Update to 2.85rc2

Fixes CVE-2021-3448 and few more regressions.
2021-03-31 09:49:03 +02:00 · 2021-03-31 09:49:03 +02:00 · f497e41434
commit f497e41434
parent 93943b79fb
5 changed files with 11 additions and 132 deletions
--- a/.gitignore
+++ b/.gitignore
@ -38,3 +38,5 @@ dnsmasq-2.52.tar.lzma
 /dnsmasq-2.83.tar.xz.asc
 /dnsmasq-2.84.tar.xz
 /dnsmasq-2.84.tar.xz.asc
+/dnsmasq-2.85rc2.tar.xz
+/dnsmasq-2.85rc2.tar.xz.asc
--- a/dnsmasq-2.80-SIOCGSTAMP.patch
+++ b/dnsmasq-2.80-SIOCGSTAMP.patch
@ -1,59 +0,0 @@
-From 02b6209f8085cbe3443f8623ccdc31f020825507 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Wed, 31 Jul 2019 20:35:35 +0200
-Subject: [PATCH] Recent kernel no longer supports SIOCGSTAMP
-
-Build without it defined by kernel headers. Do not try SO_TIMESTAMP
-until fixed properly.
---
- src/dhcp.c | 30 +++++++++++++++++-------------
- 1 file changed, 17 insertions(+), 13 deletions(-)
-
-diff --git a/src/dhcp.c b/src/dhcp.c
-index bea4688..13373ae 100644
--- a/src/dhcp.c
-+++ b/src/dhcp.c
-@@ -178,23 +178,27 @@ void dhcp_packet(time_t now, int pxe_fd)
-       (sz < (ssize_t)(sizeof(*mess) - sizeof(mess->options)))) 
-     return;
-     
-  #if defined (HAVE_LINUX_NETWORK)
-+#if defined (HAVE_LINUX_NETWORK)
-+#ifdef SIOCGSTAMP
-   if (ioctl(fd, SIOCGSTAMP, &tv) == 0)
-     recvtime = tv.tv_sec;
-+#endif
- 
-   if (msg.msg_controllen >= sizeof(struct cmsghdr))
-    for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
-      if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
-	{
-	  union {
-	    unsigned char *c;
-	    struct in_pktinfo *p;
-	  } p;
-	  p.c = CMSG_DATA(cmptr);
-	  iface_index = p.p->ipi_ifindex;
-	  if (p.p->ipi_addr.s_addr != INADDR_BROADCAST)
-	    unicast_dest = 1;
-	}
-+    {
-+      for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
-+        if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
-+	  {
-+	    union {
-+	      unsigned char *c;
-+	      struct in_pktinfo *p;
-+	    } p;
-+	    p.c = CMSG_DATA(cmptr);
-+	    iface_index = p.p->ipi_ifindex;
-+	    if (p.p->ipi_addr.s_addr != INADDR_BROADCAST)
-+	      unicast_dest = 1;
-+	  }
-+    }
- 
- #elif defined(HAVE_BSD_NETWORK) 
-   if (msg.msg_controllen >= sizeof(struct cmsghdr))
-- 
-2.26.2
-
--- a/dnsmasq-2.81-rh1834454.patch
+++ b/dnsmasq-2.81-rh1834454.patch
@ -1,62 +0,0 @@
-From 3d113137fd64cd0723cbecab6a36a75d3ecfb0a6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Harald=20Jens=C3=A5s?= <hjensas@redhat.com>
-Date: Thu, 7 May 2020 00:33:54 +0200
-Subject: [PATCH 1/1] Fix regression in s_config_in_context() method
-
-Prior to commit 137286e9baecf6a3ba97722ef1b49c851b531810
-a config would not be considered in context if:
-a) it has no address family flags set
-b) it has the address family flag of current context set
-
-Since above commit config is considered in context if the
-address family is the opposite of current context.
-
-The result is that a config with two dhcp-host records,
-one for IPv6 and another for IPv4 no longer works, for
-example with the below config the config with the IPv6
-address would be considered in context for a DHCP(v4)
-request.
- dhcp-host=52:54:00:bc:c3:fd,172.20.0.11,host2
- dhcp-host=52:54:00:bc:c3:fd,[fd12:3456:789a:1::aadd],host2
-
-This commit restores the previous behavior.
---
- src/dhcp-common.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/src/dhcp-common.c b/src/dhcp-common.c
-index eae9886..ffc78ca 100644
--- a/src/dhcp-common.c
-+++ b/src/dhcp-common.c
-@@ -280,14 +280,18 @@ static int is_config_in_context(struct dhcp_context *context, struct dhcp_config
- {
-   if (!context) /* called via find_config() from lease_update_from_configs() */
-     return 1; 
-  
-+
-+  /* No address present in config == in context */
-+  if (!(config->flags & (CONFIG_ADDR | CONFIG_ADDR6)))
-+    return 1;
-+
- #ifdef HAVE_DHCP6
-   if (context->flags & CONTEXT_V6)
-     {
-        struct addrlist *addr_list;
- 
-        if (!(config->flags & CONFIG_ADDR6))
-	 return 1;
-+	 return 0;
-        
-         for (; context; context = context->current)
- 	  for (addr_list = config->addr6; addr_list; addr_list = addr_list->next)
-@@ -303,7 +307,7 @@ static int is_config_in_context(struct dhcp_context *context, struct dhcp_config
- #endif
-     {
-       if (!(config->flags & CONFIG_ADDR))
-	return 1;
-+	return 0;
-       
-       for (; context; context = context->current)
- 	if ((config->flags & CONFIG_ADDR) && is_same_net(config->addr, context->start, context->netmask))
-- 
-2.25.4
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@ -1,5 +1,5 @@
 %define testrelease 0
-%define releasecandidate 0
+%define releasecandidate 2
 %if 0%{testrelease}
  %define extrapath test-releases/
  %define extraversion test%{testrelease}
@ -19,8 +19,8 @@
 %bcond_with sourcegit

