Update to 2.85rc2

Fixes CVE-2021-3448 and few more regressions.
This commit is contained in:
Petr Menšík 2021-03-31 09:49:03 +02:00
parent 93943b79fb
commit f497e41434
5 changed files with 11 additions and 132 deletions

2
.gitignore vendored
View File

@ -38,3 +38,5 @@ dnsmasq-2.52.tar.lzma
/dnsmasq-2.83.tar.xz.asc /dnsmasq-2.83.tar.xz.asc
/dnsmasq-2.84.tar.xz /dnsmasq-2.84.tar.xz
/dnsmasq-2.84.tar.xz.asc /dnsmasq-2.84.tar.xz.asc
/dnsmasq-2.85rc2.tar.xz
/dnsmasq-2.85rc2.tar.xz.asc

View File

@ -1,59 +0,0 @@
From 02b6209f8085cbe3443f8623ccdc31f020825507 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 31 Jul 2019 20:35:35 +0200
Subject: [PATCH] Recent kernel no longer supports SIOCGSTAMP
Build without it defined by kernel headers. Do not try SO_TIMESTAMP
until fixed properly.
---
src/dhcp.c | 30 +++++++++++++++++-------------
1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/src/dhcp.c b/src/dhcp.c
index bea4688..13373ae 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -178,23 +178,27 @@ void dhcp_packet(time_t now, int pxe_fd)
(sz < (ssize_t)(sizeof(*mess) - sizeof(mess->options))))
return;
- #if defined (HAVE_LINUX_NETWORK)
+#if defined (HAVE_LINUX_NETWORK)
+#ifdef SIOCGSTAMP
if (ioctl(fd, SIOCGSTAMP, &tv) == 0)
recvtime = tv.tv_sec;
+#endif
if (msg.msg_controllen >= sizeof(struct cmsghdr))
- for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
- if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
- {
- union {
- unsigned char *c;
- struct in_pktinfo *p;
- } p;
- p.c = CMSG_DATA(cmptr);
- iface_index = p.p->ipi_ifindex;
- if (p.p->ipi_addr.s_addr != INADDR_BROADCAST)
- unicast_dest = 1;
- }
+ {
+ for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+ if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
+ {
+ union {
+ unsigned char *c;
+ struct in_pktinfo *p;
+ } p;
+ p.c = CMSG_DATA(cmptr);
+ iface_index = p.p->ipi_ifindex;
+ if (p.p->ipi_addr.s_addr != INADDR_BROADCAST)
+ unicast_dest = 1;
+ }
+ }
#elif defined(HAVE_BSD_NETWORK)
if (msg.msg_controllen >= sizeof(struct cmsghdr))
--
2.26.2

View File

@ -1,62 +0,0 @@
From 3d113137fd64cd0723cbecab6a36a75d3ecfb0a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Harald=20Jens=C3=A5s?= <hjensas@redhat.com>
Date: Thu, 7 May 2020 00:33:54 +0200
Subject: [PATCH 1/1] Fix regression in s_config_in_context() method
Prior to commit 137286e9baecf6a3ba97722ef1b49c851b531810
a config would not be considered in context if:
a) it has no address family flags set
b) it has the address family flag of current context set
Since above commit config is considered in context if the
address family is the opposite of current context.
The result is that a config with two dhcp-host records,
one for IPv6 and another for IPv4 no longer works, for
example with the below config the config with the IPv6
address would be considered in context for a DHCP(v4)
request.
dhcp-host=52:54:00:bc:c3:fd,172.20.0.11,host2
dhcp-host=52:54:00:bc:c3:fd,[fd12:3456:789a:1::aadd],host2
This commit restores the previous behavior.
---
src/dhcp-common.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/dhcp-common.c b/src/dhcp-common.c
index eae9886..ffc78ca 100644
--- a/src/dhcp-common.c
+++ b/src/dhcp-common.c
@@ -280,14 +280,18 @@ static int is_config_in_context(struct dhcp_context *context, struct dhcp_config
{
if (!context) /* called via find_config() from lease_update_from_configs() */
return 1;
-
+
+ /* No address present in config == in context */
+ if (!(config->flags & (CONFIG_ADDR | CONFIG_ADDR6)))
+ return 1;
+
#ifdef HAVE_DHCP6
if (context->flags & CONTEXT_V6)
{
struct addrlist *addr_list;
if (!(config->flags & CONFIG_ADDR6))
- return 1;
+ return 0;
for (; context; context = context->current)
for (addr_list = config->addr6; addr_list; addr_list = addr_list->next)
@@ -303,7 +307,7 @@ static int is_config_in_context(struct dhcp_context *context, struct dhcp_config
#endif
{
if (!(config->flags & CONFIG_ADDR))
- return 1;
+ return 0;
for (; context; context = context->current)
if ((config->flags & CONFIG_ADDR) && is_same_net(config->addr, context->start, context->netmask))
--
2.25.4

