Browse code
Update dnsmasq and dmidecode
Change-Id: I0eddfa6a1709d11d7d2f762e62e258aa8e51952c
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5710
Reviewed-by: Sharath George
Tested-by: Sharath George
Ajay Kaher authored on 2018/09/18 04:55:18Showing 5 changed files
- SPECS/dmidecode/dmidecode.spec
- SPECS/dnsmasq/CVE-2017-13704.patch
- SPECS/dnsmasq/CVE-2017-15107.patch
- SPECS/dnsmasq/dnsmasq.patch
- SPECS/dnsmasq/dnsmasq.spec
| ... | ... |
@@ -1,12 +1,12 @@ |
| 1 | 1 |
Summary: Tool to analyze BIOS DMI data |
| 2 | 2 |
Name: dmidecode |
| 3 |
-Version: 3.0 |
|
| 4 |
-Release: 2%{?dist}
|
|
| 3 |
+Version: 3.1 |
|
| 4 |
+Release: 1%{?dist}
|
|
| 5 | 5 |
License: GPLv2+ |
| 6 | 6 |
URL: http://www.nongnu.org/dmidecode/ |
| 7 | 7 |
Group: System Environment/Base |
| 8 | 8 |
Source0: http://download.savannah.gnu.org/releases/dmidecode/%{name}-%{version}.tar.gz
|
| 9 |
-%define sha1 dmidecode=1bc5e9a400729f50aba5b441d14131aaa1ed42dd |
|
| 9 |
+%define sha1 dmidecode=3d61096a25fe55798faa882bff32f3bf6eb6366e |
|
| 10 | 10 |
Vendor: VMware, Inc. |
| 11 | 11 |
Distribution: Photon |
| 12 | 12 |
%description |
| ... | ... |
@@ -25,6 +25,8 @@ make DESTDIR=%{buildroot} prefix=%{_prefix} install
|
| 25 | 25 |
%{_mandir}/man8/*
|
| 26 | 26 |
|
| 27 | 27 |
%changelog |
| 28 |
+* Mon Sep 10 2018 Ajay Kaher <akaher@vmware.com> 3.1-1 |
|
| 29 |
+- Upgraded to version 3.1 |
|
| 28 | 30 |
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.0-2 |
| 29 | 31 |
- GA - Bump release of all rpms |
| 30 | 32 |
* Mon Nov 02 2015 Divya Thaluru <dthaluru@vmware.com> 3.0-1 |
| 31 | 33 |
deleted file mode 100644 |
| ... | ... |
@@ -1,43 +0,0 @@ |
| 1 |
-From 63437ffbb58837b214b4b92cb1c54bc5f3279928 Mon Sep 17 00:00:00 2001 |
|
| 2 |
-From: Simon Kelley <simon@thekelleys.org.uk> |
|
| 3 |
-Date: Wed, 6 Sep 2017 22:34:21 +0100 |
|
| 4 |
-Subject: [PATCH] Fix CVE-2017-13704, which resulted in a crash on a large DNS |
|
| 5 |
- query. |
|
| 6 |
- |
|
| 7 |
-A DNS query recieved by UDP which exceeds 512 bytes (or the EDNS0 packet size, |
|
| 8 |
-if different.) is enough to cause SIGSEGV. |
|
| 9 |
-Alexey Makhalov: apply only part of original commit |
|
| 10 |
- src/forward.c | 8 ++++++++ |
|
| 11 |
- 1 files changed, 8 insertions(+), 0 deletions(-) |
|
| 12 |
- |
|
| 13 |
-diff --git a/src/forward.c b/src/forward.c |
|
| 14 |
-index f22556a..e3fa94b 100644 |
|
| 15 |
-+++ b/src/forward.c |
|
| 16 |
-@@ -1188,6 +1188,10 @@ void receive_query(struct listener *listen, time_t now) |
|
| 17 |
- (msg.msg_flags & MSG_TRUNC) || |
|
| 18 |
- (header->hb3 & HB3_QR)) |
|
| 19 |
- return; |
|
| 20 |
-+ |
|
| 21 |
-+ /* Clear buffer beyond request to avoid risk of |
|
| 22 |
-+ information disclosure. */ |
|
| 23 |
-+ memset(daemon->packet + n, 0, daemon->edns_pktsz - n); |
|
| 24 |
- |
|
| 25 |
- source_addr.sa.sa_family = listen->family; |
|
| 26 |
- |
|
| 27 |
-@@ -1688,6 +1692,10 @@ unsigned char *tcp_request(int confd, time_t now, |
|
| 28 |
- |
|
| 29 |
- if (size < (int)sizeof(struct dns_header)) |
|
| 30 |
- continue; |
|
| 31 |
-+ |
|
| 32 |
-+ /* Clear buffer beyond request to avoid risk of |
|
| 33 |
-+ information disclosure. */ |
|
| 34 |
-+ memset(payload + size, 0, 65536 - size); |
|
| 35 |
- |
|
| 36 |
- query_count++; |
|
| 37 |
- |
|
| 38 |
-1.7.10.4 |
