From f132a4c40bce5ad8b240e860fb6ce29814c03821 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 3 Apr 2023 16:23:51 +0200 Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232 Resolves: CVE-2023-28450 --- dnsmasq-2.89-edns0-size.patch | 45 +++++++++++++++++++++++++++++++++++ dnsmasq.spec | 8 ++++++- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 dnsmasq-2.89-edns0-size.patch diff --git a/dnsmasq-2.89-edns0-size.patch b/dnsmasq-2.89-edns0-size.patch new file mode 100644 index 0000000..ff835b2 --- /dev/null +++ b/dnsmasq-2.89-edns0-size.patch @@ -0,0 +1,45 @@ +From 9d8270be2e2b31437684f2d87add9a28a41f0c75 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 7 Mar 2023 22:07:46 +0000 +Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. + +http://www.dnsflagday.net/2020/ refers. + +Thanks to Xiang Li for the prompt. + +(cherry picked from commit eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5) +--- + man/dnsmasq.8 | 3 ++- + src/config.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index fce580f..4b0b180 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -171,7 +171,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP. + .TP + .B \-P, --edns-packet-max= + Specify the largest EDNS.0 UDP packet which is supported by the DNS +-forwarder. Defaults to 4096, which is the RFC5625-recommended size. ++forwarder. Defaults to 1232, which is the recommended size following the ++DNS flag day in 2020. Only increase if you know what you are doing. + .TP + .B \-Q, --query-port= + Send outbound DNS queries from, and listen for their replies on, the +diff --git a/src/config.h b/src/config.h +index 8c41943..62b7fa1 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -19,7 +19,7 @@ + #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ + #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ + #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ +-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ ++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ + #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */ + #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ + #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ +-- +2.39.2 + diff --git a/dnsmasq.spec b/dnsmasq.spec index 3595088..9700bc9 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -13,7 +13,7 @@ Name: dnsmasq Version: 2.79 -Release: 26%{?extraversion:.%{extraversion}}%{?dist} +Release: 27%{?extraversion:.%{extraversion}}%{?dist} Summary: A lightweight DHCP/caching DNS server License: GPLv2 or GPLv3 @@ -83,6 +83,8 @@ Patch37: dnsmasq-2.81-linux-SIOCGSTAMP.patch Patch38: dnsmasq-2.79-server-domain-fixup.patch # https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=f8c77edbdffb8ada7753ea9fa104f0f6da70cfe3 Patch39: dnsmasq-2.81-dhcpv6-relay-link-address.patch +# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 +Patch40: dnsmasq-2.89-edns0-size.patch # This is workaround to nettle bug #1549190 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190 @@ -155,6 +157,7 @@ server's leases. %patch37 -p1 -b .SIOCGSTAMP %patch38 -p1 -b .rh2120357 %patch39 -p1 -b .rh2169355 +%patch40 -p1 -b .CVE-2023-28450 # use /var/lib/dnsmasq instead of /var/lib/misc for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do @@ -254,6 +257,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf %{_mandir}/man1/dhcp_* %changelog +* Mon Apr 03 2023 Petr Menšík - 2.79-27 +- Limit offered EDNS0 size to 1232 (CVE-2023-28450) + * Wed Feb 15 2023 Petr Menšík - 2.79-26 - Avoid DHCPv6 relayed replies with Client Link-Layer Address (#2169355)