 Name:           dnsmasq
-Version:        2.84
-Release:        2%{?extraversion:.%{extraversion}}%{?dist}
+Version:        2.85
+Release:        1%{?extraversion:.%{extraversion}}%{?dist}
 Summary:        A lightweight DHCP/caching DNS server

 License:        GPLv2 or GPLv3
@ -41,13 +41,8 @@ Patch1:         dnsmasq-2.77-underflow.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1852373
 Patch2:         dnsmasq-2.81-configuration.patch
 Patch3:         dnsmasq-2.78-fips.patch
-Patch9:         dnsmasq-2.80-SIOCGSTAMP.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1834454
-Patch17:        dnsmasq-2.81-rh1834454.patch

-# This is workaround to nettle bug #1549190
-# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
-Requires:       nettle >= 3.4
+Requires:       nettle

 BuildRequires:  dbus-devel
 BuildRequires:  pkgconfig
@ -186,6 +181,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
 %{_mandir}/man1/dhcp_*

 %changelog
+* Wed Mar 31 2021 Petr Menšík <pemensik@redhat.com> - 2.85-1.rc2
+- Update to 2.85rc2 (CVE-2021-3448)
+
 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.84-2
 - Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (dnsmasq-2.84.tar.xz) = e84bdcdf3cf35f08e8492eb5aa89ee6543233bdb821d01f164783bd6d0913ec01c513e85e2109352c77e77142a1a94bedcd3361f37d7b2a9a5d35a02448e85c6
-SHA512 (dnsmasq-2.84.tar.xz.asc) = 097bc87a6aa9c5a01b3eefd4593b1de26c8565e2ad40bbf8627a0fa143101deeea313d0266eb068ab378996e0ac033f4a5b1890a823b69a9dc216049239e316a
+SHA512 (dnsmasq-2.85rc2.tar.xz) = a27576702c7f162d84dafc0e1d5fb41c76647191eb687eab902b8d2f8e10cf4a901fc3273cae5f0c315c83d2987416c8d8da7eb35118294ffcc67a803c2c7f72
+SHA512 (dnsmasq-2.85rc2.tar.xz.asc) = 72bbe0c1602244af27172f4ae07c77e05095b747f0a353e8c883b6abcb2bba898fd83b85fa8631a62652ec784348481327b059e7ce8084613d6815a022e54d24