dnsmasq is vulnerable to CVE-2021-3448

  • Done
Details
3 participants
  • Nicolò Balzarotti
  • Leo Famulari
  • Tobias Geerinckx-Rice
Owner
unassigned
Submitted by
Nicolò Balzarotti
Severity
normal
Nicolò Balzarotti wrote on 9 Apr 2021 17:10
(address . bug-guix@gnu.org)
87pmz3mr2k.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
CVE-2021-3448

A flaw was found in dnsmasq in versions before 2.85. When configured to
use a specific server for a given network interface, dnsmasq uses a
fixed port while forwarding queries. An attacker on the network, able to
find the outgoing port used by dnsmasq, only needs to guess the random
transmission ID to forge a reply and get it accepted by dnsmasq. This
flaw makes a DNS Cache Poisoning attack much easier. The highest threat
from this vulnerability is to data integrity.

guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
and there are 43 dependent packages so this can go directly to master.

All dependent packages (refresh -l) build fine except for
python2-libvirt@7.2.0, which is failing also on master
(libvirt-python requires Python >= 3.5 to build). Since it's a python2
package and no other package depends on it, can we just drop it?

Thanks, Nicolò
From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
From: nixo <nicolo@nixo.xyz>
Date: Fri, 9 Apr 2021 16:19:03 +0200
Subject: [PATCH] gnu: dnsmasq: Update to 2.85.

* gnu/packages/dns.scm (dnsmasq): Update to 2.85.
---
gnu/packages/dns.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index c940657ce9..3cf88febae 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -278,7 +278,7 @@ prompt the user with the option to go with insecure DNS only.")
(define-public dnsmasq
(package
(name "dnsmasq")
- (version "2.84")
+ (version "2.85")
(source (origin
(method url-fetch)
(uri (string-append
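Review bot: the commit log for this `(version "2.85")` bump says only "Update to 2.85", although the report gives CVE-2021-3448 as the reason for it. Name the CVE in the commit message so the security fix can be found later from the history of gnu/packages/dns.scm.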
@@ -286,7 +286,7 @@ prompt the user with the option to go with insecure DNS only.")
version ".tar.xz"))
(sha256
(base32
- "0305a0c3snwqcv77sipyynr55xip1fp2843yn04pc4vk9g39acb0"))))
+ "1yhjwgz8g5qrqvxh6bbmg3443zi8qqjks3q872wyb1zn7n0d765d"))))
(build-system gnu-build-system)
(native-inputs
`(("pkg-config" ,pkg-config)))
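Review bot: the replacement `base32` hash on the `+` line is the only integrity check on the 2.85 tarball fetched by `url-fetch`, and neither the patch nor the message says how it was produced. State whether the upstream signature of the download was verified before the hash was computed, so a reviewer can reproduce it independently.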
--
2.31.1
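
An added example, not part of the original report or of Guix's code: a small audit that checks whether a dnsmasq setup matches the condition in the CVE text above (a version before 2.85 together with an upstream server pinned to a network interface). The `server=<address>@<interface>` form is dnsmasq's option syntax; the sample configuration and all function names are constructed for illustration.

```python
import ipaddress
import re

FIXED_IN = (2, 85)  # per the report: versions before 2.85 are affected

# Constructed sample configuration (not taken from the page).
SAMPLE = """\
# upstream resolvers
server=9.9.9.9
server=/corp.example/10.0.0.53@eth1
server=192.0.2.53#5353@wg0  # VPN resolver
server=198.51.100.1@192.0.2.10
"""

def parse_version(text):
    """Turn '2.84' into a comparable (major, minor) tuple."""
    m = re.match(r"(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised dnsmasq version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def interface_bound_servers(conf_text):
    """Return (line_no, server, interface) for each server=...@<interface>."""
    found = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        # Treat '#' as a comment only at line start or after whitespace:
        # inside a server= value it separates the address from the port.
        line = re.sub(r"(^|\s)#.*", "", raw).strip()
        key, _, value = line.partition("=")
        if key.strip() != "server":
            continue
        spec = value.strip().rsplit("/", 1)[-1]  # drop any /domain/ prefix
        server, *suffixes = spec.split("@")
        for suffix in suffixes:
            name = suffix.split("#", 1)[0]
            if name and not _is_ip(name):  # an IP here is a source address
                found.append((no, server, name))
    return found

def exposed(version, conf_text):
    """Findings that match the CVE condition, or [] on a fixed version."""
    affected = parse_version(version) < FIXED_IN
    return interface_bound_servers(conf_text) if affected else []
```

With the sample above, `exposed("2.84", SAMPLE)` reports the `eth1` and `wg0` entries, and `exposed("2.85", SAMPLE)` reports nothing.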
Nicolò Balzarotti wrote on 9 Apr 2021 17:12
(no subject)
(address . control@debbugs.gnu.org)
87mtu7mqzk.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
tags 47674 + security
quit
Leo Famulari wrote on 9 Apr 2021 21:33
Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHCsAioNoPoTh5EH@jasmine.lan
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> CVE-2021-3448
>
> A flaw was found in dnsmasq in versions before 2.85. When configured to
> use a specific server for a given network interface, dnsmasq uses a
> fixed port while forwarding queries. An attacker on the network, able to
> find the outgoing port used by dnsmasq, only needs to guess the random
> transmission ID to forge a reply and get it accepted by dnsmasq. This
> flaw makes a DNS Cache Poisoning attack much easier. The highest threat
> from this vulnerability is to data integrity.
>
> guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
> and there are 43 dependent packages so this can go directly to master.
>
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other packages depends on it, can we just drop it?

Yes, sounds good.
Leo Famulari wrote on 9 Apr 2021 21:34
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674-done@debbugs.gnu.org)
YHCsSh9+7Uqdq0VU@jasmine.lan
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
> From: nixo <nicolo@nixo.xyz>
> Date: Fri, 9 Apr 2021 16:19:03 +0200
> Subject: [PATCH] gnu: dnsmasq: Update to 2.85.
>
> * gnu/packages/dns.scm (dnsmasq): Update to 2.85.

Looks like this change was already done with commit
c8d809f9a49c2b4ec5500c2685e96168dcd9afa9
Closed
Leo Famulari wrote on 9 Apr 2021 21:38
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHCtHf4Pa4ER9N7j@jasmine.lan
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other packages depends on it, can we just drop it?

I notice that python2-libvirt builds okay on staging:

Nicolò Balzarotti wrote on 9 Apr 2021 21:47
(name . Leo Famulari)(address . leo@famulari.name)(address . 47674@debbugs.gnu.org)
87h7kfme9q.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
Leo Famulari <leo@famulari.name> writes:

> On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
>> All dependent packages (refresh -l) build fine except for
>> python2-libvirt@7.2.0, which is failing also on master
>> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
>> package and no other packages depends on it, can we just drop it?
>
> I notice that python2-libvirt builds okay on staging:
>
> https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835

Staging has an older version (5.8 vs 7.2, which has been released in
November 2019 [fn:1] though), and it got updated a few days ago
(28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
fail on staging too. Am I wrong?


Leo Famulari wrote on 9 Apr 2021 22:07
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHCz69IMc+4ESoa0@jasmine.lan
On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> Staging has an older version (5.8 vs 7.2, which has been released in
> november 2019 [fn:1] though), and it got updated a few days ago
> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> fail on staging too. Am I wrong?

Ah, could be. The new staging builds haven't been performed yet.
Nicolò Balzarotti wrote on 10 Apr 2021 23:39
(name . Leo Famulari)(address . leo@famulari.name)(address . 47674@debbugs.gnu.org)
87eefh3jl2.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
Leo Famulari <leo@famulari.name> writes:

> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
>> Staging has an older version (5.8 vs 7.2, which has been released in
>> november 2019 [fn:1] though), and it got updated a few days ago
>> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
>> fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Failed both i686 and x86_64 on staging
Leo Famulari wrote on 11 Apr 2021 00:05
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHIhEnD1mWwtlLn8@jasmine.lan
On Fri, Apr 09, 2021 at 04:07:07PM -0400, Leo Famulari wrote:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> > Staging has an older version (5.8 vs 7.2, which has been released in
> > november 2019 [fn:1] though), and it got updated a few days ago
> > (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> > fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.

Thanks for following up. Sure, I think it's fine to remove a package
if it does not build and has no dependents.
Tobias Geerinckx-Rice wrote on 11 Apr 2021 00:27
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)
878s5phj18.fsf@nckx
Nicolò,

Nicolò Balzarotti writes:
> gnu/packages/dns.scm (dnsmasq): Update to 2.85.

I see you managed to aim this beautifully between me searching the
issue tracker for ‘dnsmasq’ and me actually pushing an update, so
well done I guess.

(Also: sorry for the duplicated effort, and thanks for keeping an
eye on the securities. :-)

Kind regards,

T G-R
This issue is archived.