|
| 39 |
- |
| 40 | 1 |
deleted file mode 100644 |
| ... | ... |
@@ -1,210 +0,0 @@ |
| 1 |
-From 4fe6744a220eddd3f1749b40cac3dfc510787de6 Mon Sep 17 00:00:00 2001 |
|
| 2 |
-From: Simon Kelley <simon@thekelleys.org.uk> |
|
| 3 |
-Date: Fri, 19 Jan 2018 12:26:08 +0000 |
|
| 4 |
-Subject: [PATCH] DNSSEC fix for wildcard NSEC records. CVE-2017-15107 |
|
| 5 |
- applies. |
|
| 6 |
- |
|
| 7 |
-It's OK for NSEC records to be expanded from wildcards, |
|
| 8 |
-but in that case, the proof of non-existence is only valid |
|
| 9 |
-starting at the wildcard name, *.<domain> NOT the name expanded |
|
| 10 |
-from the wildcard. Without this check it's possible for an |
|
| 11 |
-attacker to craft an NSEC which wrongly proves non-existence |
|
| 12 |
-in a domain which includes a wildcard for NSEC. |
|
| 13 |
- CHANGELOG | 12 +++++- |
|
| 14 |
- src/dnssec.c | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++------- |
|
| 15 |
- 2 files changed, 114 insertions(+), 15 deletions(-) |
|
| 16 |
- |
|
| 17 |
- version 2.78 |
|
| 18 |
- Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris |
|
| 19 |
-diff --git a/src/dnssec.c b/src/dnssec.c |
|
| 20 |
-index eb6c11c..a54a0b4 100644 |
|
| 21 |
-+++ b/src/dnssec.c |
|
| 22 |
-@@ -103,15 +103,17 @@ static void from_wire(char *name) |
|
| 23 |
- static int count_labels(char *name) |
|
| 24 |
- {
|
|
| 25 |
- int i; |
|
| 26 |
-- |
|
| 27 |
-+ char *p; |
|
| 28 |
-+ |
|
| 29 |
- if (*name == 0) |
|
| 30 |
- return 0; |
|
| 31 |
- |
|
| 32 |
-- for (i = 0; *name; name++) |
|
| 33 |
-- if (*name == '.') |
|
| 34 |
-+ for (p = name, i = 0; *p; p++) |
|
| 35 |
-+ if (*p == '.') |
|
| 36 |
- i++; |
|
| 37 |
- |
|
| 38 |
-- return i+1; |
|
| 39 |
-+ /* Don't count empty first label. */ |
|
| 40 |
-+ return *name == '.' ? i : i+1; |
|
| 41 |
- } |
|
| 42 |
- |
|
| 43 |
- /* Implement RFC1982 wrapped compare for 32-bit numbers */ |
|
| 44 |
-@@ -1094,8 +1096,8 @@ static int hostname_cmp(const char *a, const char *b) |
|
| 45 |
- } |
|
| 46 |
- } |
|
| 47 |
- |
|
| 48 |
--static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, |
|
| 49 |
-- char *workspace1, char *workspace2, char *name, int type, int *nons) |
|
| 50 |
-+static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, unsigned char **labels, int nsec_count, |
|
| 51 |
-+ char *workspace1_in, char *workspace2, char *name, int type, int *nons) |
|
| 52 |
- {
|
|
| 53 |
- int i, rc, rdlen; |
|
| 54 |
- unsigned char *p, *psave; |
|
| 55 |
-@@ -1108,6 +1110,9 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi |
|
| 56 |
- /* Find NSEC record that proves name doesn't exist */ |
|
| 57 |
- for (i = 0; i < nsec_count; i++) |
|
| 58 |
- {
|
|
| 59 |
-+ char *workspace1 = workspace1_in; |
|
| 60 |
-+ int sig_labels, name_labels; |
|
| 61 |
-+ |
|
| 62 |
- p = nsecs[i]; |
|
| 63 |
- if (!extract_name(header, plen, &p, workspace1, 1, 10)) |
|
| 64 |
- return 0; |
|
| 65 |
-@@ -1116,7 +1121,27 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi |
|
| 66 |
- psave = p; |
|
| 67 |
- if (!extract_name(header, plen, &p, workspace2, 1, 10)) |
|
| 68 |
- return 0; |
|
| 69 |
-- |
|
| 70 |
-+ |
|
| 71 |
-+ /* If NSEC comes from wildcard expansion, use original wildcard |
|
| 72 |
-+ as name for computation. */ |
|
| 73 |
-+ sig_labels = *labels[i]; |
