dnsmasq: Update to version 2.83 (#6245)

This fixes the following security problems in dnsmasq: * CVE-2020-25681: Dnsmasq versions before 2.83 is susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into target device's memory that can lead to memory corruption and other unexpected behaviors on the target device. * CVE-2020-25682: Dnsmasq versions before 2.83 is susceptible to buffer overflow in extract_name() function due to missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device. * CVE-2020-25683: Dnsmasq version before 2.83 is susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap- allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in Dnsmasq, resulting in a Denial of Service. * CVE-2020-25684: A lack of proper address/port check implemented in Dnsmasq version < 2.83 reply_query function makes forging replies easier to an off-path attacker. * CVE-2020-25685: A lack of query resource name (RRNAME) checks implemented in Dnsmasq's versions before 2.83 reply_query function allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning. * CVE-2020-25686: Multiple DNS query requests for the same resource name (RRNAME) by Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning. * CVE-2020-25687: Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Co-authored-by: Hauke Mehrtens <hauke@hauke-m.de>
2025-04-16 04:13:31 +00:00 · 2021-01-25 01:37:23 +08:00 · 2021-01-25 01:37:23 +08:00 · 1c271cdd2c
commit 1c271cdd2c
parent d3d861a729
3 changed files with 32 additions and 37 deletions
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=dnsmasq
-PKG_UPSTREAM_VERSION:=2.81
+PKG_UPSTREAM_VERSION:=2.83
 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
-PKG_RELEASE:=7
+PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
 PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
-PKG_HASH:=749ca903537c5197c26444ac24b0dce242cf42595fdfe6b9a5b9e4c7ad32f8fb
+PKG_HASH:=ffc1f7e8b05e22d910b9a71d09f1128197292766dc7c54cb7018a1b2c3af4aea

 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
--- a/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch
+++ b/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch
@ -14,7 +14,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>

 --- a/src/dnsmasq.c
 +++ b/src/dnsmasq.c
-@@ -94,10 +94,6 @@ int main (int argc, char **argv)
+@@ -95,10 +95,6 @@ int main (int argc, char **argv)
   
   read_opts(argc, argv, compile_opts);
  
@ -27,7 +27,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
 
 --- a/src/dnsmasq.h
 +++ b/src/dnsmasq.h
-@@ -1110,7 +1110,7 @@ extern struct daemon {
+@@ -1125,7 +1125,7 @@ extern struct daemon {
   int inotifyfd;
 #endif
 #if defined(HAVE_LINUX_NETWORK)
@ -36,7 +36,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
 #elif defined(HAVE_BSD_NETWORK)
   int dhcp_raw_fd, dhcp_icmp_fd, routefd;
 #endif
-@@ -1290,9 +1290,6 @@ int read_write(int fd, unsigned char *pa
+@@ -1306,9 +1306,6 @@ int read_write(int fd, unsigned char *pa
 void close_fds(long max_fd, int spare1, int spare2, int spare3);
 int wildcard_match(const char* wildcard, const char* match);
 int wildcard_matchn(const char* wildcard, const char* match, int num);
@ -141,16 +141,16 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
      my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));
 --- a/src/netlink.c
 +++ b/src/netlink.c
-@@ -82,8 +82,7 @@ void netlink_init(void)
-     }
+@@ -92,8 +92,7 @@ char *netlink_init(void)
+   iov.iov_len = 100;
+   iov.iov_base = safe_malloc(iov.iov_len);
   
