diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-10-04 12:34:28 +0200 |
|---|---|---|
| committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-10-04 15:28:01 +0200 |
| commit | 91b02ae7ac707984cd5182bb39c2fe8086a1696f (patch) | |
| tree | cd1c879ec75abd3cd38a688ce19484c9c9341574 | |
| parent | 0c3826bac4ae83e563b4d050ffaf01e70ae8ad9b (diff) | |
| download | meta-el-common-91b02ae7ac707984cd5182bb39c2fe8086a1696f.tar.gz | |
dnsmasq: CVE-2017-14494
Can help bypass ASLR.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14494
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
| -rw-r--r-- | recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch | 55 | ||||
| -rw-r--r-- | recipes-networking/dnsmasq/dnsmasq_%.bbappend | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch new file mode 100644 index 0000000..d32f713 --- /dev/null +++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14494.patch | |||
| @@ -0,0 +1,55 @@ | |||
| 1 | From 33e3f1029c9ec6c63e430ff51063a6301d4b2262 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
| 3 | Date: Mon, 25 Sep 2017 20:05:11 +0100 | ||
| 4 | Subject: [PATCH] Security fix, CVE-2017-14494, Infoleak handling DHCPv6 | ||
| 5 | forwarded requests. | ||
| 6 | |||
| 7 | Fix information leak in DHCPv6. A crafted DHCPv6 packet can | ||
| 8 | cause dnsmasq to forward memory from outside the packet | ||
| 9 | buffer to a DHCPv6 server when acting as a relay. | ||
| 10 | |||
| 11 | CVE: CVE-2017-14494 | ||
| 12 | Upstream-Status: Backport | ||
| 13 | |||
| 14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 15 | --- | ||
| 16 | CHANGELOG | 8 ++++++++ | ||
| 17 | src/rfc3315.c | 3 +++ | ||
| 18 | 2 files changed, 11 insertions(+) | ||
| 19 | |||
| 20 | diff --git a/CHANGELOG b/CHANGELOG | ||
| 21 | index c48378f..d1cc074 100644 | ||
| 22 | --- a/CHANGELOG | ||
| 23 | +++ b/CHANGELOG | ||
| 24 | @@ -51,6 +51,14 @@ version 2.78 | ||
| 25 | Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
| 26 | and Kevin Hamacher of the Google Security Team for | ||
| 27 | finding this. | ||
| 28 | + | ||
| 29 | + Fix information leak in DHCPv6. A crafted DHCPv6 packet can | ||
| 30 | + cause dnsmasq to forward memory from outside the packet | ||
| 31 | + buffer to a DHCPv6 server when acting as a relay. | ||
| 32 | + CVE-2017-14494 applies. | ||
| 33 | + Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana | ||
| 34 | + and Kevin Hamacher of the Google Security Team for | ||
| 35 | + finding this. | ||
| 36 | |||
| 37 | |||
| 38 | version 2.77 | ||
| 39 | diff --git a/src/rfc3315.c b/src/rfc3315.c | ||
| 40 | index 920907c..4ca43e0 100644 | ||
| 41 | --- a/src/rfc3315.c | ||
| 42 | +++ b/src/rfc3315.c | ||
| 43 | @@ -216,6 +216,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, | ||
| 44 | |||
| 45 | for (opt = opts; opt; opt = opt6_next(opt, end)) | ||
| 46 | { | ||
| 47 | + if (opt6_ptr(opt, 0) + opt6_len(opt) >= end) { | ||
| 48 | + return 0; | ||
| 49 | + } | ||
| 50 | int o = new_opt6(opt6_type(opt)); | ||
| 51 | if (opt6_type(opt) == OPTION6_RELAY_MSG) | ||
| 52 | { | ||
| 53 | -- | ||
| 54 | 1.7.10.4 | ||
| 55 | |||
diff --git a/recipes-networking/dnsmasq/dnsmasq_%.bbappend b/recipes-networking/dnsmasq/dnsmasq_%.bbappend index 7db502a..c0c4633 100644 --- a/recipes-networking/dnsmasq/dnsmasq_%.bbappend +++ b/recipes-networking/dnsmasq/dnsmasq_%.bbappend | |||
| @@ -5,4 +5,5 @@ SRC_URI += "file://0001-CVE-2017-14491.patch \ | |||
| 5 | file://0002-CVE-2017-14491.patch \ | 5 | file://0002-CVE-2017-14491.patch \ |
| 6 | file://CVE-2017-14492.patch \ | 6 | file://CVE-2017-14492.patch \ |
| 7 | file://CVE-2017-14493.patch \ | 7 | file://CVE-2017-14493.patch \ |
| 8 | file://CVE-2017-14494.patch \ | ||
| 8 | " | 9 | " |