|
| 74 |
-+ name_labels = count_labels(workspace1); |
|
| 75 |
-+ |
|
| 76 |
-+ if (sig_labels < name_labels) |
|
| 77 |
-+ {
|
|
| 78 |
-+ int k; |
|
| 79 |
-+ for (k = name_labels - sig_labels; k != 0; k--) |
|
| 80 |
-+ {
|
|
| 81 |
-+ while (*workspace1 != '.' && *workspace1 != 0) |
|
| 82 |
-+ workspace1++; |
|
| 83 |
-+ if (k != 1 && *workspace1 == '.') |
|
| 84 |
-+ workspace1++; |
|
| 85 |
-+ } |
|
| 86 |
-+ |
|
| 87 |
-+ workspace1--; |
|
| 88 |
-+ *workspace1 = '*'; |
|
| 89 |
-+ } |
|
| 90 |
-+ |
|
| 91 |
- rc = hostname_cmp(workspace1, name); |
|
| 92 |
- |
|
| 93 |
- if (rc == 0) |
|
| 94 |
-@@ -1514,24 +1539,26 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns |
|
| 95 |
- |
|
| 96 |
- static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons) |
|
| 97 |
- {
|
|
| 98 |
-- static unsigned char **nsecset = NULL; |
|
| 99 |
-- static int nsecset_sz = 0; |
|
| 100 |
-+ static unsigned char **nsecset = NULL, **rrsig_labels = NULL; |
|
| 101 |
-+ static int nsecset_sz = 0, rrsig_labels_sz = 0; |
|
| 102 |
- |
|
| 103 |
- int type_found = 0; |
|
| 104 |
-- unsigned char *p = skip_questions(header, plen); |
|
| 105 |
-+ unsigned char *auth_start, *p = skip_questions(header, plen); |
|
| 106 |
- int type, class, rdlen, i, nsecs_found; |
|
| 107 |
- |
|
| 108 |
- /* Move to NS section */ |
|
| 109 |
- if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen))) |
|
| 110 |
- return 0; |
|
| 111 |
-+ |
|
| 112 |
-+ auth_start = p; |
|
| 113 |
- |
|
| 114 |
- for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--) |
|
| 115 |
- {
|
|
| 116 |
- unsigned char *pstart = p; |
|
| 117 |
- |
|
| 118 |
-- if (!(p = skip_name(p, header, plen, 10))) |
|
| 119 |
-+ if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10)) |
|
| 120 |
- return 0; |
|
| 121 |
-- |
|
| 122 |
-+ |
|
| 123 |
- GETSHORT(type, p); |
|
| 124 |
- GETSHORT(class, p); |
|
| 125 |
- p += 4; /* TTL */ |
|
| 126 |
-@@ -1548,7 +1575,69 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key |
|
| 127 |
- if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found)) |
|
| 128 |
- return 0; |
|
| 129 |
- |
|
| 130 |
-- nsecset[nsecs_found++] = pstart; |
|
| 131 |
-+ if (type == T_NSEC) |
|
| 132 |
-+ {
|
|
| 133 |
-+ /* If we're looking for NSECs, find the corresponding SIGs, to |
|
| 134 |
-+ extract the labels value, which we need in case the NSECs |
|
| 135 |
-+ are the result of wildcard expansion. |
|
| 136 |
-+ Note that the NSEC may not have been validated yet |
|
| 137 |
-+ so if there are multiple SIGs, make sure the label value |
|
| 138 |
-+ is the same in all, to avoid be duped by a rogue one. |
|
| 139 |
-+ If there are no SIGs, that's an error */ |
|
| 140 |
-+ unsigned char *p1 = auth_start; |
|
| 141 |
-+ int res, j, rdlen1, type1, class1; |
|
| 142 |
-+ |
|
| 143 |
-+ if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, nsecs_found)) |
|
| 144 |
-+ return 0; |
|
| 145 |
-+ |
|
| 146 |
-+ rrsig_labels[nsecs_found] = NULL; |
|
| 147 |
-+ |
|
| 148 |
-+ for (j = ntohs(header->nscount); j != 0; j--) |
|
| 149 |
-+ {
|
|
| 150 |
-+ if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10))) |
|
| 151 |
-+ return 0; |
|
| 152 |
-+ |
|
| 153 |
-+ GETSHORT(type1, p1); |
|
| 154 |
-+ GETSHORT(class1, p1); |
|
| 155 |
-+ p1 += 4; /* TTL */ |
