dnsmasq is vulnerable to CVE-2021-3448

  • Done
Details
3 participants
  • Nicolò Balzarotti
  • Leo Famulari
  • Tobias Geerinckx-Rice
Owner
unassigned
Submitted by
Nicolò Balzarotti
Severity
normal
Nicolò Balzarotti wrote on 9 Apr 2021 17:10
(address . bug-guix@gnu.org)
87pmz3mr2k.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
CVE-2021-3448

A flaw was found in dnsmasq in versions before 2.85. When configured to
use a specific server for a given network interface, dnsmasq uses a
fixed port while forwarding queries. An attacker on the network, able to
find the outgoing port used by dnsmasq, only needs to guess the random
transmission ID to forge a reply and get it accepted by dnsmasq. This
flaw makes a DNS Cache Poisoning attack much easier. The highest threat
from this vulnerability is to data integrity.

guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
and there are 43 dependent packages so this can go directly to master.

All dependent packages (refresh -l) build fine except for
python2-libvirt@7.2.0, which is failing also on master
(libvirt-python requires Python >= 3.5 to build). Since it's a python2
package and no other package depends on it, can we just drop it?

Thanks, Nicolò
From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
From: nixo <nicolo@nixo.xyz>
Date: Fri, 9 Apr 2021 16:19:03 +0200
Subject: [PATCH] gnu: dnsmasq: Update to 2.85.

* gnu/packages/dns.scm (dnsmasq): Update to 2.85.
---
gnu/packages/dns.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index c940657ce9..3cf88febae 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -278,7 +278,7 @@ prompt the user with the option to go with insecure DNS only.")
(define-public dnsmasq
(package
(name "dnsmasq")
- (version "2.84")
+ (version "2.85")
(source (origin
(method url-fetch)
(uri (string-append
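Review bot: the commit log for the version bump at the (version "2.85") line reads only "Update to 2.85." and does not record that the update fixes CVE-2021-3448, which is the reason the report gives for the change. Suggest naming the CVE in the commit message, for example "Fixes CVE-2021-3448.", so the security fix can be found from the history.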
@@ -286,7 +286,7 @@ prompt the user with the option to go with insecure DNS only.")
version ".tar.xz"))
(sha256
(base32
- "0305a0c3snwqcv77sipyynr55xip1fp2843yn04pc4vk9g39acb0"))))
+ "1yhjwgz8g5qrqvxh6bbmg3443zi8qqjks3q872wyb1zn7n0d765d"))))
(build-system gnu-build-system)
(native-inputs
`(("pkg-config" ,pkg-config)))
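Review bot: the new base32 value on the + line under (sha256 is the only integrity pin for the url-fetch tarball, and neither the patch nor the message says how it was obtained. Suggest stating that it was computed from the 2.85 release tarball, after checking upstream's signature if one is published, so the committer can reproduce it before pushing.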
--
2.31.1
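
A configuration check for the condition the advisory above describes, as an added example that is not part of the original report, of Guix or of dnsmasq: it lists `server=` lines bound to a network interface when the installed version predates 2.85. The `server=<address>@<interface>` form is assumed from dnsmasq's documented option syntax; the sample configuration and all function names are constructed for illustration.

```python
import ipaddress
import re

FIXED_IN = (2, 85)  # per the advisory: versions before 2.85 are affected

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
# upstream resolvers
server=9.9.9.9
server=/corp.example/10.0.0.53@eth1
server=192.0.2.1#5353@192.0.2.10
server=198.51.100.7@wlan0  # guest network
"""

def parse_version(text):
    """Return (major, minor) from '2.84' or 'Dnsmasq version 2.84 ...'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no version number in %r" % text)
    return int(m.group(1)), int(m.group(2))

def is_ip(token):
    """True if token is an IP address, optionally followed by #port."""
    try:
        ipaddress.ip_address(token.split("#", 1)[0])
        return True
    except ValueError:
        return False

def interface_bound_servers(conf_text):
    """Yield (line_no, interface) for server= lines that name an interface."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        # Strip comments; a '#' glued to an address is a port, not a comment.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        key, _, value = line.partition("=")
        if key.strip() != "server":
            continue
        target = value.rsplit("/", 1)[-1]      # drop any /domain/ prefix
        for extra in target.split("@")[1:]:    # parts after the server address
            if extra and not is_ip(extra):     # a source IP is not an interface
                yield no, extra

def audit(conf_text, version_text):
    """List interface-bound forwarders if this dnsmasq predates the fix."""
    if parse_version(version_text) >= FIXED_IN:
        return []
    return list(interface_bound_servers(conf_text))
```

An empty result for a pre-2.85 version means no forwarder in that file matches the interface-bound form; the upgrade is still the fix.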
Nicolò Balzarotti wrote on 9 Apr 2021 17:12
(no subject)
(address . control@debbugs.gnu.org)
87mtu7mqzk.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
tags 47674 + security
quit
Leo Famulari wrote on 9 Apr 2021 21:33
Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHCsAioNoPoTh5EH@jasmine.lan
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> CVE-2021-3448
>
> A flaw was found in dnsmasq in versions before 2.85. When configured to
> use a specific server for a given network interface, dnsmasq uses a
> fixed port while forwarding queries. An attacker on the network, able to
> find the outgoing port used by dnsmasq, only needs to guess the random
> transmission ID to forge a reply and get it accepted by dnsmasq. This
> flaw makes a DNS Cache Poisoning attack much easier. The highest threat
> from this vulnerability is to data integrity.
>
> guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
> and there are 43 dependent packages so this can go directly to master.
>
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other package depends on it, can we just drop it?

Yes, sounds good.
Leo Famulari wrote on 9 Apr 2021 21:34
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674-done@debbugs.gnu.org)
YHCsSh9+7Uqdq0VU@jasmine.lan
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
> From: nixo <nicolo@nixo.xyz>
> Date: Fri, 9 Apr 2021 16:19:03 +0200
> Subject: [PATCH] gnu: dnsmasq: Update to 2.85.
>
> * gnu/packages/dns.scm (dnsmasq): Update to 2.85.

Looks like this change was already done with commit
c8d809f9a49c2b4ec5500c2685e96168dcd9afa9
Closed
Leo Famulari wrote on 9 Apr 2021 21:38
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHCtHf4Pa4ER9N7j@jasmine.lan
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other package depends on it, can we just drop it?

I notice that python2-libvirt builds okay on staging:

Nicolò Balzarotti wrote on 9 Apr 2021 21:47
(name . Leo Famulari)(address . leo@famulari.name)(address . 47674@debbugs.gnu.org)
87h7kfme9q.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
Leo Famulari <leo@famulari.name> writes:

> On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
>> All dependent packages (refresh -l) build fine except for
>> python2-libvirt@7.2.0, which is failing also on master
>> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
>> package and no other package depends on it, can we just drop it?
>
> I notice that python2-libvirt builds okay on staging:
>
> https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835

Staging has an older version (5.8 vs 7.2, which has been released in
November 2019 [fn:1] though), and it got updated a few days ago
(28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
fail on staging too. Am I wrong?


Leo Famulari wrote on 9 Apr 2021 22:07
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHCz69IMc+4ESoa0@jasmine.lan
On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> Staging has an older version (5.8 vs 7.2, which has been released in
> November 2019 [fn:1] though), and it got updated a few days ago
> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> fail on staging too. Am I wrong?

Ah, could be. The new staging builds haven't been performed yet.
Nicolò Balzarotti wrote on 10 Apr 2021 23:39
(name . Leo Famulari)(address . leo@famulari.name)(address . 47674@debbugs.gnu.org)
87eefh3jl2.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
Leo Famulari <leo@famulari.name> writes:

> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
>> Staging has an older version (5.8 vs 7.2, which has been released in
>> November 2019 [fn:1] though), and it got updated a few days ago
>> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
>> fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Failed both i686 and x86_64 on staging
Leo Famulari wrote on 11 Apr 2021 00:05
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHIhEnD1mWwtlLn8@jasmine.lan
On Fri, Apr 09, 2021 at 04:07:07PM -0400, Leo Famulari wrote:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> > Staging has an older version (5.8 vs 7.2, which has been released in
> > November 2019 [fn:1] though), and it got updated a few days ago
> > (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> > fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.

Thanks for following up. Sure, I think it's fine to remove a package
if it does not build and has no dependents.
Tobias Geerinckx-Rice wrote on 11 Apr 2021 00:27
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)
878s5phj18.fsf@nckx
Nicolò,

Nicolò Balzarotti writes:
> gnu/packages/dns.scm (dnsmasq): Update to 2.85.

I see you managed to aim this beautifully between me searching the
issue tracker for ‘dnsmasq’ and me actually pushing an update, so
well done I guess.

(Also: sorry for the duplicated effort, and thanks for keeping an
eye on the securities. :-)

Kind regards,

T G-R