b/src/dnsmasq.c
-@@ -226,7 +226,7 @@ int main (int argc, char **argv)
- die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF);
+@@ -230,7 +230,7 @@ int main (int argc, char **argv)
+ die(_("Ubus not available: set HAVE_UBUS in src/config.h"), NULL, EC_BADCONF);
 #endif
-
+
 - if (daemon->max_port < daemon->min_port)
 + if (daemon->max_port >= 0 && daemon->max_port < daemon->min_port)
 die(_("max_port cannot be smaller than min_port"), NULL, EC_BADCONF);
 now = dnsmasq_time();
 diff --git a/src/network.c b/src/network.c
-index 0381513..9747d26 100644
+index 8ae7a70..58a2819 100644
 --- a/src/network.c
 +++ b/src/network.c
 @@ -1138,18 +1138,27 @@ int random_sock(int family)
@@ -61,10 +61,10 @@ index 0381513..9747d26 100644
 if (family == AF_INET)
 {
 diff --git a/src/option.c b/src/option.c
-index d358d99..b7eaff0 100644
+index 7ccbdea..477dd52 100644
 --- a/src/option.c
 +++ b/src/option.c
-@@ -2602,6 +2602,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+@@ -2619,6 +2619,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 case LOPT_MINPORT: /* --min-port */
 if (!atoi_check16(arg, &daemon->min_port))
 ret_err(gen_err);
@@ -73,7 +73,7 @@ index d358d99..b7eaff0 100644
 break;
 case LOPT_MAXPORT: /* --max-port */
-@@ -4678,7 +4680,7 @@ void read_opts(int argc, char **argv, char *compile_opts)
+@@ -4754,7 +4756,7 @@ void read_opts(int argc, char **argv, char *compile_opts)
 daemon->soa_refresh = SOA_REFRESH;
 daemon->soa_retry = SOA_RETRY;
 daemon->soa_expiry = SOA_EXPIRY;
diff --git a/dnsmasq-2.80-dnssec.patch b/dnsmasq-2.80-dnssec.patch
deleted file mode 100644
index a34f46e..0000000
--- a/dnsmasq-2.80-dnssec.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From a997ca0da044719a0ce8a232d14da8b30022592b Mon Sep 17 00:00:00 2001
-From: Simon Kelley
-Date: Fri, 29 Jun 2018 14:39:41 +0100
-Subject: [PATCH] Fix sometimes missing DNSSEC RRs when DNSSEC validation not
- enabled.
-
-Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective
-of of having DNSSEC validation compiled in or enabled.
-
-The thing to understand here is that the cache does not store all the
-DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
-to determine the set of DNSSEC RRs required in an answer. Therefore if
-the client wants the DNSSEC RRs, the query can not be answered from
-the cache. When DNSSEC validation is enabled, any query with the
-do-bit set is never answered from the cache, unless the domain is
-known not to be signed: the query is always forwarded. This ensures
-that the DNSEC RRs are included.
-
-The same thing should be true when DNSSEC validation is not enabled,
-but there's a bug in the logic.
-
-line 1666 of src/rfc1035.c looks like this
-
- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
-
-{ ...answer from cache ... }
-
-So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
-then the query is answered, and if the domain is known not to be
-signed, the query is answered.
-
-Unfortunately, if DNSSEC validation is not turned on then the
-F_DNSSECOK bit is not valid, and it's always zero, so the question
-always gets answered from the cache, even when the do-bit is set.
-
-This code should look like that at line 1468, dealing with PTR queries
-
- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
- !do_bit ||
- (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
-
-where the F_DNSSECOK bit is only used when validation is enabled.
----
- src/rfc1035.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index ebb1f36..580f5ef 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1663,7 +1663,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
- }
-
- /* If the client asked for DNSSEC don't use cached data. */
-- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
-+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
-+ !do_bit ||
-+ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
- do
- {
- /* don't answer wildcard queries with data not from /etc/hosts
-@@ -1747,7 +1749,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
- {
- if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
- (qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
-- ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags & F_DNSSECOK)))
-+ ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
- {
- if (!(crecp->flags & F_DNSSECOK))
- sec_data = 0;
---
-2.14.4
-
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 3319fd7..4d46827 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -12,8 +12,8 @@
 %define _hardened_build 1
 Name: dnsmasq
-Version: 2.79
-Release: 8%{?extraversion:.%{extraversion}}%{?dist}
+Version: 2.80
+Release: 1%{?extraversion:.%{extraversion}}%{?dist}
 Summary: A lightweight DHCP/caching DNS server
 License: GPLv2 or GPLv3
@@ -25,8 +25,7 @@ Source2: dnsmasq-systemd-sysusers.conf
 # https://bugzilla.redhat.com/show_bug.cgi?id=1495409
 Patch1: dnsmasq-2.77-underflow.patch
 Patch3: dnsmasq-2.78-fips.patch
-Patch4: dnsmasq-2.80-dnssec.patch
-Patch5: dnsmasq-2.79-randomize-ports.patch
+Patch5: dnsmasq-2.79-randomize-ports.patch
 # This is workaround to nettle bug #1549190
 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@@ -63,7 +62,6 @@ server's leases.
 %setup -q -n %{name}-%{version}%{?extraversion}
 %patch1 -p1 -b .underflow
 %patch3 -p1 -b .fips
-%patch4 -p1 -b .dnssec
 %patch5 -p1 -b .ports
 # use /var/lib/dnsmasq instead of /var/lib/misc
@@ -165,6 +163,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man1/dhcp_*
 %changelog
+* Mon Aug 20 2018 Petr Menšík - 2.80-1
+- Update to 2.80
+
 * Thu Aug 09 2018 Petr Menšík - 2.79-8
 - Better randomize ports
diff --git a/sources b/sources
index c0990c5..fd1fa6d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (dnsmasq-2.79.tar.xz) = 2c06212696ab55e1584f6133872f5b196013509e4b1822d0457787b456e14341afdde887749e370a2e512124cb4138f012f4601b08690707be4acc7cf2f2876f
+SHA512 (dnsmasq-2.80.tar.xz) = 58e56beb553fc41311e5dc16d8b0eb3b6801e2bdfbcd0e7a6659703f08960b6ad10d48b0b14a4d727636faf35483e01597cff2ae49e7fe9fa9e214f437b1c068
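Review bot: The new %changelog entry `+* Mon Aug 20 2018 Petr Menšík - 2.80-1` in the `@@ -165,6 +163,9 @@` hunk of dnsmasq.spec carries a date two months before the commit's own `Wed, 24 Oct 2018` header, and its single bullet omits the other changes this commit makes (dropping Patch4, refreshing the underflow and randomize-ports patches). Suggest `* Wed Oct 24 2018 Petr Menšík - 2.80-1`, `- Update to 2.80`, `- Drop dnsmasq-2.80-dnssec.patch, refresh underflow and randomize-ports patches`. That the DNSSEC fix is now carried by the 2.80 tarball is inferred from the patch's name and its removal here, not shown on the page, so the bullet wording should be checked against upstream's release notes before committing.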