|
| 156 |
-+ GETSHORT(rdlen1, p1); |
|
| 157 |
-+ |
|
| 158 |
-+ if (!CHECK_LEN(header, p1, plen, rdlen1)) |
|
| 159 |
-+ return 0; |
|
| 160 |
-+ |
|
| 161 |
-+ if (res == 1 && class1 == qclass && type1 == T_RRSIG) |
|
| 162 |
-+ {
|
|
| 163 |
-+ int type_covered; |
|
| 164 |
-+ unsigned char *psav = p1; |
|
| 165 |
-+ |
|
| 166 |
-+ if (rdlen < 18) |
|
| 167 |
-+ return 0; /* bad packet */ |
|
| 168 |
-+ |
|
| 169 |
-+ GETSHORT(type_covered, p1); |
|
| 170 |
-+ |
|
| 171 |
-+ if (type_covered == T_NSEC) |
|
| 172 |
-+ {
|
|
| 173 |
-+ p1++; /* algo */ |
|
| 174 |
-+ |
|
| 175 |
-+ /* labels field must be the same in every SIG we find. */ |
|
| 176 |
-+ if (!rrsig_labels[nsecs_found]) |
|
| 177 |
-+ rrsig_labels[nsecs_found] = p1; |
|
| 178 |
-+ else if (*rrsig_labels[nsecs_found] != *p1) /* algo */ |
|
| 179 |
-+ return 0; |
|
| 180 |
-+ } |
|
| 181 |
-+ p1 = psav; |
|
| 182 |
-+ } |
|
| 183 |
-+ |
|
| 184 |
-+ if (!ADD_RDLEN(header, p1, plen, rdlen1)) |
|
| 185 |
-+ return 0; |
|
| 186 |
-+ } |
|
| 187 |
-+ |
|
| 188 |
-+ /* Must have found at least one sig. */ |
|
| 189 |
-+ if (!rrsig_labels[nsecs_found]) |
|
| 190 |
-+ return 0; |
|
| 191 |
-+ } |
|
| 192 |
-+ |
|
| 193 |
-+ nsecset[nsecs_found++] = pstart; |
|
| 194 |
- } |
|
| 195 |
- |
|
| 196 |
- if (!ADD_RDLEN(header, p, plen, rdlen)) |
|
| 197 |
-@@ -1556,7 +1645,7 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key |
|
| 198 |
- } |
|
| 199 |
- |
|
| 200 |
- if (type_found == T_NSEC) |
|
| 201 |
-- return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); |
|
| 202 |
-+ return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); |
|
| 203 |
- else if (type_found == T_NSEC3) |
|
| 204 |
- return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons); |
|
| 205 |
- else |
|
| 206 |
-1.7.10.4 |
|
| 207 |
- |
| 208 | 1 |
deleted file mode 100644 |
| ... | ... |
@@ -1,358 +0,0 @@ |
| 1 |
-diff -Naur dnsmasq-2.76.orig/src/dnsmasq.h dnsmasq-2.76/src/dnsmasq.h |
|
| 2 |
-+++ dnsmasq-2.76/src/dnsmasq.h 2017-09-26 11:46:52.543096582 -0700 |
|
| 3 |
-@@ -1161,7 +1161,7 @@ |
|
| 4 |
- u64 rand64(void); |
|
| 5 |
- int legal_hostname(char *c); |
|
| 6 |
- char *canonicalise(char *s, int *nomem); |
|
| 7 |
--unsigned char *do_rfc1035_name(unsigned char *p, char *sval); |
|
| 8 |
-+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit); |
|
| 9 |
- void *safe_malloc(size_t size); |
|
| 10 |
- void safe_pipe(int *fd, int read_noblock); |
|
| 11 |
- void *whine_malloc(size_t size); |
|
| 12 |
-diff -Naur dnsmasq-2.76.orig/src/dnssec.c dnsmasq-2.76/src/dnssec.c |
|
| 13 |
-+++ dnsmasq-2.76/src/dnssec.c 2017-09-26 11:46:12.100665576 -0700 |
|
| 14 |
-@@ -2227,7 +2227,7 @@ |
|
| 15 |
- |
|
| 16 |
- p = (unsigned char *)(header+1); |
|
| 17 |
- |
|
| 18 |
-- p = do_rfc1035_name(p, name); |
|
| 19 |
-+ p = do_rfc1035_name(p, name, NULL); |
|
| 20 |
- *p++ = 0; |
|
| 21 |
- PUTSHORT(type, p); |
|
| 22 |
- PUTSHORT(class, p); |
|
| 23 |
-diff -Naur dnsmasq-2.76.orig/src/edns0.c dnsmasq-2.76/src/edns0.c |
|
| 24 |
-+++ dnsmasq-2.76/src/edns0.c 2017-09-26 11:46:12.100665576 -0700 |
|
| 25 |
-@@ -144,7 +144,7 @@ |
|
| 26 |
- GETSHORT(len, p); |
|
| 27 |
- |
|
| 28 |
- /* malformed option, delete the whole OPT RR and start again. */ |
|
| 29 |
-- if (i + len > rdlen) |
|
| 30 |
