dnsmasq is vulnerable to CVE-2021-3448

Done
Submitted by Nicolò Balzarotti.
Details
3 participants
  • Nicolò Balzarotti
  • Leo Famulari
  • Tobias Geerinckx-Rice
Owner: unassigned
Severity: normal
Nicolò Balzarotti wrote on 9 Apr 17:10 +0200
(address . bug-guix@gnu.org)
87pmz3mr2k.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
CVE-2021-3448
A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available, and there are 43 dependent packages so this can go directly to master.
All dependent packages (refresh -l) build fine except for python2-libvirt@7.2.0, which is failing also on master (libvirt-python requires Python >= 3.5 to build). Since it's a python2 package and no other packages depend on it, can we just drop it?
Thanks, Nicolò
From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
From: nixo <nicolo@nixo.xyz>
Date: Fri, 9 Apr 2021 16:19:03 +0200
Subject: [PATCH] gnu: dnsmasq: Update to 2.85.

* gnu/packages/dns.scm (dnsmasq): Update to 2.85.
---
 gnu/packages/dns.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Toggle diff (24 lines)diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scmindex c940657ce9..3cf88febae 100644--- a/gnu/packages/dns.scm+++ b/gnu/packages/dns.scm@@ -278,7 +278,7 @@ prompt the user with the option to go with insecure DNS only.") (define-public dnsmasq (package (name "dnsmasq")- (version "2.84")+ (version "2.85") (source (origin (method url-fetch) (uri (string-append@@ -286,7 +286,7 @@ prompt the user with the option to go with insecure DNS only.") version ".tar.xz")) (sha256 (base32- "0305a0c3snwqcv77sipyynr55xip1fp2843yn04pc4vk9g39acb0"))))+ "1yhjwgz8g5qrqvxh6bbmg3443zi8qqjks3q872wyb1zn7n0d765d")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config)))-- 2.31.1
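Review bot: The subject and the changelog line ("gnu: dnsmasq: Update to 2.85.") do not record that this update is the fix for CVE-2021-3448 described in the report. Put the CVE in the commit message, for example "gnu: dnsmasq: Update to 2.85 [fixes CVE-2021-3448].", so the security fix can be found from the history.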
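Review bot: In the second hunk the new base32 value "1yhjwgz8g5qrqvxh6bbmg3443zi8qqjks3q872wyb1zn7n0d765d" cannot be checked from the patch alone. Say in the submission how it was obtained, ideally from a tarball whose upstream signature was verified, since this sha256 is the only thing pinning the url-fetch source.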
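The CVE text at the top of this report ties the flaw to upstream servers bound to a network interface on versions before 2.85. As an added example (not part of the report, nor Guix or dnsmasq code), this Python check lists `server=` entries that carry an `@` binding in a dnsmasq configuration and reports them only when the installed version predates the fix. The sample banner and configuration are constructed and the function names are hypothetical; entries bound with `@<source-address>` are listed with their own kind, since the CVE text quoted here names only the interface form.

```python
import ipaddress
import re

FIXED_IN = (2, 85)  # per the report: versions before 2.85 are affected

# Constructed sample inputs, not taken from the report.
SAMPLE_BANNER = "Dnsmasq version 2.84  Copyright (c) 2000-2021 Simon Kelley"
SAMPLE_CONF = """\
server=9.9.9.9
server=/corp.example/10.0.0.53@eth1
server=192.0.2.1#5353@wg0   # upstream on a custom port
#server=198.51.100.7@eth0
server=/local/
server=2001:db8::1@192.0.2.10
"""

def parse_version(banner):
    """Return (major, minor) from the first line of `dnsmasq --version`."""
    m = re.search(r"version\s+(\d+)\.(\d+)", banner, re.IGNORECASE)
    if not m:
        raise ValueError("no dnsmasq version found")
    return int(m.group(1)), int(m.group(2))

def bound_servers(conf_text):
    """List (line, upstream, binding, kind) for server= entries using @binding."""
    hits = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        # '#' opens a comment only at line start or after whitespace (else: port)
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        m = re.match(r"server\s*=\s*(\S+)$", line)
        if not m:
            continue
        value = m.group(1)
        if value.startswith("/"):          # drop the /domain/ selector
            value = value[value.rfind("/") + 1:]
        upstream, *bindings = value.split("@")
        for b in bindings:
            name = b.split("#", 1)[0]      # drop an optional source port
            try:
                ipaddress.ip_address(name)
                kind = "source-address"
            except ValueError:
                kind = "interface"
            hits.append((lineno, upstream, name, kind))
    return hits

def audit(banner, conf_text):
    """Bound upstreams matter only while the installed version predates the fix."""
    return bound_servers(conf_text) if parse_version(banner) < FIXED_IN else []
```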
Nicolò Balzarotti wrote on 9 Apr 17:12 +0200
(no subject)
(address . control@debbugs.gnu.org)
87mtu7mqzk.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
tags 47674 + security
quit
Leo Famulari wrote on 9 Apr 21:33 +0200
Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHCsAioNoPoTh5EH@jasmine.lan
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> CVE-2021-3448
>
> A flaw was found in dnsmasq in versions before 2.85. When configured to
> use a specific server for a given network interface, dnsmasq uses a
> fixed port while forwarding queries. An attacker on the network, able to
> find the outgoing port used by dnsmasq, only needs to guess the random
> transmission ID to forge a reply and get it accepted by dnsmasq. This
> flaw makes a DNS Cache Poisoning attack much easier. The highest threat
> from this vulnerability is to data integrity.
>
> guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
> and there are 43 dependent packages so this can go directly to master.
>
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other packages depend on it, can we just drop it?
Yes, sounds good.

Leo Famulari wrote on 9 Apr 21:34 +0200
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674-done@debbugs.gnu.org)
YHCsSh9+7Uqdq0VU@jasmine.lan
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
> From: nixo <nicolo@nixo.xyz>
> Date: Fri, 9 Apr 2021 16:19:03 +0200
> Subject: [PATCH] gnu: dnsmasq: Update to 2.85.
>
> * gnu/packages/dns.scm (dnsmasq): Update to 2.85.
Looks like this change was already done with commit c8d809f9a49c2b4ec5500c2685e96168dcd9afa9
Closed
Leo Famulari wrote on 9 Apr 21:38 +0200
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHCtHf4Pa4ER9N7j@jasmine.lan
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other packages depend on it, can we just drop it?
I notice that python2-libvirt builds okay on staging:
https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835
Nicolò Balzarotti wrote on 9 Apr 21:47 +0200
(name . Leo Famulari)(address . leo@famulari.name)(address . 47674@debbugs.gnu.org)
87h7kfme9q.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
Leo Famulari <leo@famulari.name> writes:
> On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
>> All dependent packages (refresh -l) build fine except for
>> python2-libvirt@7.2.0, which is failing also on master
>> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
>> package and no other packages depend on it, can we just drop it?
>
> I notice that python2-libvirt builds okay on staging:
>
> https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835
Staging has an older version (5.8 vs 7.2, which has been released in November 2019 [fn:1] though), and it got updated a few days ago (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should fail on staging too. Am I wrong?

[fn:1] https://pypi.org/project/libvirt-python/#history
Leo Famulari wrote on 9 Apr 22:07 +0200
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHCz69IMc+4ESoa0@jasmine.lan
On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> Staging has an older version (5.8 vs 7.2, which has been released in
> November 2019 [fn:1] though), and it got updated a few days ago
> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> fail on staging too. Am I wrong?
Ah, could be. The new staging builds haven't been performed yet.
Nicolò Balzarotti wrote on 10 Apr 23:39 +0200
(name . Leo Famulari)(address . leo@famulari.name)(address . 47674@debbugs.gnu.org)
87eefh3jl2.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
Leo Famulari <leo@famulari.name> writes:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
>> Staging has an older version (5.8 vs 7.2, which has been released in
>> November 2019 [fn:1] though), and it got updated a few days ago
>> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
>> fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Failed both i686 and x86_64 on staging
Leo Famulari wrote on 11 Apr 00:05 +0200
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)(address . 47674@debbugs.gnu.org)
YHIhEnD1mWwtlLn8@jasmine.lan
On Fri, Apr 09, 2021 at 04:07:07PM -0400, Leo Famulari wrote:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> > Staging has an older version (5.8 vs 7.2, which has been released in
> > November 2019 [fn:1] though), and it got updated a few days ago
> > (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> > fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Thanks for following up. Sure, I think it's fine to remove a package if it does not build and has no dependents.
Tobias Geerinckx-Rice wrote on 11 Apr 00:27 +0200
(name . Nicolò Balzarotti)(address . anothersms@gmail.com)
878s5phj18.fsf@nckx
Nicolò,
Nicolò Balzarotti writes:
> gnu/packages/dns.scm (dnsmasq): Update to 2.85.
I see you managed to aim this beautifully between me searching the issue tracker for ‘dnsmasq’ and me actually pushing an update, so well done I guess.
(Also: sorry for the duplicated effort, and thanks for keeping an eye on the securities. :-)
Kind regards,
T G-R