dnsmasq: CVE-2017-14495

Lack of free() here. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14495 https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-10-04 12:34:30 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-10-04 15:28:01 +0200
commit: cff1dc0bf1d330b828a93083228c40dd1bda4f4c (patch)
tree: aa54fb8c1f42ee2b0c368b7178157d91c325c46c
parent: c65b24cdfd9edbc25796ba7db9a9ca68513324e9 (diff)
download: meta-el-common-cff1dc0bf1d330b828a93083228c40dd1bda4f4c.tar.gz
2 files changed, 70 insertions, 0 deletions
diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch
new file mode 100644
index 0000000..ba176a8
--- /dev/null
+++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch
@@ -0,0 +1,69 @@
+From 51eadb692a5123b9838e5a68ecace3ac579a3a45 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 25 Sep 2017 20:16:50 +0100
+Subject: [PATCH] Security fix, CVE-2017-14495, OOM in DNS response creation.
+Fix out-of-memory Dos vulnerability. An attacker which can
+send malicious DNS queries to dnsmasq can trigger memory
+allocations in the add_pseudoheader function
+The allocated memory is never freed which leads to a DoS
+through memory exhaustion. dnsmasq is vulnerable only
+if one of the following option is specified:
+--add-mac, --add-cpe-id or --add-subnet.
+CVE: CVE-2017-14495
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ CHANGELOG   |   12 ++++++++++++
+ src/edns0.c |    8 +++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+diff --git a/CHANGELOG b/CHANGELOG
+index 8fe00ed..9523329 100644
+--- a/CHANGELOG
+++ b/CHANGELOG
+@@ -70,6 +70,18 @@ version 2.78
+        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+        and Kevin Hamacher of the Google Security Team for
+        finding this.
+
+       Fix out-of-memory Dos vulnerability. An attacker which can
+       send malicious DNS queries to dnsmasq can trigger memory
+       allocations in the add_pseudoheader function
+       The allocated memory is never freed which leads to a DoS
+       through memory exhaustion. dnsmasq is vulnerable only
+       if one of the following option is specified:
+       --add-mac, --add-cpe-id or --add-subnet.
+       CVE-2017-14495 applies.
+       Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+       and Kevin Hamacher of the Google Security Team for
+       finding this.
+        
+        
+ version 2.77
+diff --git a/src/edns0.c b/src/edns0.c
+index 95b74ee..89b2692 100644
+--- a/src/edns0.c
+++ b/src/edns0.c
+@@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
+          !(p = skip_section(p, 
+                             ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 
+                             header, plen)))
+      {
+       free(buff);
+        return plen;
+      }
+       if (p + 11 > limit)
+-       return plen; /* Too big */
+      {
+        free(buff);
+        return plen; /* Too big */
+      }
+       *p++ = 0; /* empty name */
+       PUTSHORT(T_OPT, p);
+       PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
+-- 
+1.7.10.4
diff --git a/recipes-networking/dnsmasq/dnsmasq_%.bbappend b/recipes-networking/dnsmasq/dnsmasq_%.bbappend
index 07f8a6c..ee31536 100644
--- a/recipes-networking/dnsmasq/dnsmasq_%.bbappend
+++ b/recipes-networking/dnsmasq/dnsmasq_%.bbappend
@@ -7,4 +7,5 @@ SRC_URI += "file://0001-CVE-2017-14491.patch \
    file://CVE-2017-14493.patch \
    file://CVE-2017-14494.patch \
    file://CVE-2017-14496.patch \
+    file://CVE-2017-14495.patch \
 "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-10-04 12:34:30 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-10-04 15:28:01 +0200
commit	cff1dc0bf1d330b828a93083228c40dd1bda4f4c (patch)
tree	aa54fb8c1f42ee2b0c368b7178157d91c325c46c
parent	c65b24cdfd9edbc25796ba7db9a9ca68513324e9 (diff)
download	meta-el-common-cff1dc0bf1d330b828a93083228c40dd1bda4f4c.tar.gz