-+ if (i + 4 + len > rdlen) |
|
| 31 |
- {
|
|
| 32 |
- rdlen = 0; |
|
| 33 |
- is_last = 0; |
|
| 34 |
-@@ -159,7 +159,7 @@ |
|
| 35 |
- /* delete option if we're to replace it. */ |
|
| 36 |
- p -= 4; |
|
| 37 |
- rdlen -= len + 4; |
|
| 38 |
-- memcpy(p, p+len+4, rdlen - i); |
|
| 39 |
-+ memmove(p, p+len+4, rdlen - i); |
|
| 40 |
- PUTSHORT(rdlen, lenp); |
|
| 41 |
- lenp -= 2; |
|
| 42 |
- } |
|
| 43 |
-@@ -192,7 +192,15 @@ |
|
| 44 |
- !(p = skip_section(p, |
|
| 45 |
- ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), |
|
| 46 |
- header, plen))) |
|
| 47 |
-+ {
|
|
| 48 |
-+ free(buff); |
|
| 49 |
- return plen; |
|
| 50 |
-+ } |
|
| 51 |
-+ if (p + 11 > limit) |
|
| 52 |
-+ {
|
|
| 53 |
-+ free(buff); |
|
| 54 |
-+ return plen; /* Too big */ |
|
| 55 |
-+ } |
|
| 56 |
- *p++ = 0; /* empty name */ |
|
| 57 |
- PUTSHORT(T_OPT, p); |
|
| 58 |
- PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */ |
|
| 59 |
-@@ -204,6 +212,11 @@ |
|
| 60 |
- /* Copy back any options */ |
|
| 61 |
- if (buff) |
|
| 62 |
- {
|
|
| 63 |
-+ if (p + rdlen > limit) |
|
| 64 |
-+ {
|
|
| 65 |
-+ free(buff); |
|
| 66 |
-+ return plen; /* Too big */ |
|
| 67 |
-+ } |
|
| 68 |
- memcpy(p, buff, rdlen); |
|
| 69 |
- free(buff); |
|
| 70 |
- p += rdlen; |
|
| 71 |
-@@ -217,8 +230,12 @@ |
|
| 72 |
- /* Add new option */ |
|
| 73 |
- if (optno != 0 && replace != 2) |
|
| 74 |
- {
|
|
| 75 |
-+ if (p + 4 > limit) |
|
| 76 |
-+ return plen; /* Too big */ |
|
| 77 |
- PUTSHORT(optno, p); |
|
| 78 |
- PUTSHORT(optlen, p); |
|
| 79 |
-+ if (p + optlen > limit) |
|
| 80 |
-+ return plen; /* Too big */ |
|
| 81 |
- memcpy(p, opt, optlen); |
|
| 82 |
- p += optlen; |
|
| 83 |
- PUTSHORT(p - datap, lenp); |
|
| 84 |
-diff -Naur dnsmasq-2.76.orig/src/forward.c dnsmasq-2.76/src/forward.c |
|
| 85 |
-+++ dnsmasq-2.76/src/forward.c 2017-09-26 11:46:12.100665576 -0700 |
|
| 86 |
-@@ -1410,6 +1410,10 @@ |
|
| 87 |
- udp_size = daemon->edns_pktsz; |
|
| 88 |
- } |
|
| 89 |
- |
|
| 90 |
-+ // Make sure the udp size is not smaller than the incoming message so that we |
|
| 91 |
-+ // do not underflow |
|
| 92 |
-+ if (udp_size < n) udp_size = n; |
|
| 93 |
-+ |
|
| 94 |
- #ifdef HAVE_AUTH |
|
| 95 |
- if (auth_dns) |
|
| 96 |
- {
|
|
| 97 |
-diff -Naur dnsmasq-2.76.orig/src/option.c dnsmasq-2.76/src/option.c |
|
| 98 |
-+++ dnsmasq-2.76/src/option.c 2017-09-26 11:46:12.100665576 -0700 |
|
| 99 |
-@@ -1378,7 +1378,7 @@ |
|
| 100 |
- } |
|
| 101 |
- |
|
| 102 |
- p = newp; |
|
| 103 |
-- end = do_rfc1035_name(p + len, dom); |
|
| 104 |
-+ end = do_rfc1035_name(p + len, dom, NULL); |
|
| 105 |
- *end++ = 0; |
|
| 106 |
- len = end - p; |
|
| 107 |
- free(dom); |
|
| 108 |
-diff -Naur dnsmasq-2.76.orig/src/radv.c dnsmasq-2.76/src/radv.c |
|
| 109 |
-+++ dnsmasq-2.76/src/radv.c 2017-09-26 11:46:12.104665422 -0700 |
|
| 110 |
-@@ -198,6 +198,9 @@ |
|
| 111 |
- /* look for link-layer address option for logging */ |
|
| 112 |
- if (sz >= 16 && packet[8] == ICMP6_OPT_SOURCE_MAC && (packet[9] * 8) + 8 <= sz) |
|
| 113 |
- {
|
|
| 114 |
-+ if ((packet[9] * 8 - 2) * 3 - 1 >= MAXDNAME) {
|
|
| 115 |
-+ return; |
|
| 116 |
-+ } |
|
| 117 |
- print_mac(daemon->namebuff, &packet[10], (packet[9] * 8) - 2); |
|
| 118 |
- mac = daemon->namebuff; |
|
| 119 |
- } |
|
| 120 |
