*** This bug is a security vulnerability ***

Private security bug reported:

Haw Loeung reports the following issue in dnsmasq:

ubuntu@instance-lcy01:~$ host www.googleapis.com
;; Warning: Message parser reports malformed message packet.
;; Warning: Message parser reports malformed message packet.
www.googleapis.com is an alias for googleapis.l.google.com.
ubuntu@instance-lcy01:$ grep nameserver /etc/resolv.conf
nameserver 10.55.60.1

ubuntu@instance-lcy02:~$ host www.googleapis.com
;; Warning: Message parser reports malformed message packet.
;; Warning: Message parser reports malformed message packet.
www.googleapis.com is an alias for googleapis.l.google.com.
ubuntu@instance-lcy02:~$ grep nameserver /etc/resolv.conf
nameserver 10.55.32.1

[hloeung@silver ~]$ host www.googleapis.com 10.55.32.1 | grep Warning
;; Warning: Message parser reports malformed message packet.
;; Warning: Message parser reports malformed message packet.

[hloeung@silver ~]$ host www.googleapis.com 10.55.59.1 | grep Warning
[hloeung@silver ~]$ host www.googleapis.com 10.55.59.1 | grep Warning
[hloeung@silver ~]$ host www.googleapis.com 10.55.59.1 | grep Warning
[hloeung@silver ~]$ host www.googleapis.com 10.55.59.1 | grep Warning


[hloeung@dziban ~]$ host www.googleapis.com 10.55.60.1 | grep Warning
;; Warning: Message parser reports malformed message packet.
;; Warning: Message parser reports malformed message packet.

[hloeung@dziban ~]$ host www.googleapis.com 10.55.59.1 | grep Warning
[hloeung@dziban ~]$ host www.googleapis.com 10.55.59.1 | grep Warning
[hloeung@dziban ~]$ host www.googleapis.com 10.55.59.1 | grep Warning


[hloeung@dziban ~]$ apt-cache policy dnsmasq-base
dnsmasq-base:
  Installed: 2.59-4ubuntu0.3

[hloeung@silver ~]$ apt-cache policy dnsmasq-base
dnsmasq-base:
  Installed: 2.59-4ubuntu0.3
  Candidate: 2.59-4ubuntu0.3
  Version table:
 *** 2.59-4ubuntu0.3 0
        500 https://esm.ubuntu.com/ubuntu/ precise/main amd64 Packages


[hloeung@silver ~]$ dig +tcp a www.googleapis.com @10.55.32.1
;; Warning: Message parser reports malformed message packet.
...
;; WARNING: Messages has 109 extra bytes at end
...
;; MSG SIZE  rcvd: 157

[hloeung@silver ~]$ sudo strace -f -p 2418 -s 10240000 2>&1 | grep googleapis -B3 -A3
[pid 11479] getpeername(10, {sa_family=AF_INET, sin_port=htons(33976), sin_addr=inet_addr("10.55.32.1")}, [16]) = 0
[pid 11479] read(10, "\0", 1)           = 1
[pid 11479] read(10, "$", 1)            = 1
[pid 11479] read(10, "\334r\1\0\0\1\0\0\0\0\0\0\3www\ngoogleapis\3com\0\0\1\0\1", 36) = 36
[pid 11479] write(10, "\0", 1)          = 1
[pid 11479] write(10, "\235", 1)        = 1
[pid 11479] write(10, "\334r\201\200\0\1\0\6\0\0\0\0\3www\ngoogleapis\3com\0\0\1\0\1\300\f\0\5\0\1\0\0\10\2\0\35\ngoogleapis.\1l.\6google.\3com\0\0\3000\0\1\0\1\0\0\0%\0\4\330:\301J\3000\0\1\0\1\0\0\0%\0\4\254\331\3\312\3000\0\1\0\1\0\0\0%\0\4\254\331\3\252\3000\0\1\0\1\0\0\0%\0\4\330:\330\252\3000\0\1\0\1\0\0\0%\0\4\330:\330\212", 157) = 157
[pid 11479] read(10, "", 1)             = 0
[pid 11479] shutdown(10, 2 /* send and receive */) = 0
[pid 11479] close(10)                   = 0
--
[pid 11491] getpeername(10, {sa_family=AF_INET, sin_port=htons(54452), sin_addr=inet_addr("10.55.32.1")}, [16]) = 0
[pid 11491] read(10, "\0", 1)           = 1
[pid 11491] read(10, "$", 1)            = 1
[pid 11491] read(10, "\352t\1\0\0\1\0\0\0\0\0\0\3www\ngoogleapis\3com\0\0\1\0\1", 36) = 36
[pid 11491] write(10, "\0", 1)          = 1
[pid 11491] write(10, "\235", 1)        = 1
[pid 11491] write(10, "\352t\201\200\0\1\0\6\0\0\0\0\3www\ngoogleapis\3com\0\0\1\0\1\300\f\0\5\0\1\0\0\10\1\0\35\ngoogleapis.\1l.\6google.\3com\0\0\3000\0\1\0\1\0\0\0$\0\4\330:\301J\3000\0\1\0\1\0\0\0$\0\4\254\331\3\312\3000\0\1\0\1\0\0\0$\0\4\254\331\3\252\3000\0\1\0\1\0\0\0$\0\4\330:\330\252\3000\0\1\0\1\0\0\0$\0\4\330:\330\212", 157) = 157
[pid 11491] read(10, "", 1)             = 0
[pid 11491] shutdown(10, 2 /* send and receive */) = 0
[pid 11491] close(10)                   = 0
^C

157 bytes (= 157 from strace)


Junien has also seen this with a tcpdump:

https://pastebin.canonical.com/204043/

For now, I've downgraded dnsmasq-base to 2.59-4ubuntu0.2:

[hloeung@silver ~]$ apt-cache policy dnsmasq-base
dnsmasq-base:
  Installed: 2.59-4ubuntu0.2
  Candidate: 2.59-4ubuntu0.3
  Version table:
     2.59-4ubuntu0.3 0
        500 https://esm.ubuntu.com/ubuntu/ precise/main amd64 Packages
 *** 2.59-4ubuntu0.2 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status

[hloeung@dziban ~]$ apt-cache policy dnsmasq-base
dnsmasq-base:
  Installed: 2.59-4ubuntu0.2
  Candidate: 2.59-4ubuntu0.3
  Version table:
     2.59-4ubuntu0.3 0
        500 https://esm.ubuntu.com/ubuntu/ precise/main amd64 Packages
 *** 2.59-4ubuntu0.2 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status

** Affects: dnsmasq (Ubuntu)
     Importance: Medium
     Assignee: Leonidas S. Barbosa (leosilvab)
         Status: In Progress

** Changed in: dnsmasq (Ubuntu)
       Status: New => In Progress

** Information type changed from Public to Private Security

** Changed in: dnsmasq (Ubuntu)
   Importance: Undecided => Medium

** Changed in: dnsmasq (Ubuntu)
     Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)

https://bugs.launchpad.net/bugs/1741262

Title:
  regression in dnsmasq  breaks DNS resolution for precise ESM

Status in dnsmasq package in Ubuntu:
  In Progress
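
The 157-byte response in the strace capture above can be checked offline. This added example (not part of the original report or of dnsmasq; `skip_name` and `check_response` are hypothetical helper names) pastes the first `write()` payload into a strict DNS record walker and shows that the CNAME RDATA at offset 48 carries literal `.` bytes between labels, so it is not a valid wire-format name; 157 - 48 = 109 is consistent with dig's "109 extra bytes at end".

```python
import struct

# First 157-byte response from the strace capture on the page, pasted as-is.
RESPONSE = (
    b"\334r\201\200\0\1\0\6\0\0\0\0\3www\ngoogleapis\3com\0\0\1\0\1"
    b"\300\f\0\5\0\1\0\0\10\2\0\35\ngoogleapis.\1l.\6google.\3com\0\0"
    b"\3000\0\1\0\1\0\0\0%\0\4\330:\301J\3000\0\1\0\1\0\0\0%\0\4\254\331\3\312"
    b"\3000\0\1\0\1\0\0\0%\0\4\254\331\3\252\3000\0\1\0\1\0\0\0%\0\4\330:\330\252"
    b"\3000\0\1\0\1\0\0\0%\0\4\330:\330\212"
)

def skip_name(msg, off, limit):
    """Return the offset just past the wire-format name at off; it must end by limit."""
    while off < limit:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # compression pointer ends the name
            if off + 2 > limit:
                raise ValueError(f"pointer at offset {off} overruns end {limit}")
            return off + 2                   # pointer target is not followed here
        if n & 0xC0:
            raise ValueError(f"reserved label type at offset {off}")
        if off + 1 + n > limit:
            raise ValueError(f"label length {n} at offset {off} overruns end {limit}")
        off += 1 + n
        if n == 0:                           # root label terminates the name
            return off
    raise ValueError(f"name not terminated before offset {limit}")

def check_response(msg):
    """Walk all records; return ([(rdata_offset, problem), ...], end_offset)."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, findings = 12, []
    for _ in range(qd):
        off = skip_name(msg, off, len(msg)) + 4      # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off, len(msg))          # owner name
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, end = off + 10, off + 10 + rdlen
        if rtype in (2, 5, 12):                      # NS, CNAME, PTR: RDATA is one name
            try:
                if skip_name(msg, rdata, end) != end:
                    findings.append((rdata, "name ends before RDLENGTH"))
            except ValueError as exc:
                findings.append((rdata, str(exc)))
        off = end
    return findings, off

if __name__ == "__main__":
    findings, end = check_response(RESPONSE)
    print(len(RESPONSE), end, findings)
```

The same walker run against resolver responses in a regression test flags this class of encoding error before a package update reaches production resolvers.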
