Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package dnsmasq.15577 for
openSUSE:Leap:15.2:Update checked in at 2021-01-20 10:03:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/dnsmasq.15577 (Old)
and /work/SRC/openSUSE:Leap:15.2:Update/.dnsmasq.15577.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dnsmasq.15577"
Wed Jan 20 10:03:58 2021 rev:1 rq:864384 version:2.78
Changes:
--------
New Changes file:
--- /dev/null 2021-01-11 18:20:20.070723563 +0100
+++
/work/SRC/openSUSE:Leap:15.2:Update/.dnsmasq.15577.new.28504/dnsmasq.changes
2021-01-20 10:04:00.993809064 +0100
@@ -0,0 +1,1669 @@
+-------------------------------------------------------------------
+Thu Jan 14 14:06:27 UTC 2021 - Reinhard Max <[email protected]>
+
+- bsc#1177077: Fixed DNSpooq vulnerabilities (dnsmasq-dnspooq.patch)
+- CVE-2020-25684, CVE-2020-25685, CVE-2020-25686:
+ Fixed multiple Cache Poisoning attacks.
+- CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687:
+ Fixed multiple potential Heap-based overflows when DNSSEC is
+ enabled.
+
+-------------------------------------------------------------------
+Fri Dec 18 16:36:08 UTC 2020 - Reinhard Max <[email protected]>
+
+- Retry query to other servers on receipt of SERVFAIL rcode
+ (bsc#1176076, dnsmasq-servfail.patch)
+
+-------------------------------------------------------------------
+Wed Nov 13 10:23:27 UTC 2019 - Reinhard Max <[email protected]>
+
+- bsc#1154849, CVE-2019-14834, dnsmasq-CVE-2019-14834.patch:
+ memory leak in the create_helper() function in /src/helper.c
+- bsc#1156543: include linux/sockios.h to get SIOCGSTAMP
+ (dnsmasq-siocgstamp.patch).
+- bsc#1138743: remove cache size limit (dnsmasq-cache-size.patch).
+- bsc#1152539: include config files from /etc/dnsmasq.d/*.conf .
+- bsc#1076958, CVE-2017-15107, dnsmasq-CVE-2017-15107.patch:
+ A vulnerability in DNSSEC implementation of Dnsmasq was found.
+ Processing of wildcard synthesized NSEC records may result in
+ improper validation for non-existance in some implementations of
+ DNSSEC. While synthesis of NSEC records is allowed by RFC4592,
+ the synthesized owner names should not be used in the NSEC
+ processing.
+- Package contrib/lease-tools/dhcp_release6.
+
+-------------------------------------------------------------------
+Fri Oct 19 15:01:00 UTC 2018 - [email protected]
+
+- enabled lua scripting interface (FATE#327143).
+
+-------------------------------------------------------------------
+Wed Aug 29 16:22:13 UTC 2018 - [email protected]
+
+- add missing prereq on the group to be created (bsc#1106446)
+
+-------------------------------------------------------------------
+Mon Jul 16 10:15:54 CEST 2018 - [email protected]
+
+- Don't require systemd explicit, fix spec file to handle both
+ cases correct. In containers we don't have systemd.
+- Adjust pre/post install for transactional updates.
+- Use %license instead of %doc [bsc#1082318]
+
+-------------------------------------------------------------------
+Mon Dec 4 13:39:32 UTC 2017 - [email protected]
+
+- Update keyring
+
+-------------------------------------------------------------------
+Fri Dec 1 14:50:09 UTC 2017 - [email protected]
+
+- Get rid of python dependency due to examples. (fate#323526)
+
+-------------------------------------------------------------------
+Mon Oct 2 14:09:59 UTC 2017 - [email protected]
+
+- Security update to version 2.78:
+ * bsc#1060354, CVE-2017-14491: 2 byte heap based overflow.
+ * bsc#1060355, CVE-2017-14492: heap based overflow.
+ * bsc#1060360, CVE-2017-14493: stack based overflow.
+ * bsc#1060361, CVE-2017-14494: DHCP - info leak.
+ * bsc#1060362, CVE-2017-14495: DNS - OOM DoS.
+ * bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow.
+ * Fix DHCP relaying, broken in 2.76 and 2.77.
+ * For other changes, see
+ http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
+- Obsoleted patches:
+ * Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
+ * Handle-binding-upstream-servers-to-an-interface.patch
+
+-------------------------------------------------------------------
+Tue Sep 12 08:29:59 UTC 2017 - [email protected]
+
+- Fix /srv/tftpboot permissions wrt bsc#940608
+
+-------------------------------------------------------------------
+Fri Aug 18 11:16:03 UTC 2017 - [email protected]
+
+- reload system dbus to pick up policy change on install (bsc#1054429)
+
+-------------------------------------------------------------------
+Wed Jan 4 17:29:37 UTC 2017 - [email protected]
+
+- Handle binding upstream servers to an interface if interface
+ is destroyed and recreated (boo#1018160)
+ Added two patches from upstream:
+ * added Handle-binding-upstream-servers-to-an-interface.patch
+ * added Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
+
+-------------------------------------------------------------------
+Wed Aug 3 13:46:06 UTC 2016 - [email protected]
+
+- Update to 2.76:
+
+ * Include 0.0.0.0/8 in DNS rebind checks.
+ * Enhance --add-subnet to allow arbitrary subnet addresses.
+ * Respect the --no-resolv flag in inotify code. Fixes bug
+ which caused dnsmasq to fail to start if a resolv-file
+ was a dangling symbolic link, even of --no-resolv set.
+ * Fix crash when an A or AAAA record is defined locally,
+ in a hosts file, and an upstream server sends a reply
+ that the same name is empty (CVE-2015-8899, bsc#983273).
+ * Fix failure to correctly calculate cache-size when reading a
+ hosts-file fails.
+ * Fix wrong answer to simple name query when --domain-needed
+ set, but no upstream servers configured.
+ * Return REFUSED when running out of forwarding table slots,
+ not SERVFAIL.
+ * Add --max-port configuration.
+ * Add --script-arp and two new functions for the dhcp-script.
+ * Extend --add-mac to allow a new encoding of the MAC address
+ as base64, by configurting --add-mac=base64
+ * Add --add-cpe-id option.
+
+ * Don't crash with divide-by-zero if an IPv6 dhcp-range is
+ declared as a whole /64.
+ (ie xx::0 to xx::ffff:ffff:ffff:ffff)
+ * Add support for a TTL parameter in --host-record and --cname.
+ * Add --dhcp-ttl option.
+ * Add --tftp-mtu option.
+ * Check return-code of inet_pton() when parsing dhcp-option.
+ * Fix wrong value for EDNS UDP packet size when using
+ --servers-file to define upstream DNS servers.
+ * Add dhcp_release6 to contrib/lease-tools.
+
+-------------------------------------------------------------------
+Thu Jun 16 12:39:18 UTC 2016 - [email protected]
+
+- dnsmasq-groups.patch: Initialize the supplementary groups of the
+ dnsmasq user (bsc#859298).
+
+-------------------------------------------------------------------
+Tue Feb 2 21:34:39 UTC 2016 - [email protected]
+
+- Add gpg signature
+
+-------------------------------------------------------------------
+Mon Aug 24 18:10:01 UTC 2015 - [email protected]
+
+- spec file cleanup, get rid of redifinition warnings
+
+-------------------------------------------------------------------
+Tue Aug 11 01:41:02 UTC 2015 - [email protected]
+
+- Update to 2.75, announce message:
+ Fix reversion on 2.74 which caused 100% CPU use when a
+ dhcp-script is configured. Thanks to Adrian Davey for
+ reporting the bug and testing the fix.
+
+- Update to 2.74, announce message:
+ Fix reversion in 2.73 where --conf-file would attempt to
+ read the default file, rather than no file.
+
+ Fix inotify code to handle dangling symlinks better and
+ not SEGV in some circumstances.
+
+ DNSSEC fix. In the case of a signed CNAME generated by a
+ wildcard which pointed to an unsigned domain, the wrong
+ status would be logged, and some necessary checks omitted.
+
+- Update to 2.73, announce message:
+ Fix crash at startup when an empty suffix is supplied to
+ --conf-dir, also trivial memory leak. Thanks to
+ Tomas Hozza for spotting this.
+
+ Remove floor of 4096 on advertised EDNS0 packet size when
+ DNSSEC in use, the original rationale for this has long gone.
+ Thanks to Anders Kaseorg for spotting this.
+
+ Use inotify for checking on updates to /etc/resolv.conf and
+ friends under Linux. This fixes race conditions when the files are
+ updated rapidly and saves CPU by noy polling. To build
+ a binary that runs on old Linux kernels without inotify,
+ use make COPTS=-DNO_INOTIFY
+
+ Fix breakage of --domain=<domain>,<subnet>,local - only reverse
+ queries were intercepted. THis appears to have been broken
+ since 2.69. Thanks to Josh Stone for finding the bug.
+
+ Eliminate IPv6 privacy addresses and deprecated addresses from
+ the answers given by --interface-name. Note that reverse queries
+ (ie looking for names, given addresses) are not affected.
+ Thanks to Michael Gorbach for the suggestion.
+
+ Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
+ for the bug report.
+
+ Add --ignore-address option. Ignore replies to A-record
++++ 1472 more lines (skipped)
++++ between /dev/null
++++ and
/work/SRC/openSUSE:Leap:15.2:Update/.dnsmasq.15577.new.28504/dnsmasq.changes
New:
----
SuSEFirewall.dnsmasq-dhcp
SuSEFirewall.dnsmasq-dns
dnsmasq-2.78.tar.xz
dnsmasq-2.78.tar.xz.asc
dnsmasq-CVE-2017-15107.patch
dnsmasq-CVE-2019-14834.patch
dnsmasq-cache-size.patch
dnsmasq-dnspooq.patch
dnsmasq-groups.patch
dnsmasq-rpmlintrc
dnsmasq-servfail.patch
dnsmasq-siocgstamp.patch
dnsmasq.changes
dnsmasq.keyring
dnsmasq.reg
dnsmasq.service
dnsmasq.spec
rc.dnsmasq-suse
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dnsmasq.spec ++++++
#
# spec file for package dnsmasq
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
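Name:           dnsmasq
Summary:        Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server
License:        GPL-2.0-only OR GPL-3.0-only
Group:          Productivity/Networking/DNS/Servers
Version:        2.78
Release:        0
Provides:       dns_daemon
# the pre scriptlet calls useradd/groupadd to create the tftp and dnsmasq accounts
PreReq:         /usr/sbin/useradd /bin/mkdir
Url:            http://www.thekelleys.org.uk/dnsmasq/
Source0:        http://www.thekelleys.org.uk/%{name}/%{name}-%{version}.tar.xz
# detached upstream signature for Source0, plus the upstream keyring (Source2)
Source1:        http://www.thekelleys.org.uk/%{name}/%{name}-%{version}.tar.xz.asc
Source2:        %{name}.keyring
Source3:        dnsmasq.reg
Source4:        dnsmasq.service
Source5:        rc.dnsmasq-suse
Source6:        SuSEFirewall.dnsmasq-dhcp
Source7:        SuSEFirewall.dnsmasq-dns
Source8:        %{name}-rpmlintrc
# bsc#859298: initialize the supplementary groups of the dnsmasq user
Patch0:         dnsmasq-groups.patch
# bsc#1076958, CVE-2017-15107: wildcard-synthesized NSEC records in DNSSEC validation
Patch1:         dnsmasq-CVE-2017-15107.patch
# bsc#1138743: remove the 10000-entry cache size limit
Patch2:         dnsmasq-cache-size.patch
# bsc#1156543: include linux/sockios.h to get SIOCGSTAMP
Patch3:         dnsmasq-siocgstamp.patch
# bsc#1154849, CVE-2019-14834: memory leak in create_helper()
Patch4:         dnsmasq-CVE-2019-14834.patch
# bsc#1176076: retry the query on other servers on a SERVFAIL rcode
Patch5:         dnsmasq-servfail.patch
# bsc#1177077, CVE-2020-25681..CVE-2020-25687 (DNSpooq): cache poisoning and
# DNSSEC heap overflows
Patch6:         dnsmasq-dnspooq.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  dbus-1-devel
BuildRequires:  dos2unix
BuildRequires:  libidn-devel
BuildRequires:  libnettle-devel
BuildRequires:  lua-devel
BuildRequires:  pkg-config
BuildRequires:  pkgconfig(libnetfilter_conntrack)
# the dnsmasq account is created in the pre scriptlet with -g nogroup
Requires(pre):  group(nogroup)
%if 0%{?suse_version} >= 1210
BuildRequires:  systemd
%endif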
%description
Dnsmasq is a lightweight, easy-to-configure DNS forwarder and DHCP
server. It is designed to provide DNS and, optionally, DHCP, to a small
network. It can serve the names of local machines that are not in the
global DNS. The DHCP server integrates with the DNS server and allows
machines with DHCP-allocated addresses to appear in DNS with names
configured either in each host or in a central configuration file.
Dnsmasq supports static and dynamic DHCP leases and BOOTP for network
booting of diskless machines.
%package utils
Summary: Utilities for manipulating DHCP server leases
Group: Productivity/Networking/DNS/Servers
%description utils
Utilities that use the standard DHCP protocol to query/remove a DHCP
server's leases.
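%prep
%setup -q
%patch0
%patch1
%patch2
%patch3
%patch4
%patch5
%patch6
# Remove the executable bit from python example files to
# avoid unwanted automatic dependencies.  The pattern is quoted so the
# shell cannot expand it against the build directory before find sees it.
find contrib -name '*.py' -exec chmod a-x '{}' +
# Some docs have the DOS line ends
dos2unix contrib/systemd/dbus_activation
# use lua5.3 instead of lua5.2
sed -i -e 's|lua5.2|lua5.3|' Makefile
# SED-FIX-UPSTREAM -- Fix paths; also pass CFLAGS at link time so the
# hardening flags exported in the build section reach the linker
sed -i -e 's|\(PREFIX *= *\)/usr/local|\1/usr|;
           s|$(LDFLAGS)|$(CFLAGS) $(LDFLAGS)|' \
    Makefile
# SED-FIX-UPSTREAM -- Fix man page
sed -i -e 's|The defaults to "dip",|The default is "nogroup",|' \
    man/dnsmasq.8
# SED-FIX-UPSTREAM -- Fix cachesize, group and user: the daemon switches to
# the unprivileged dnsmasq account (created in the pre scriptlet) by default
sed -i -e 's|CACHESIZ 150|CACHESIZ 2000|;
           s|CHUSER "nobody"|CHUSER "dnsmasq"|;
           s|CHGRP "dip"|CHGRP "nogroup"|' \
    src/config.h
# Fix trust-anchor.conf location and include /etc/dnsmasq.d/*.conf by default
sed -i -e '/trust-anchors.conf/c\#conf-file=/etc/dnsmasq.d/trust-anchors.conf' \
    -e '/conf-dir=.*conf/s/^\#//' \
    dnsmasq.conf.example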
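%build
# ship the Norwegian catalogue under the nb locale code instead of no
mv po/no.po po/nb.po
# PIE plus full RELRO for the network-facing daemon
export CFLAGS="%optflags -std=gnu99 -fPIC -DPIC -fpie"
export LDFLAGS="-Wl,-z,relro,-z,now -pie"
# the dnsmasq make system hashes the configuration flags, so we have to supply the
# same flags for make and make install, else everything gets recompiled
%define _copts "-DHAVE_DBUS -DHAVE_CONNTRACK -DHAVE_IDN -DHAVE_DNSSEC -DHAVE_LUASCRIPT"
make %{?_smp_mflags} AWK=gawk all-i18n CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS" COPTS=%{_copts}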
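%pre
# tftp account: owns /srv/tftpboot (see the files list)
if ! /usr/bin/getent group tftp >/dev/null; then
    %{_sbindir}/groupadd -r tftp 2>/dev/null || :
fi
if ! /usr/bin/getent passwd tftp >/dev/null; then
    %{_sbindir}/useradd -c "TFTP account" -d /srv/tftpboot -G tftp -g tftp \
        -r -s /bin/false tftp 2>/dev/null || :
fi
# unprivileged account the daemon switches to (CHUSER, patched in src/config.h);
# no login shell, empty home, member of tftp (the group owning /srv/tftpboot)
if ! /usr/bin/getent passwd dnsmasq >/dev/null; then
    %{_sbindir}/useradd -r -d /var/lib/empty -s /bin/false -c "dnsmasq" \
        -g nogroup -G tftp dnsmasq || :
fi
%service_add_pre %{name}.service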
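%post
%service_add_post %{name}.service
# reload dbus after install or upgrade to apply new policies;
# skipped under transactional-update, where the running system is not the target
if [ -z "${TRANSACTIONAL_UPDATE}" ] && [ -x /usr/bin/systemctl ]; then
    /usr/bin/systemctl reload dbus.service 2>/dev/null || :
fi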
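%preun
%service_del_preun %{name}.service
%postun
%service_del_postun %{name}.service
# reload dbus after uninstall, our policies are gone again.
# FIRST_ARG takes precedence over $1 when set; the value is 0 only on a
# real erase, not on an upgrade.
if [ "${FIRST_ARG:-$1}" -eq 0 ] && [ -z "${TRANSACTIONAL_UPDATE}" ] \
   && [ -x /usr/bin/systemctl ]; then
    /usr/bin/systemctl reload dbus.service 2>/dev/null || :
fi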
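%install
make install-i18n DESTDIR=%{buildroot} PREFIX=/usr AWK=gawk COPTS=%{_copts}
install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d
install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
install -m 644 dnsmasq.conf.example %{buildroot}%{_sysconfdir}/dnsmasq.conf
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/slp.reg.d/
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/dnsmasq-dns
install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/dnsmasq-dhcp
# D-Bus system policy for the bus name the unit file starts the daemon under
# (-m is required here: a bare "755" argument is taken as a directory to create)
install -d -m 755 %{buildroot}/etc/dbus-1/system.d/
install -m 644 dbus/dnsmasq.conf %{buildroot}/etc/dbus-1/system.d/dnsmasq.conf
install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/dnsmasq.service
# TFTP root; ownership (tftp:tftp) is assigned in the files list
install -d -m 0755 %{buildroot}/srv/tftpboot
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcdnsmasq
# drop-in directory included by dnsmasq.conf (enabled in the prep section)
install -d -m 755 %{buildroot}%{_sysconfdir}/dnsmasq.d
install -m 644 trust-anchors.conf %{buildroot}%{_sysconfdir}/dnsmasq.d/trust-anchors.conf
# utils subpackage
mkdir -p %{buildroot}%{_bindir} %{buildroot}%{_mandir}/man1
make -C contrib/lease-tools %{?_smp_mflags}
install -m 755 contrib/lease-tools/dhcp_release     %{buildroot}%{_bindir}/dhcp_release
install -m 644 contrib/lease-tools/dhcp_release.1   %{buildroot}%{_mandir}/man1/dhcp_release.1
install -m 755 contrib/lease-tools/dhcp_release6    %{buildroot}%{_bindir}/dhcp_release6
install -m 644 contrib/lease-tools/dhcp_release6.1  %{buildroot}%{_mandir}/man1/dhcp_release6.1
install -m 755 contrib/lease-tools/dhcp_lease_time  %{buildroot}%{_bindir}/dhcp_lease_time
install -m 644 contrib/lease-tools/dhcp_lease_time.1 %{buildroot}%{_mandir}/man1/dhcp_lease_time.1
# contrib is shipped as documentation below; remove build products and
# the platform-specific directories first
make -C contrib/lease-tools clean
rm -rf contrib/Suse
rm -rf contrib/Solaris10
rm -rf contrib/dnsmasq_MacOSX-pre10.4
rm -rf contrib/slackware-dnsmasq
rm -rf contrib/MacOSX-launchd
%find_lang %{name} --with-man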
%files -f %{name}.lang
%defattr(-,root,root,-)
%license COPYING COPYING-v3
%doc CHANGELOG FAQ doc.html setup.html dnsmasq.conf.example contrib dbus
%config(noreplace) %{_sysconfdir}/dnsmasq.conf
%{_sbindir}/dnsmasq
%{_sbindir}/rcdnsmasq
# firewall service definitions: plain config, so an update replaces them
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/dnsmasq-dns
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/dnsmasq-dhcp
%dir %{_sysconfdir}/slp.reg.d/
%config %attr(0644,root,root) /%{_sysconfdir}/slp.reg.d/dnsmasq.reg
%{_mandir}/man8/dnsmasq.8.gz
# D-Bus system policy; local edits are kept across updates
%config(noreplace) /etc/dbus-1/system.d/dnsmasq.conf
%{_unitdir}/dnsmasq.service
%dir %{_sysconfdir}/dnsmasq.d
%config(noreplace) %{_sysconfdir}/dnsmasq.d/trust-anchors.conf
# TFTP root is owned by the tftp account created in the pre scriptlet
%dir %attr(0755,tftp,tftp) /srv/tftpboot
%files utils
%defattr(-,root,root,-)
%{_bindir}/dhcp_*
%{_mandir}/man1/dhcp_*
++++++ SuSEFirewall.dnsmasq-dhcp ++++++
# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
# More may be supported in the future.
#
# For a more detailed description of the individual variables see
# the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
#
## Name: dnsmasq
## Description: Open ports for the dnsmasq DNS/DHCP server
# space separated list of allowed TCP ports
TCP=""
# space separated list of allowed UDP ports
UDP="bootps"
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST="bootps"
++++++ SuSEFirewall.dnsmasq-dns ++++++
# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
# More may be supported in the future.
#
# For a more detailed description of the individual variables see
# the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
#
## Name: dnsmasq
## Description: Open ports for the dnsmasq DNS/DHCP server
# space separated list of allowed TCP ports
TCP=""
# space separated list of allowed UDP ports
UDP="domain"
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""
++++++ dnsmasq-CVE-2017-15107.patch ++++++
--- src/dnssec.c.orig
+++ src/dnssec.c
@@ -424,15 +424,17 @@ static void from_wire(char *name)
static int count_labels(char *name)
{
int i;
-
+ char *p;
+
if (*name == 0)
return 0;
- for (i = 0; *name; name++)
- if (*name == '.')
+ for (p = name, i = 0; *p; p++)
+ if (*p == '.')
i++;
- return i+1;
+ /* Don't count empty first label. */
+ return *name == '.' ? i : i+1;
}
/* Implement RFC1982 wrapped compare for 32-bit numbers */
@@ -1405,8 +1407,8 @@ static int hostname_cmp(const char *a, c
}
}
-static int prove_non_existence_nsec(struct dns_header *header, size_t plen,
unsigned char **nsecs, int nsec_count,
- char *workspace1, char *workspace2, char
*name, int type, int *nons)
+static int prove_non_existence_nsec(struct dns_header *header, size_t plen,
unsigned char **nsecs, unsigned char **labels, int nsec_count,
+ char *workspace1_in, char *workspace2, char
*name, int type, int *nons)
{
int i, rc, rdlen;
unsigned char *p, *psave;
@@ -1419,6 +1421,9 @@ static int prove_non_existence_nsec(stru
/* Find NSEC record that proves name doesn't exist */
for (i = 0; i < nsec_count; i++)
{
+ char *workspace1 = workspace1_in;
+ int sig_labels, name_labels;
+
p = nsecs[i];
if (!extract_name(header, plen, &p, workspace1, 1, 10))
return 0;
@@ -1427,7 +1432,27 @@ static int prove_non_existence_nsec(stru
psave = p;
if (!extract_name(header, plen, &p, workspace2, 1, 10))
return 0;
-
+
+ /* If NSEC comes from wildcard expansion, use original wildcard
+ as name for computation. */
+ sig_labels = *labels[i];
+ name_labels = count_labels(workspace1);
+
+ if (sig_labels < name_labels)
+ {
+ int k;
+ for (k = name_labels - sig_labels; k != 0; k--)
+ {
+ while (*workspace1 != '.' && *workspace1 != 0)
+ workspace1++;
+ if (k != 1 && *workspace1 == '.')
+ workspace1++;
+ }
+
+ workspace1--;
+ *workspace1 = '*';
+ }
+
rc = hostname_cmp(workspace1, name);
if (rc == 0)
@@ -1825,24 +1850,26 @@ static int prove_non_existence_nsec3(str
static int prove_non_existence(struct dns_header *header, size_t plen, char
*keyname, char *name, int qtype, int qclass, char *wildname, int *nons)
{
- static unsigned char **nsecset = NULL;
- static int nsecset_sz = 0;
+ static unsigned char **nsecset = NULL, **rrsig_labels = NULL;
+ static int nsecset_sz = 0, rrsig_labels_sz = 0;
int type_found = 0;
- unsigned char *p = skip_questions(header, plen);
+ unsigned char *auth_start, *p = skip_questions(header, plen);
int type, class, rdlen, i, nsecs_found;
/* Move to NS section */
if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen)))
return 0;
+
+ auth_start = p;
for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--)
{
unsigned char *pstart = p;
- if (!(p = skip_name(p, header, plen, 10)))
+ if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10))
return 0;
-
+
GETSHORT(type, p);
GETSHORT(class, p);
p += 4; /* TTL */
@@ -1859,7 +1886,69 @@ static int prove_non_existence(struct dn
if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found))
return 0;
- nsecset[nsecs_found++] = pstart;
+ if (type == T_NSEC)
+ {
+ /* If we're looking for NSECs, find the corresponding SIGs, to
+ extract the labels value, which we need in case the NSECs
+ are the result of wildcard expansion.
+ Note that the NSEC may not have been validated yet
+ so if there are multiple SIGs, make sure the label value
+ is the same in all, to avoid be duped by a rogue one.
+ If there are no SIGs, that's an error */
+ unsigned char *p1 = auth_start;
+ int res, j, rdlen1, type1, class1;
+
+ if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz,
nsecs_found))
+ return 0;
+
+ rrsig_labels[nsecs_found] = NULL;
+
+ for (j = ntohs(header->nscount); j != 0; j--)
+ {
+ if (!(res = extract_name(header, plen, &p1,
daemon->workspacename, 0, 10)))
+ return 0;
+
+ GETSHORT(type1, p1);
+ GETSHORT(class1, p1);
+ p1 += 4; /* TTL */
+ GETSHORT(rdlen1, p1);
+
+ if (!CHECK_LEN(header, p1, plen, rdlen1))
+ return 0;
+
+ if (res == 1 && class1 == qclass && type1 == T_RRSIG)
+ {
+ int type_covered;
+ unsigned char *psav = p1;
+
+ if (rdlen < 18)
+ return 0; /* bad packet */
+
+ GETSHORT(type_covered, p1);
+
+ if (type_covered == T_NSEC)
+ {
+ p1++; /* algo */
+
+ /* labels field must be the same in every SIG we
find. */
+ if (!rrsig_labels[nsecs_found])
+ rrsig_labels[nsecs_found] = p1;
+ else if (*rrsig_labels[nsecs_found] != *p1) /* algo
*/
+ return 0;
+ }
+ p1 = psav;
+ }
+
+ if (!ADD_RDLEN(header, p1, plen, rdlen1))
+ return 0;
+ }
+
+ /* Must have found at least one sig. */
+ if (!rrsig_labels[nsecs_found])
+ return 0;
+ }
+
+ nsecset[nsecs_found++] = pstart;
}
if (!ADD_RDLEN(header, p, plen, rdlen))
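Review bot: The `if (rdlen < 18)` guard inside the new RRSIG scan tests the wrong length: `rdlen` is the outer NSEC record's rdlength, while the record `p1` is about to read from was sized by `GETSHORT(rdlen1, p1)` and bounded by `CHECK_LEN(header, p1, plen, rdlen1)` a few lines earlier. With an `rdlen1` smaller than the four bytes consumed by `GETSHORT(type_covered, p1)`, the `p1++` for the algorithm byte and the `*p1` labels read, those reads run past the RRSIG's rdata even though the outer check passed; the line should be `if (rdlen1 < 18) return 0; /* bad packet */`. Separately, the `/* algo */` comment on `else if (*rrsig_labels[nsecs_found] != *p1)` is misleading, since `p1` has already been advanced past the algorithm byte and points at the labels field the comparison is about; `/* labels */` would match the code. prove_non_existence starts and ends outside the hunk.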
@@ -1867,7 +1956,7 @@ static int prove_non_existence(struct dn
}
if (type_found == T_NSEC)
- return prove_non_existence_nsec(header, plen, nsecset, nsecs_found,
daemon->workspacename, keyname, name, qtype, nons);
+ return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels,
nsecs_found, daemon->workspacename, keyname, name, qtype, nons);
else if (type_found == T_NSEC3)
return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found,
daemon->workspacename, keyname, name, qtype, wildname, nons);
else
++++++ dnsmasq-CVE-2019-14834.patch ++++++
X-Git-Url:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blobdiff_plain;f=src%2Fhelper.c;h=c392eeced3e73762d3ea6a2f9fa27ab5ae389241;hp=33ba120ab39e3788719a18796b5b58338972e1e8;hb=69bc94779c2f035a9fffdb5327a54c3aeca73ed5;hpb=3052ce208acf602f0163166dcefb7330d537cedb
--- src/helper.c.orig
+++ src/helper.c
@@ -82,7 +82,8 @@ int create_helper(int event_fd, int err_
pid_t pid;
int i, pipefd[2];
struct sigaction sigact;
-
+ unsigned char *alloc_buff = NULL;
+
/* create the pipe through which the main program sends us commands,
then fork our process. */
if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1)
@@ -188,11 +189,16 @@ int create_helper(int event_fd, int err_
struct script_data data;
char *p, *action_str, *hostname = NULL, *domain = NULL;
unsigned char *buf = (unsigned char *)daemon->namebuff;
- unsigned char *end, *extradata, *alloc_buff = NULL;
+ unsigned char *end, *extradata;
int is6, err = 0;
int pipeout[2];
- free(alloc_buff);
+ /* Free rarely-allocated memory from previous iteration. */
+ if (alloc_buff)
+ {
+ free(alloc_buff);
+ alloc_buff = NULL;
+ }
/* we read zero bytes when pipe closed: this is our signal to exit */
if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1))
++++++ dnsmasq-cache-size.patch ++++++
--- src/dnsmasq.c.orig
+++ src/dnsmasq.c
@@ -717,7 +717,11 @@ int main (int argc, char **argv)
else
{
if (daemon->cachesize != 0)
- my_syslog(LOG_INFO, _("started, version %s cachesize %d"), VERSION,
daemon->cachesize);
+ {
+ my_syslog(LOG_INFO, _("started, version %s cachesize %d"), VERSION,
daemon->cachesize);
+ if (daemon->cachesize > 10000)
+ my_syslog(LOG_WARNING, _("cache size greater than 10000 may cause
performance issues, and is unlikely to be useful."));
+ }
else
my_syslog(LOG_INFO, _("started, version %s cache disabled"), VERSION);
--- src/option.c.orig
+++ src/option.c
@@ -2579,8 +2579,6 @@ static int one_opt(int option, char *arg
if (size < 0)
size = 0;
- else if (size > 10000)
- size = 10000;
daemon->cachesize = size;
}
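Review bot: Removing the `size > 10000` clamp leaves `size < 0` as the only validation before `daemon->cachesize = size`, so the value handed to the cache allocation is now whatever the option parser produced (one_opt starts and ends outside the hunk, so I cannot see how `size` is parsed or bounded there). The new LOG_WARNING in the dnsmasq.c hunk fires only after the value has already been accepted. A short comment here would stop a future reader from reinstating the cap, e.g. `/* no upper bound (bsc#1138743): the cache allocation is the only limit */`.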
++++++ dnsmasq-dnspooq.patch ++++++
++++ 1383 lines (skipped)
++++++ dnsmasq-groups.patch ++++++
--- src/dnsmasq.c.orig
+++ src/dnsmasq.c
@@ -581,11 +581,10 @@ int main (int argc, char **argv)
if (!option_bool(OPT_DEBUG) && getuid() == 0)
{
int bad_capabilities = 0;
- gid_t dummy;
- /* remove all supplementary groups */
+ /* set the supplementary groups of the daemon user */
if (gp &&
- (setgroups(0, &dummy) == -1 ||
+ (initgroups(daemon->username, gp->gr_gid) == -1 ||
setgid(gp->gr_gid) == -1))
{
send_event(err_pipe[1], EVENT_GROUP_ERR, errno, daemon->groupname);
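Review bot: `initgroups(daemon->username, gp->gr_gid)` dereferences `daemon->username`, but the surrounding condition still only checks `gp`; if the group name can be configured while the user name is left unset, this passes NULL to initgroups() (main's body continues outside the hunk, so I cannot confirm from here that username is always populated when gp is). The change also reverses the old intent, from dropping every supplementary group to keeping all groups of the daemon user, which is what bsc#859298 asks for; the replaced comment should say so, e.g. `/* set the supplementary groups of the daemon user (bsc#859298); replaces the earlier drop-all setgroups(0, ...) */`.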
++++++ dnsmasq-rpmlintrc ++++++
# These are example scripts
addFilter("doc-file-dependency")
# This is the correct user
addFilter("non-standard-uid")
++++++ dnsmasq-servfail.patch ++++++
--- src/forward.c
+++ src/forward.c
@@ -817,7 +817,7 @@ void reply_query(int fd, int family, time_t now)
/* Note: if we send extra options in the EDNS0 header, we can't recreate
the query from the reply. */
- if (RCODE(header) == REFUSED &&
+ if ((RCODE(header) == REFUSED || RCODE(header) == SERVFAIL) &&
forward->forwardall == 0 &&
!(forward->flags & FREC_HAS_EXTRADATA))
/* for broken servers, attempt to send to another one. */
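Review bot: The `/* for broken servers, attempt to send to another one. */` comment now also covers SERVFAIL, but SERVFAIL is also how a validating upstream reports a DNSSEC-bogus answer, so retrying it elsewhere is a deliberate policy choice rather than only a broken-server workaround. Record that in the comment so the next reader does not narrow the condition back to REFUSED, e.g. `/* REFUSED or SERVFAIL (bsc#1176076): try another server; note a validating upstream also answers SERVFAIL for bogus data. */`. reply_query's body continues outside the hunk.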
++++++ dnsmasq-siocgstamp.patch ++++++
From: Jiri Slaby <[email protected]>
Date: Wed, 10 Jul 2019 08:19:06 +0200
Subject: fix build after y2038 changes in glibc
Patch-mainline: submitted on 2019/07/10
SIOCGSTAMP is defined in linux/sockios.h, not asm/sockios.h now.
Signed-off-by: Jiri Slaby <[email protected]>
---
src/dnsmasq.h | 1 +
1 file changed, 1 insertion(+)
--- src/dnsmasq.h.orig
+++ src/dnsmasq.h
@@ -128,6 +128,7 @@ typedef unsigned long long u64;
#endif
#if defined(HAVE_LINUX_NETWORK)
+#include <linux/sockios.h>
#include <linux/capability.h>
/* There doesn't seem to be a universally-available
userspace header for these. */
++++++ dnsmasq.reg ++++++
#############################################################################
#
# OpenSLP registration file
#
# register domain name service (DNS) daemon
#
#############################################################################
service:domain://$HOSTNAME:53,en,65535
watch-port-udp=53
description=Domain Name Service
++++++ dnsmasq.service ++++++
[Unit]
Description=DNS caching server.
After=network.target
Wants=nss-lookup.target
Before=nss-lookup.target
[Service]
Type=dbus
BusName=uk.org.thekelleys.dnsmasq
ExecStartPre=/usr/sbin/dnsmasq --test
ExecStart=/usr/sbin/dnsmasq --log-async --enable-dbus --keep-in-foreground
ExecReload=/bin/kill -HUP $MAINPID
#### kills logging, so not enabled
# PrivateDevices=yes
####
[Install]
WantedBy=multi-user.target
++++++ rc.dnsmasq-suse ++++++
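#! /bin/sh
#
# init.d/dnsmasq
#
### BEGIN INIT INFO
# Provides:          dnsmasq
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     3 5
# Default-Stop:
# Description:       Starts internet name service masq caching server (DNS)
### END INIT INFO

NAMED_BIN=/usr/sbin/dnsmasq
NAMED_PID=/var/run/dnsmasq.pid
NAMED_CONF=/etc/dnsmasq.conf

# LSB status 5: program is not installed
if [ ! -x "$NAMED_BIN" ] ; then
    echo -n "dnsmasq not installed! "
    exit 5
fi

# SUSE rc framework: rc_reset, rc_status, rc_failed, rc_exit
. /etc/rc.status
rc_reset

case "$1" in
    start)
        # dnsmasq no longer reads /etc/ppp; warn if the config still refers to it
        if grep "^[^#].*/etc/ppp/" "$NAMED_CONF" >/dev/null 2>&1; then
            echo
            echo "Warning! dnsmasq can not read the /etc/ppp directory anymore"
            echo " but /etc/ppp seems to be used in your config"
            echo " use /var/run/ instead like /var/run/dnsmasq-forwarders.conf"
            echo
        fi
        echo -n "Starting name service masq caching server "
        if checkproc -p "$NAMED_PID" "$NAMED_BIN" ; then
            echo -n "- Warning: dnsmasq already running! "
        else
            # a leftover pid file with no matching process
            [ -e "$NAMED_PID" ] && echo -n "- Warning: $NAMED_PID exists! "
        fi
        # -u dnsmasq: the daemon switches to this unprivileged account after start-up
        startproc -p "$NAMED_PID" "$NAMED_BIN" -u dnsmasq
        rc_status -v
        ;;
    stop)
        echo -n "Shutting name service masq caching server "
        if ! checkproc -p "$NAMED_PID" "$NAMED_BIN" ; then
            echo -n "- Warning: dnsmasq not running! "
        fi
        killproc -p "$NAMED_PID" -TERM "$NAMED_BIN"
        rc_status -v
        ;;
    try-restart|force-reload)
        # only restart a service that is currently running
        if "$0" status ; then
            "$0" restart
        else
            rc_reset
        fi
        rc_status
        ;;
    restart)
        if checkproc -p "$NAMED_PID" "$NAMED_BIN" ; then
            "$0" stop
        fi
        "$0" start
        rc_status
        ;;
    reload)
        # dnsmasq has no config reload; report "unimplemented feature" (LSB 3)
        echo -n "Reloading name service masq caching server unsupported "
        rc_failed 3
        rc_status -v
        ;;
    sighup)
        echo -n "Sending SIGHUP to name service masq caching server "
        killproc -p "$NAMED_PID" -HUP "$NAMED_BIN"
        rc_status -v
        ;;
    status)
        echo -n "Checking for name service masq caching server "
        checkproc -p "$NAMED_PID" "$NAMED_BIN"
        rc_status -v
        ;;
    probe)
        # config newer than the pid file: suggest a reload
        test "$NAMED_CONF" -nt "$NAMED_PID" && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|sighup|probe}"
        exit 1
        ;;
esac
rc_exit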