-   if (daemon->netlinkfd == -1 || 
-      (daemon->kernel_version >= KERNEL_VERSION(2,6,30) &&
-       setsockopt(daemon->netlinkfd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &opt, sizeof(opt)) == -1) ||
-+      (setsockopt(daemon->netlinkfd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &opt, sizeof(opt)) == -1) ||
-       getsockname(daemon->netlinkfd, (struct sockaddr *)&addr, &slen) == -1)
-     die(_("cannot create netlink socket: %s"), NULL, EC_MISC);
+-  if (daemon->kernel_version >= KERNEL_VERSION(2,6,30) &&
+-      setsockopt(daemon->netlinkfd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &opt, sizeof(opt)) == -1)
+  if (setsockopt(daemon->netlinkfd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &opt, sizeof(opt)) == -1)
+     return _("warning: failed to set NETLINK_NO_ENOBUFS on netlink socket");
   
+   return NULL;
 --- a/src/util.c
 +++ b/src/util.c
@@ -786,22 +786,3 @@ int wildcard_matchn(const char* wildcard
--- a/package/network/services/dnsmasq/patches/900-filter-aaaa.patch
+++ b/package/network/services/dnsmasq/patches/900-filter-aaaa.patch
@ -27,15 +27,15 @@ diff --git a/src/option.c b/src/option.c
 index 44b1dc5..f954d7f 100644
 --- a/src/option.c
 +++ b/src/option.c
-@@ -167,6 +167,7 @@
- #define LOPT_IGNORE_CLID   358
+@@ -168,6 +168,7 @@ struct myoption {
 #define LOPT_SINGLE_PORT   359
 #define LOPT_SCRIPT_TIME   360
-+#define LOPT_FILTER_AAAA   361
+ #define LOPT_PXE_VENDOR    361
+#define LOPT_FILTER_AAAA   362
  
 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
-@@ -339,6 +340,7 @@
+@@ -341,6 +342,7 @@ static const struct myoption opts[] =
     { "dumpfile", 1, 0, LOPT_DUMPFILE },
     { "dumpmask", 1, 0, LOPT_DUMPMASK },
     { "dhcp-ignore-clid", 0, 0,  LOPT_IGNORE_CLID },
@ -43,7 +43,7 @@ index 44b1dc5..f954d7f 100644
     { NULL, 0, 0, 0 }
   };
 
-@@ -518,6 +520,7 @@
+@@ -521,6 +523,7 @@ static struct {
   { LOPT_DUMPFILE, ARG_ONE, "<path>", gettext_noop("Path to debug packet dump file"), NULL },
   { LOPT_DUMPMASK, ARG_ONE, "<hex>", gettext_noop("Mask which packets to dump"), NULL },
   { LOPT_SCRIPT_TIME, OPT_LEASE_RENEW, NULL, gettext_noop("Call dhcp-script when lease expiry changes."), NULL },
@ -51,29 +51,24 @@ index 44b1dc5..f954d7f 100644
   { 0, 0, NULL, NULL, NULL }
 }; 
 
-
 diff --git a/src/rfc1035.c b/src/rfc1035.c
 index 6290f22..b67b169 100644
 --- a/src/rfc1035.c
 +++ b/src/rfc1035.c
-@@ -1953,9 +1953,18 @@
- 	      if (!dryrun)
- 		log_query(F_CONFIG | F_NEG, name, &addr, NULL);
+@@ -1908,6 +1908,16 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	    }
-	}
-+ 	}
-+ 
-+      //patch to filter aaaa forwards
-+      if (qtype == T_AAAA && option_bool(OPT_FILTER_AAAA) ){
-+        //return a null reply
-+        ans = 1;
-+        if (!dryrun) log_query(F_CONFIG | F_IPV6 | F_NEG, name, &addr, NULL);
-+        break;
-+      }
-+      //end of patch
+ 	}
 
-      if (!ans)
-+       if (!ans)
+      /* patch to filter aaaa forwards */
+      if (qtype == T_AAAA && option_bool(OPT_FILTER_AAAA))
+        {
+          /* return a null reply */
+          ans = 1;
+          if (!dryrun)
+            log_query(F_CONFIG | F_IPV6 | F_NEG, name, &addr, NULL);
+          break;
+        }
+
+       if (!ans)
 	return 0; /* failed to answer a question */
     }
-