-diff -Naur dnsmasq-2.76.orig/src/rfc1035.c dnsmasq-2.76/src/rfc1035.c |
|
| 121 |
-+++ dnsmasq-2.76/src/rfc1035.c 2017-09-26 12:22:20.445298619 -0700 |
|
| 122 |
-@@ -37,7 +37,7 @@ |
|
| 123 |
- /* end marker */ |
|
| 124 |
- {
|
|
| 125 |
- /* check that there are the correct no of bytes after the name */ |
|
| 126 |
-- if (!CHECK_LEN(header, p, plen, extrabytes)) |
|
| 127 |
-+ if (!CHECK_LEN(header, p1 ? p1 : p, plen, extrabytes)) |
|
| 128 |
- return 0; |
|
| 129 |
- |
|
| 130 |
- if (isExtract) |
|
| 131 |
-@@ -485,6 +485,8 @@ |
|
| 132 |
- {
|
|
| 133 |
- unsigned int i, len = *p1; |
|
| 134 |
- unsigned char *p2 = p1; |
|
| 135 |
-+ if ((p1 + len - p) >= rdlen) |
|
| 136 |
-+ return 0; /* bad packet */ |
|
| 137 |
- /* make counted string zero-term and sanitise */ |
|
| 138 |
- for (i = 0; i < len; i++) |
|
| 139 |
- {
|
|
| 140 |
-@@ -1058,12 +1060,21 @@ |
|
| 141 |
- unsigned short usval; |
|
| 142 |
- long lval; |
|
| 143 |
- char *sval; |
|
| 144 |
-+#define CHECK_LIMIT(size) \ |
|
| 145 |
-+ if (limit && p + (size) > (unsigned char*)limit) \ |
|
| 146 |
-+ { \
|
|
| 147 |
-+ va_end(ap); \ |
|
| 148 |
-+ goto truncated; \ |
|
| 149 |
-+ } |
|
| 150 |
- |
|
| 151 |
- if (truncp && *truncp) |
|
| 152 |
- return 0; |
|
| 153 |
-- |
|
| 154 |
-+ |
|
| 155 |
- va_start(ap, format); /* make ap point to 1st unamed argument */ |
|
| 156 |
-- |
|
| 157 |
-+ |
|
| 158 |
-+ /* nameoffset (1 or 2) + type (2) + class (2) + ttl (4) + 0 (2) */ |
|
| 159 |
-+ CHECK_LIMIT(12); |
|
| 160 |
-+ |
|
| 161 |
- if (nameoffset > 0) |
|
| 162 |
- {
|
|
| 163 |
- PUTSHORT(nameoffset | 0xc000, p); |
|
| 164 |
-@@ -1072,7 +1083,13 @@ |
|
| 165 |
- {
|
|
| 166 |
- char *name = va_arg(ap, char *); |
|
| 167 |
- if (name) |
|
| 168 |
-- p = do_rfc1035_name(p, name); |
|
| 169 |
-+ p = do_rfc1035_name(p, name, limit); |
|
| 170 |
-+ if (!p) |
|
| 171 |
-+ {
|
|
| 172 |
-+ va_end(ap); |
|
| 173 |
-+ goto truncated; |
|
| 174 |
-+ } |
|
| 175 |
-+ |
|
| 176 |
- if (nameoffset < 0) |
|
| 177 |
- {
|
|
| 178 |
- PUTSHORT(-nameoffset | 0xc000, p); |
|
| 179 |
-@@ -1093,6 +1110,7 @@ |
|
| 180 |
- {
|
|
| 181 |
- #ifdef HAVE_IPV6 |
|
| 182 |
- case '6': |
|
| 183 |
-+ CHECK_LIMIT(IN6ADDRSZ); |
|
| 184 |
- sval = va_arg(ap, char *); |
|
| 185 |
- memcpy(p, sval, IN6ADDRSZ); |
|
| 186 |
- p += IN6ADDRSZ; |
|
| 187 |
-@@ -1100,36 +1118,47 @@ |
|
| 188 |
- #endif |
|
| 189 |
- |
|
| 190 |
- case '4': |
|
| 191 |
-+ CHECK_LIMIT(INADDRSZ); |
|
| 192 |
- sval = va_arg(ap, char *); |
|
| 193 |
- memcpy(p, sval, INADDRSZ); |
|
| 194 |
- p += INADDRSZ; |
|
| 195 |
- break; |
|
| 196 |
- |
|
| 197 |
- case 'b': |
|
| 198 |
-+ CHECK_LIMIT(1); |
|
| 199 |
- usval = va_arg(ap, int); |
|
| 200 |
- *p++ = usval; |
|
| 201 |
- break; |
|
| 202 |
- |
|
| 203 |
- case 's': |
|
| 204 |
-+ CHECK_LIMIT(2); |
|
| 205 |
- usval = va_arg(ap, int); |
|
| 206 |
- PUTSHORT(usval, p); |
|
| 207 |
- break; |
|
| 208 |
- |
|
| 209 |
- case 'l': |
|
| 210 |
-+ CHECK_LIMIT(4); |
|
| 211 |
- lval = va_arg(ap, long); |
|
| 212 |
- PUTLONG(lval, p); |
|
| 213 |
- break; |
|
| 214 |
- |
|
| 215 |
- case 'd': |
|
| 216 |
-- /* get domain-name answer arg and store it in RDATA field */ |
|
| 217 |
-- if (offset) |
|
| 218 |
-- *offset = p - (unsigned char *)header; |
|
| 219 |
