dnsmasq: CVE-2017-14493

Stack Based overflow. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14493 https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-10-04 12:34:27 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-10-04 15:28:01 +0200
commit: 0c3826bac4ae83e563b4d050ffaf01e70ae8ad9b (patch)
tree: 70089816df89301772ada8a1237eb8afd3b30076
parent: d5422e563facc33881763a587b37dd29012e160b (diff)
download: meta-el-common-0c3826bac4ae83e563b4d050ffaf01e70ae8ad9b.tar.gz
2 files changed, 56 insertions, 0 deletions
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch
new file mode 100644
index 0000000..fedb825
--- /dev/null
+++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch
@@ -0,0 +1,55 @@
+From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 18:52:50 +0100
+Subject: [PATCH] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer
+ overflow.
+Fix stack overflow in DHCPv6 code. An attacker who can send
+a DHCPv6 request to dnsmasq can overflow the stack frame and
+crash or control dnsmasq.
+CVE: CVE-2017-14493
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ CHANGELOG     |    8 ++++++++
+ src/rfc3315.c |    3 +++
+ 2 files changed, 11 insertions(+)
+diff --git a/CHANGELOG b/CHANGELOG
+index df6c157..c48378f 100644
+--- a/CHANGELOG
+++ b/CHANGELOG
+@@ -43,6 +43,14 @@ version 2.78
+         Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+        and Kevin Hamacher of the Google Security Team for
+        finding this.
+
+       Fix stack overflow in DHCPv6 code. An attacker who can send
+       a DHCPv6 request to dnsmasq can overflow the stack frame and
+       crash or control dnsmasq.
+       CVE-2017-14493 applies.
+       Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+       and Kevin Hamacher of the Google Security Team for
+       finding this.
+        
+        
+ version 2.77
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 1687931..920907c 100644
+--- a/src/rfc3315.c
+++ b/src/rfc3315.c
+@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+   /* RFC-6939 */
+   if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
+     {
+      if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
+        return 0;
+      }
+       state->mac_type = opt6_uint(opt, 0, 2);
+       state->mac_len = opt6_len(opt) - 2;
+       memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);
+-- 
+1.7.10.4
diff --git a/recipes-networking/dnsmasq/dnsmasq_%.bbappend b/recipes-networking/dnsmasq/dnsmasq_%.bbappend
index 1fc8819..7db502a 100644
--- a/recipes-networking/dnsmasq/dnsmasq_%.bbappend
+++ b/recipes-networking/dnsmasq/dnsmasq_%.bbappend
@@ -4,4 +4,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://0001-CVE-2017-14491.patch \
    file://0002-CVE-2017-14491.patch \
    file://CVE-2017-14492.patch \
+    file://CVE-2017-14493.patch \
 "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-10-04 12:34:27 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-10-04 15:28:01 +0200
commit	0c3826bac4ae83e563b4d050ffaf01e70ae8ad9b (patch)
tree	70089816df89301772ada8a1237eb8afd3b30076
parent	d5422e563facc33881763a587b37dd29012e160b (diff)
download	meta-el-common-0c3826bac4ae83e563b4d050ffaf01e70ae8ad9b.tar.gz

diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch new file mode 100644 index 0000000..fedb825 --- /dev/null +++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14493.patch
@@ -0,0 +1,55 @@
		1	From 3d4ff1ba8419546490b464418223132529514033 Mon Sep 17 00:00:00 2001
		2	From: Simon Kelley <simon@thekelleys.org.uk>
		3	Date: Mon, 25 Sep 2017 18:52:50 +0100
		4	Subject: [PATCH] Security fix, CVE-2017-14493, DHCPv6 - Stack buffer
		5	overflow.
		6
		7	Fix stack overflow in DHCPv6 code. An attacker who can send
		8	a DHCPv6 request to dnsmasq can overflow the stack frame and
		9	crash or control dnsmasq.
		10
		11	CVE: CVE-2017-14493
		12	Upstream-Status: Backport
		13
		14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		15	---
		16	CHANGELOG \| 8 ++++++++
		17	src/rfc3315.c \| 3 +++
		18	2 files changed, 11 insertions(+)
		19
		20	diff --git a/CHANGELOG b/CHANGELOG
		21	index df6c157..c48378f 100644
		22	--- a/CHANGELOG
		23	+++ b/CHANGELOG
		24	@@ -43,6 +43,14 @@ version 2.78
		25	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
		26	and Kevin Hamacher of the Google Security Team for
		27	finding this.
		28	+
		29	+ Fix stack overflow in DHCPv6 code. An attacker who can send
		30	+ a DHCPv6 request to dnsmasq can overflow the stack frame and
		31	+ crash or control dnsmasq.
		32	+ CVE-2017-14493 applies.
		33	+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
		34	+ and Kevin Hamacher of the Google Security Team for
		35	+ finding this.
		36
		37
		38	version 2.77
		39	diff --git a/src/rfc3315.c b/src/rfc3315.c
		40	index 1687931..920907c 100644
		41	--- a/src/rfc3315.c
		42	+++ b/src/rfc3315.c
		43	@@ -206,6 +206,9 @@ static int dhcp6_maybe_relay(struct state state, void inbuff, size_t sz,
		44	/* RFC-6939 */
		45	if ((opt = opt6_find(opts, end, OPTION6_CLIENT_MAC, 3)))
		46	{
		47	+ if (opt6_len(opt) - 2 > DHCP_CHADDR_MAX) {
		48	+ return 0;
		49	+ }
		50	state->mac_type = opt6_uint(opt, 0, 2);
		51	state->mac_len = opt6_len(opt) - 2;
		52	memcpy(&state->mac[0], opt6_ptr(opt, 2), state->mac_len);
		53	--
		54	1.7.10.4
		55


diff --git a/recipes-networking/dnsmasq/dnsmasq_%.bbappend b/recipes-networking/dnsmasq/dnsmasq_%.bbappend index 1fc8819..7db502a 100644 --- a/recipes-networking/dnsmasq/dnsmasq_%.bbappend +++ b/recipes-networking/dnsmasq/dnsmasq_%.bbappend
@@ -4,4 +4,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
4	SRC_URI += "file://0001-CVE-2017-14491.patch \	4	SRC_URI += "file://0001-CVE-2017-14491.patch \
5	file://0002-CVE-2017-14491.patch \	5	file://0002-CVE-2017-14491.patch \
6	file://CVE-2017-14492.patch \	6	file://CVE-2017-14492.patch \
		7	file://CVE-2017-14493.patch \
7	"	8	"