View File

@ -1,5 +1,5 @@
%define testrelease 0 %define testrelease 0
%define releasecandidate 0 %define releasecandidate 2
%if 0%{testrelease} %if 0%{testrelease}
%define extrapath test-releases/ %define extrapath test-releases/
%define extraversion test%{testrelease} %define extraversion test%{testrelease}
@ -19,8 +19,8 @@
%bcond_with sourcegit %bcond_with sourcegit
Name: dnsmasq Name: dnsmasq
Version: 2.84 Version: 2.85
Release: 2%{?extraversion:.%{extraversion}}%{?dist} Release: 1%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3 License: GPLv2 or GPLv3
@ -41,13 +41,8 @@ Patch1: dnsmasq-2.77-underflow.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1852373 # https://bugzilla.redhat.com/show_bug.cgi?id=1852373
Patch2: dnsmasq-2.81-configuration.patch Patch2: dnsmasq-2.81-configuration.patch
Patch3: dnsmasq-2.78-fips.patch Patch3: dnsmasq-2.78-fips.patch
Patch9: dnsmasq-2.80-SIOCGSTAMP.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1834454
Patch17: dnsmasq-2.81-rh1834454.patch
# This is workaround to nettle bug #1549190 Requires: nettle
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
Requires: nettle >= 3.4
BuildRequires: dbus-devel BuildRequires: dbus-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
@ -186,6 +181,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
%{_mandir}/man1/dhcp_* %{_mandir}/man1/dhcp_*
%changelog %changelog
* Wed Mar 31 2021 Petr Menšík <pemensik@redhat.com> - 2.85-1.rc2
- Update to 2.85rc2 (CVE-2021-3448)
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.84-2 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.84-2
- Rebuilt for updated systemd-rpm-macros - Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583. See https://pagure.io/fesco/issue/2583.

View File

@ -1,2 +1,2 @@
SHA512 (dnsmasq-2.84.tar.xz) = e84bdcdf3cf35f08e8492eb5aa89ee6543233bdb821d01f164783bd6d0913ec01c513e85e2109352c77e77142a1a94bedcd3361f37d7b2a9a5d35a02448e85c6 SHA512 (dnsmasq-2.85rc2.tar.xz) = a27576702c7f162d84dafc0e1d5fb41c76647191eb687eab902b8d2f8e10cf4a901fc3273cae5f0c315c83d2987416c8d8da7eb35118294ffcc67a803c2c7f72
SHA512 (dnsmasq-2.84.tar.xz.asc) = 097bc87a6aa9c5a01b3eefd4593b1de26c8565e2ad40bbf8627a0fa143101deeea313d0266eb068ab378996e0ac033f4a5b1890a823b69a9dc216049239e316a SHA512 (dnsmasq-2.85rc2.tar.xz.asc) = 72bbe0c1602244af27172f4ae07c77e05095b747f0a353e8c883b6abcb2bba898fd83b85fa8631a62652ec784348481327b059e7ce8084613d6815a022e54d24