-- p = do_rfc1035_name(p, va_arg(ap, char *)); |
|
| 220 |
-- *p++ = 0; |
|
| 221 |
-+ /* get domain-name answer arg and store it in RDATA field */ |
|
| 222 |
-+ if (offset) |
|
| 223 |
-+ *offset = p - (unsigned char *)header; |
|
| 224 |
-+ p = do_rfc1035_name(p, va_arg(ap, char *), limit); |
|
| 225 |
-+ if (!p) |
|
| 226 |
-+ {
|
|
| 227 |
-+ va_end(ap); |
|
| 228 |
-+ goto truncated; |
|
| 229 |
-+ } |
|
| 230 |
-+ CHECK_LIMIT(1); |
|
| 231 |
-+ *p++ = 0; |
|
| 232 |
- break; |
|
| 233 |
- |
|
| 234 |
- case 't': |
|
| 235 |
- usval = va_arg(ap, int); |
|
| 236 |
-+ CHECK_LIMIT(usval); |
|
| 237 |
- sval = va_arg(ap, char *); |
|
| 238 |
- if (usval != 0) |
|
| 239 |
- memcpy(p, sval, usval); |
|
| 240 |
-@@ -1141,20 +1170,24 @@ |
|
| 241 |
- usval = sval ? strlen(sval) : 0; |
|
| 242 |
- if (usval > 255) |
|
| 243 |
- usval = 255; |
|
| 244 |
-+ CHECK_LIMIT(usval + 1); |
|
| 245 |
- *p++ = (unsigned char)usval; |
|
| 246 |
- memcpy(p, sval, usval); |
|
| 247 |
- p += usval; |
|
| 248 |
- break; |
|
| 249 |
- } |
|
| 250 |
- |
|
| 251 |
-+#undef CHECK_LIMIT |
|
| 252 |
- va_end(ap); /* clean up variable argument pointer */ |
|
| 253 |
- |
|
| 254 |
- j = p - sav - 2; |
|
| 255 |
-- PUTSHORT(j, sav); /* Now, store real RDLength */ |
|
| 256 |
-+ /* this has already been checked against limit before */ |
|
| 257 |
-+ PUTSHORT(j, sav); /* Now, store real RDLength */ |
|
| 258 |
- |
|
| 259 |
- /* check for overflow of buffer */ |
|
| 260 |
- if (limit && ((unsigned char *)limit - p) < 0) |
|
| 261 |
- {
|
|
| 262 |
-+truncated: |
|
| 263 |
- if (truncp) |
|
| 264 |
- *truncp = 1; |
|
| 265 |
- return 0; |
|
| 266 |
-diff -Naur dnsmasq-2.76.orig/src/rfc2131.c dnsmasq-2.76/src/rfc2131.c |
|
| 267 |
-+++ dnsmasq-2.76/src/rfc2131.c 2017-09-26 11:46:12.112665112 -0700 |
|
| 268 |
-@@ -155,7 +155,7 @@ |
|
| 269 |
- for (offset = 0; offset < (len - 5); offset += elen + 5) |
|
| 270 |
- {
|
|
| 271 |
- elen = option_uint(opt, offset + 4 , 1); |
|
| 272 |
-- if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA) |
|
| 273 |
-+ if (option_uint(opt, offset, 4) == BRDBAND_FORUM_IANA && offset + elen + 5 <= len) |
|
| 274 |
- {
|
|
| 275 |
- unsigned char *x = option_ptr(opt, offset + 5); |
|
| 276 |
- unsigned char *y = option_ptr(opt, offset + elen + 5); |
|
| 277 |
-@@ -2419,10 +2419,10 @@ |
|
| 278 |
- |
|
| 279 |
- if (fqdn_flags & 0x04) |
|
| 280 |
- {
|
|
| 281 |
-- p = do_rfc1035_name(p, hostname); |
|
| 282 |
-+ p = do_rfc1035_name(p, hostname, NULL); |
|
| 283 |
- if (domain) |
|
| 284 |
- {
|
|
| 285 |
-- p = do_rfc1035_name(p, domain); |
|
| 286 |
-+ p = do_rfc1035_name(p, domain, NULL); |
|
| 287 |
- *p++ = 0; |
|
| 288 |
- } |
|
| 289 |
- } |
|
| 290 |
-diff -Naur dnsmasq-2.76.orig/src/rfc3315.c dnsmasq-2.76/src/rfc3315.c |
|
| 291 |
-+++ dnsmasq-2.76/src/rfc3315.c 2017-09-26 11:46:12.112665112 -0700 |
|
| 292 |
-@@ -206,6 +206,9 @@ |
|
| 293 |
- /* RFC-6939 */ |
|
| 294 |
- if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3))) |
|
| 295 |
- {
|
|
| 296 |
-+ if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
|
|
| 297 |
-+ return 0; |
|
| 298 |
-+ } |
|
| 299 |
- state->mac_type = opt6_uint(opt, 0, 2); |
|
| 300 |
- state->mac_len = opt6_len(opt) - 2; |
|
| 301 |
- memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len); |
|
| 302 |