diff --git a/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch new file mode 100644 index 0000000..ba176a8 --- /dev/null +++ b/recipes-networking/dnsmasq/dnsmasq/CVE-2017-14495.patch
@@ -0,0 +1,69 @@
		1	From 51eadb692a5123b9838e5a68ecace3ac579a3a45 Mon Sep 17 00:00:00 2001
		2	From: Simon Kelley <simon@thekelleys.org.uk>
		3	Date: Mon, 25 Sep 2017 20:16:50 +0100
		4	Subject: [PATCH] Security fix, CVE-2017-14495, OOM in DNS response creation.
		5
		6	Fix out-of-memory Dos vulnerability. An attacker which can
		7	send malicious DNS queries to dnsmasq can trigger memory
		8	allocations in the add_pseudoheader function
		9	The allocated memory is never freed which leads to a DoS
		10	through memory exhaustion. dnsmasq is vulnerable only
		11	if one of the following option is specified:
		12	--add-mac, --add-cpe-id or --add-subnet.
		13
		14	CVE: CVE-2017-14495
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		18	---
		19	CHANGELOG \| 12 ++++++++++++
		20	src/edns0.c \| 8 +++++++-
		21	2 files changed, 19 insertions(+), 1 deletion(-)
		22
		23	diff --git a/CHANGELOG b/CHANGELOG
		24	index 8fe00ed..9523329 100644
		25	--- a/CHANGELOG
		26	+++ b/CHANGELOG
		27	@@ -70,6 +70,18 @@ version 2.78
		28	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
		29	and Kevin Hamacher of the Google Security Team for
		30	finding this.
		31	+
		32	+ Fix out-of-memory Dos vulnerability. An attacker which can
		33	+ send malicious DNS queries to dnsmasq can trigger memory
		34	+ allocations in the add_pseudoheader function
		35	+ The allocated memory is never freed which leads to a DoS
		36	+ through memory exhaustion. dnsmasq is vulnerable only
		37	+ if one of the following option is specified:
		38	+ --add-mac, --add-cpe-id or --add-subnet.
		39	+ CVE-2017-14495 applies.
		40	+ Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
		41	+ and Kevin Hamacher of the Google Security Team for
		42	+ finding this.
		43
		44
		45	version 2.77
		46	diff --git a/src/edns0.c b/src/edns0.c
		47	index 95b74ee..89b2692 100644
		48	--- a/src/edns0.c
		49	+++ b/src/edns0.c
		50	@@ -192,9 +192,15 @@ size_t add_pseudoheader(struct dns_header header, size_t plen, unsigned char l
		51	!(p = skip_section(p,
		52	ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
		53	header, plen)))
		54	+ {
		55	+ free(buff);
		56	return plen;
		57	+ }
		58	if (p + 11 > limit)
		59	- return plen; /* Too big */
		60	+ {
		61	+ free(buff);
		62	+ return plen; /* Too big */
		63	+ }
		64	p++ = 0; / empty name */
		65	PUTSHORT(T_OPT, p);
		66	PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
		67	--
		68	1.7.10.4
		69


diff --git a/recipes-networking/dnsmasq/dnsmasq_%.bbappend b/recipes-networking/dnsmasq/dnsmasq_%.bbappend index 07f8a6c..ee31536 100644 --- a/recipes-networking/dnsmasq/dnsmasq_%.bbappend +++ b/recipes-networking/dnsmasq/dnsmasq_%.bbappend
@@ -7,4 +7,5 @@ SRC_URI += "file://0001-CVE-2017-14491.patch \
7	file://CVE-2017-14493.patch \	7	file://CVE-2017-14493.patch \
8	file://CVE-2017-14494.patch \	8	file://CVE-2017-14494.patch \
9	file://CVE-2017-14496.patch \	9	file://CVE-2017-14496.patch \
		10	file://CVE-2017-14495.patch \
10	"	11	"