From: Kevin Darbyshire-Bryant
To: lede-dev@lists.infradead.org
Date: Mon, 2 Oct 2017 15:28:32 +0100
Subject: [LEDE-DEV] [PATCH] dnsmasq: bump to v2.78
Cc: Kevin Darbyshire-Bryant

Fixes CVE-2017-14491, 14492, 14493, 14494, 14495, 14496

For lede-17.01

Signed-off-by: Kevin Darbyshire-Bryant
---
 package/network/services/dnsmasq/Makefile | 6 +-
 ...10-Tweak-ICMP-ping-check-logic-for-DHCPv4.patch | 25 ------
 ...ove-ping-check-of-configured-DHCP-address.patch | 28 -------
 ...ervers-if-first-returns-REFUSED-when-stri.patch | 31 -------
 .../patches/025-backport-fix-CVE-2017-13704.patch | 94 ----------------------
 .../patches/030-fix-arcount-edns0-behaviour.patch | 44 ----------
 .../230-fix-poll-h-include-warning-on-musl.patch | 2 +-
 7 files changed, 4 insertions(+), 226 deletions(-)
 delete mode 100644 package/network/services/dnsmasq/patches/010-Tweak-ICMP-ping-check-logic-for-DHCPv4.patch
 delete mode 100644 package/network/services/dnsmasq/patches/011-Remove-ping-check-of-configured-DHCP-address.patch
 delete mode 100644 package/network/services/dnsmasq/patches/020-Try-other-servers-if-first-returns-REFUSED-when-stri.patch
 delete mode 100644 package/network/services/dnsmasq/patches/025-backport-fix-CVE-2017-13704.patch
 delete mode 100644 package/network/services/dnsmasq/patches/030-fix-arcount-edns0-behaviour.patch

diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index be7a2d1..94fd702 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq -PKG_VERSION:=2.77 -PKG_RELEASE:=6 +PKG_VERSION:=2.78 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/ -PKG_HASH:=6eac3b1c50ae25170e3ff8c96ddb55236cf45007633fdb8a35b1f3e02f5f8b8a +PKG_HASH:=89949f438c74b0c7543f06689c319484bd126cc4b1f8c745c742ab397681252b PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING diff --git a/package/network/services/dnsmasq/patches/010-Tweak-ICMP-ping-check-logic-for-DHCPv4.patch b/package/network/services/dnsmasq/patches/010-Tweak-ICMP-ping-check-logic-for-DHCPv4.patch deleted file mode 100644 index 571ff36..0000000 --- a/package/network/services/dnsmasq/patches/010-Tweak-ICMP-ping-check-logic-for-DHCPv4.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 4bb68866a8aeb31db8100492bceae051e33be5d0 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Thu, 15 Jun 2017 23:18:44 +0100 -Subject: [PATCH] Tweak ICMP ping check logic for DHCPv4. - ---- - src/rfc2131.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/rfc2131.c b/src/rfc2131.c -index 1c850e5..75792da 100644 ---- a/src/rfc2131.c -+++ b/src/rfc2131.c -@@ -1040,7 +1040,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, - else if (have_config(config, CONFIG_DECLINED) && - difftime(now, config->decline_time) < (float)DECLINE_BACKOFF) - my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it was previously declined"), addrs); -- else if (!do_icmp_ping(now, config->addr, 0, loopback)) -+ else if ((!lease || lease->addr.s_addr != config->addr.s_addr) && !do_icmp_ping(now, config->addr, 0, loopback)) - my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it is in use by another host"), addrs); - else - conf = config->addr; --- -1.9.1 - diff --git a/package/network/services/dnsmasq/patches/011-Remove-ping-check-of-configured-DHCP-address.patch b/package/network/services/dnsmasq/patches/011-Remove-ping-check-of-configured-DHCP-address.patch deleted file mode 100644 index 67f90e1..0000000 --- a/package/network/services/dnsmasq/patches/011-Remove-ping-check-of-configured-DHCP-address.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 1d224949cced9e82440d00b3dbaf32c262bac2ff Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Sat, 8 Jul 2017 20:52:55 +0100 -Subject: [PATCH 1/2] Remove ping-check of configured DHCP address. - -This was added in 5ce3e76fbf89e942e8c54ef3e3389facf0d9067a but -it trips over too many buggy clients that leave an interface configured -even in DHCPDISCOVER case. ---- - src/rfc2131.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/src/rfc2131.c b/src/rfc2131.c -index 86230b4..785e15c 100644 ---- a/src/rfc2131.c -+++ b/src/rfc2131.c -@@ -1040,8 +1040,6 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, - else if (have_config(config, CONFIG_DECLINED) && - difftime(now, config->decline_time) < (float)DECLINE_BACKOFF) - my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it was previously declined"), addrs); -- else if ((!lease || lease->addr.s_addr != config->addr.s_addr) && !do_icmp_ping(now, config->addr, 0, loopback)) -- my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it is in use by another host"), addrs); - else - conf = config->addr; - } --- -2.13.2 - diff --git a/package/network/services/dnsmasq/patches/020-Try-other-servers-if-first-returns-REFUSED-when-stri.patch b/package/network/services/dnsmasq/patches/020-Try-other-servers-if-first-returns-REFUSED-when-stri.patch deleted file mode 100644 index cdab607..0000000 --- a/package/network/services/dnsmasq/patches/020-Try-other-servers-if-first-returns-REFUSED-when-stri.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 9396752c115b3ab733fa476b30da73237e12e7ba Mon Sep 17 00:00:00 2001 -From: Hans Dedecker -Date: Tue, 27 Jun 2017 22:08:47 +0100 -Subject: [PATCH] Try other servers if first returns REFUSED when - --strict-order active. - -If a DNS server replies REFUSED for a given DNS query in strict order mode -no failover to the next DNS server is triggered as the failover logic only -covers non strict mode. -As a result the client will be returned the REFUSED reply without first -falling back to the secondary DNS server(s). - -Make failover support work as well for strict mode config in case REFUSED is -replied by deleting the strict order check and rely only on forwardall being -equal to 0 which is the case in non strict mode when a single server has been -contacted or when strict order mode has been configured. ---- - CHANGELOG | 4 ++++ - src/forward.c | 1 - - 2 files changed, 4 insertions(+), 1 deletion(-) - ---- a/src/forward.c -+++ b/src/forward.c -@@ -790,7 +790,6 @@ void reply_query(int fd, int family, tim - /* Note: if we send extra options in the EDNS0 header, we can't recreate - the query from the reply. */ - if (RCODE(header) == REFUSED && -- !option_bool(OPT_ORDER) && - forward->forwardall == 0 && - !(forward->flags & FREC_HAS_EXTRADATA)) - /* for broken servers, attempt to send to another one. */ diff --git a/package/network/services/dnsmasq/patches/025-backport-fix-CVE-2017-13704.patch b/package/network/services/dnsmasq/patches/025-backport-fix-CVE-2017-13704.patch deleted file mode 100644 index bba9a08..0000000 --- a/package/network/services/dnsmasq/patches/025-backport-fix-CVE-2017-13704.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 63437ffbb58837b214b4b92cb1c54bc5f3279928 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Wed, 6 Sep 2017 22:34:21 +0100 -Subject: [PATCH] Fix CVE-2017-13704, which resulted in a crash on a large DNS - query. - -A DNS query recieved by UDP which exceeds 512 bytes (or the EDNS0 packet size, -if different.) is enough to cause SIGSEGV. ---- - CHANGELOG | 7 +++++++ - src/auth.c | 5 ----- - src/forward.c | 8 ++++++++ - src/rfc1035.c | 5 ----- - 4 files changed, 15 insertions(+), 10 deletions(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 3a640f3..7e65912 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -17,6 +17,13 @@ version 2.78 - --strict-order active. Thanks to Hans Dedecker - for the patch - -+ Fix regression in 2.77, ironically added as a security -+ improvement, which resulted in a crash when a DNS -+ query exceeded 512 bytes (or the EDNS0 packet size, -+ if different.) Thanks to Christian Kujau, Arne Woerner -+ Juan Manuel Fernandez and Kevin Darbyshire-Bryant for -+ chasing this one down. CVE-2017-13704 applies. -+ - - version 2.77 - Generate an error when configured with a CNAME loop, -diff --git a/src/auth.c b/src/auth.c -index 2c24e16..7f95f98 100644 ---- a/src/auth.c -+++ b/src/auth.c -@@ -119,11 +119,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n - struct cname *a, *candidate; - unsigned int wclen; - -- /* Clear buffer beyond request to avoid risk of -- information disclosure. */ -- memset(((char *)header) + qlen, 0, -- (limit - ((char *)header)) - qlen); -- - if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY ) - return 0; - -diff --git a/src/forward.c b/src/forward.c -index f22556a..e3fa94b 100644 ---- a/src/forward.c -+++ b/src/forward.c -@@ -1188,6 +1188,10 @@ void receive_query(struct listener *listen, time_t now) - (msg.msg_flags & MSG_TRUNC) || - (header->hb3 & HB3_QR)) - return; -+ -+ /* Clear buffer beyond request to avoid risk of -+ information disclosure. 
*/ -+ memset(daemon->packet + n, 0, daemon->edns_pktsz - n); - - source_addr.sa.sa_family = listen->family; - -@@ -1688,6 +1692,10 @@ unsigned char *tcp_request(int confd, time_t now, - - if (size < (int)sizeof(struct dns_header)) - continue; -+ -+ /* Clear buffer beyond request to avoid risk of -+ information disclosure. */ -+ memset(payload + size, 0, 65536 - size); - - query_count++; - -diff --git a/src/rfc1035.c b/src/rfc1035.c -index 26f5301..af2fe46 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -1223,11 +1223,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - struct mx_srv_record *rec; - size_t len; - -- /* Clear buffer beyond request to avoid risk of -- information disclosure. */ -- memset(((char *)header) + qlen, 0, -- (limit - ((char *)header)) - qlen); -- - if (ntohs(header->ancount) != 0 || - ntohs(header->nscount) != 0 || - ntohs(header->qdcount) == 0 || --- -1.7.10.4 - diff --git a/package/network/services/dnsmasq/patches/030-fix-arcount-edns0-behaviour.patch b/package/network/services/dnsmasq/patches/030-fix-arcount-edns0-behaviour.patch deleted file mode 100644 index fffc8de..0000000 --- a/package/network/services/dnsmasq/patches/030-fix-arcount-edns0-behaviour.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From a3303e196e5d304ec955c4d63afb923ade66c6e8 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Thu, 7 Sep 2017 20:45:00 +0100 -Subject: [PATCH] Don't return arcount=1 if EDNS0 RR won't fit in the packet. - -Omitting the EDNS0 RR but setting arcount gives a malformed packet. -Also, don't accept UDP packet size less than 512 in recieved EDNS0. ---- - src/edns0.c | 5 ++++- - src/forward.c | 2 ++ - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/edns0.c b/src/edns0.c -index 3fde17f..f5b798c 100644 ---- a/src/edns0.c -+++ b/src/edns0.c -@@ -208,7 +208,10 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l - free(buff); - p += rdlen; - } -- header->arcount = htons(ntohs(header->arcount) + 1); -+ -+ /* Only bump arcount if RR is going to fit */ -+ if (((ssize_t)optlen) <= (limit - (p + 4))) -+ header->arcount = htons(ntohs(header->arcount) + 1); - } - - if (((ssize_t)optlen) > (limit - (p + 4))) -diff --git a/src/forward.c b/src/forward.c -index e3fa94b..942b02d 100644 ---- a/src/forward.c -+++ b/src/forward.c -@@ -1412,6 +1412,8 @@ void receive_query(struct listener *listen, time_t now) - defaults to 512 */ - if (udp_size > daemon->edns_pktsz) - udp_size = daemon->edns_pktsz; -+ else if (udp_size < PACKETSZ) -+ udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */ - } - - #ifdef HAVE_AUTH --- -1.7.10.4 - diff --git a/package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch b/package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch index 19300f7..37b11ab 100644 --- a/package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch +++ b/package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch @@ -7,7 +7,7 @@ Signed-off-by: Kevin Darbyshire-Bryant --- a/src/dnsmasq.h 
+++ b/src/dnsmasq.h -@@ -82,7 +82,7 @@ typedef unsigned long long u64; +@@ -88,7 +88,7 @@ typedef unsigned long long u64; #if defined(HAVE_SOLARIS_NETWORK) # include #endif
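
Review bot: In the package/network/services/dnsmasq/Makefile hunk, the new PKG_HASH is the only integrity check on a tarball that the unchanged PKG_SOURCE_URL line still fetches over plain http://, so the commit message should say how the 2.78 hash was obtained and what it was checked against (a signature published upstream, if one is available). Switching PKG_SOURCE_URL to an https:// mirror in the same change, if upstream offers one, would remove the dependence on the hash alone.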
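
Review bot: The deletion of patches/025-backport-fix-CVE-2017-13704.patch is only correct if the 2.78 tarball carries the same fix, and the commit message lists six CVEs without mentioning CVE-2017-13704 or the other four dropped patches (010, 011, 020, 030). The deleted patch's own CHANGELOG hunk places its entry under "version 2.78", which supports the removal, but a line such as "drop patches 010, 011, 020, 025, 030, all included upstream in 2.78" would let anyone auditing lede-17.01 for that CVE see that it stays fixed after this bump.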
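
Review bot: patches/230-fix-poll-h-include-warning-on-musl.patch is the only retained patch refreshed here (its inner hunk header moves from -82,7 +82,7 to -88,7 +88,7), so please confirm that any other patches left in patches/ still apply to 2.78 without offset or fuzz, and mention the refresh in the commit message.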