-@@ -213,6 +216,9 @@ |
|
| 303 |
- |
|
| 304 |
- for (opt = opts; opt; opt = opt6_next(opt, end)) |
|
| 305 |
- {
|
|
| 306 |
-+ if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) {
|
|
| 307 |
-+ return 0; |
|
| 308 |
-+ } |
|
| 309 |
- int o = new_opt6(opt6_type(opt)); |
|
| 310 |
- if (opt6_type(opt) == OPTION6_RELAY_MSG) |
|
| 311 |
- {
|
|
| 312 |
-@@ -1472,10 +1478,10 @@ |
|
| 313 |
- if ((p = expand(len + 2))) |
|
| 314 |
- {
|
|
| 315 |
- *(p++) = state->fqdn_flags; |
|
| 316 |
-- p = do_rfc1035_name(p, state->hostname); |
|
| 317 |
-+ p = do_rfc1035_name(p, state->hostname, NULL); |
|
| 318 |
- if (state->send_domain) |
|
| 319 |
- {
|
|
| 320 |
-- p = do_rfc1035_name(p, state->send_domain); |
|
| 321 |
-+ p = do_rfc1035_name(p, state->send_domain, NULL); |
|
| 322 |
- *p = 0; |
|
| 323 |
- } |
|
| 324 |
- } |
|
| 325 |
-diff -Naur dnsmasq-2.76.orig/src/util.c dnsmasq-2.76/src/util.c |
|
| 326 |
-+++ dnsmasq-2.76/src/util.c 2017-09-26 11:46:12.112665112 -0700 |
|
| 327 |
-@@ -218,15 +218,20 @@ |
|
| 328 |
- return ret; |
|
| 329 |
- } |
|
| 330 |
- |
|
| 331 |
--unsigned char *do_rfc1035_name(unsigned char *p, char *sval) |
|
| 332 |
-+unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit) |
|
| 333 |
- {
|
|
| 334 |
- int j; |
|
| 335 |
- |
|
| 336 |
- while (sval && *sval) |
|
| 337 |
- {
|
|
| 338 |
-+ if (limit && p + 1 > (unsigned char*)limit) |
|
| 339 |
-+ return p; |
|
| 340 |
-+ |
|
| 341 |
- unsigned char *cp = p++; |
|
| 342 |
- for (j = 0; *sval && (*sval != '.'); sval++, j++) |
|
| 343 |
- {
|
|
| 344 |
-+ if (limit && p + 1 > (unsigned char*)limit) |
|
| 345 |
-+ return p; |
|
| 346 |
- #ifdef HAVE_DNSSEC |
|
| 347 |
- if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE) |
|
| 348 |
- *p++ = (*(++sval))-1; |
| ... | ... |
@@ -1,26 +1,20 @@ |
| 1 | 1 |
Summary: DNS proxy with integrated DHCP server |
| 2 | 2 |
Name: dnsmasq |
| 3 |
-Version: 2.76 |
|
| 4 |
-Release: 5%{?dist}
|
|
| 3 |
+Version: 2.79 |
|
| 4 |
+Release: 1%{?dist}
|
|
| 5 | 5 |
License: GPLv2 or GPLv3 |
| 6 | 6 |
Group: System Environment/Daemons |
| 7 | 7 |
URL: http://www.thekelleys.org.uk/dnsmasq/ |
| 8 | 8 |
Source: %{name}-%{version}.tar.xz
|
| 9 |
-%define sha1 dnsmasq=db42d7297dc0a05d51588baa2f298ebb42fcef99 |
|
| 9 |
+%define sha1 dnsmasq=d4a1af08b02b27736954ce8b2db2da7799d75812 |
|
| 10 | 10 |
Vendor: VMware, Inc. |
| 11 | 11 |
Distribution: Photon |
| 12 |
-Patch0: dnsmasq.patch |
|
| 13 |
-Patch1: CVE-2017-13704.patch |
|
| 14 |
-Patch2: CVE-2017-15107.patch |
|
| 15 | 12 |
|
| 16 | 13 |
%description |
| 17 | 14 |
Dnsmasq a lightweight, caching DNS proxy with integrated DHCP server. |
| 18 | 15 |
|
| 19 | 16 |
%prep |
| 20 | 17 |
%setup -q |
| 21 |
-%patch0 -p1 |
|
| 22 |
-%patch1 -p1 |
|
| 23 |
-%patch2 -p1 |
|
| 24 | 18 |
|
| 25 | 19 |
%build |
| 26 | 20 |
make %{?_smp_mflags}
|
| ... | ... |
@@ -72,6 +66,8 @@ rm -rf %{buildroot}
|
| 72 | 72 |
%config /usr/share/dnsmasq/trust-anchors.conf |
| 73 | 73 |
|
| 74 | 74 |
%changelog |
| 75 |
+* Mon Sep 10 2018 Ajay Kaher <akaher@vmware.com> 2.79-1 |
|
| 76 |
+- Upgrading to version 2.79 |
|
| 75 | 77 |
* Tue Feb 13 2018 Xiaolin Li <xiaolinl@vmware.com> 2.76-5 |
| 76 | 78 |
- Fix CVE-2017-15107 |
| 77 | 79 |
* Mon Nov 13 2017 Vinay Kulkarni <kulkarniv@vmware.com> 2.76-4 |