neutron: CVE-2021-40085: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts

Debian Bug report logs - #993398
neutron: CVE-2021-40085: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: neutron: CVE-2021-40085: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts

Date: Tue, 31 Aug 2021 21:17:10 +0200

Source: neutron
Version: 2:18.1.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://launchpad.net/bugs/1939733
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2:17.1.1-6

Hi,

The following vulnerability was published for neutron.

CVE-2021-40085[0]:
| An issue was discovered in OpenStack Neutron before 16.4.1, 17.x
| before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can
| reconfigure dnsmasq via a crafted extra_dhcp_opts value.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-40085
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40085
[1] https://launchpad.net/bugs/1939733
[2] https://www.openwall.com/lists/oss-security/2021/08/31/2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #12 received at 993398@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 993398@bugs.debian.org, security@debian.org

Subject: Re: Bug#993398: neutron: CVE-2021-40085: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts

Date: Wed, 1 Sep 2021 10:06:08 +0200

[Message part 1 (text/plain, inline)]

On 8/31/21 9:17 PM, Salvatore Bonaccorso wrote:
> Source: neutron
> Version: 2:18.1.0-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://launchpad.net/bugs/1939733
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> Control: found -1 2:17.1.1-6
> 
> Hi,
> 
> The following vulnerability was published for neutron.
> 
> CVE-2021-40085[0]:
> | An issue was discovered in OpenStack Neutron before 16.4.1, 17.x
> | before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can
> | reconfigure dnsmasq via a crafted extra_dhcp_opts value.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-40085
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40085
> [1] https://launchpad.net/bugs/1939733
> [2] https://www.openwall.com/lists/oss-security/2021/08/31/2
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore

Dear Security team,

Please find attached the debdiff to close this bug in Bullseye. Let me
know if I can upload right away.

I'm preparing updates for Unstable and Buster (the patch applies kind of
cleanly in Buster as well, modulo a few tests).

Cheers,

Thomas Goirand (zigo)

[neutron_17.1.1-6+deb11u1.debdiff (text/plain, attachment)]

Message #15 received at 993398-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 993398-submitter@bugs.debian.org

Subject: Bug#993398 marked as pending in neutron

Date: Wed, 01 Sep 2021 12:14:16 +0000

Control: tag -1 pending

Hello,

Bug #993398 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/neutron/-/commit/b4ddfab9af3d87809eb17502d0c2bf9d3bf4dc33

------------------------------------------------------------------------
* CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
    authenticated user may add arbitrary configuration to the dnsmasq process
    in order to crash the service, change parameters for other tenants sharing
    the same interface, or otherwise alter that daemon's behavior. This
    vulnerability may also be used to trigger a configuration parsing buffer
    overflow in versions of dnsmasq prior to 2.81, which could lead to remote
    code execution. All Neutron deployments are affected. Added upstream
    patch: Remove dhcp_extra_opt value after first newline character.
    (Closes: #993398)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/993398

Message #20 received at 993398-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 993398-submitter@bugs.debian.org

Subject: Bug#993398 marked as pending in neutron

Date: Wed, 01 Sep 2021 12:14:24 +0000

Control: tag -1 pending

Hello,

Bug #993398 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/neutron/-/commit/8a70539dc9afdb80b2f0aac4f8e44e784729c6ab

------------------------------------------------------------------------
* CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
    authenticated user may add arbitrary configuration to the dnsmasq process
    in order to crash the service, change parameters for other tenants sharing
    the same interface, or otherwise alter that daemon's behavior. This
    vulnerability may also be used to trigger a configuration parsing buffer
    overflow in versions of dnsmasq prior to 2.81, which could lead to remote
    code execution. All Neutron deployments are affected. Added upstream
    patch: Remove dhcp_extra_opt value after first newline character.
    (Closes: #993398)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/993398

Message #23 received at 993398-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 993398-submitter@bugs.debian.org

Subject: Bug#993398 marked as pending in neutron

Date: Wed, 01 Sep 2021 14:50:01 +0000

Control: tag -1 pending

Hello,

Bug #993398 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/neutron/-/commit/efe0b21d0ebe8e36c8773076a3c347ca5478665e

------------------------------------------------------------------------
* CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
    authenticated user may add arbitrary configuration to the dnsmasq process
    in order to crash the service, change parameters for other tenants sharing
    the same interface, or otherwise alter that daemon's behavior. This
    vulnerability may also be used to trigger a configuration parsing buffer
    overflow in versions of dnsmasq prior to 2.81, which could lead to remote
    code execution. All Neutron deployments are affected. Added upstream
    patch: Remove dhcp_extra_opt value after first newline character.
    (Closes: #993398)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/993398

Message #26 received at 993398-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 993398-submitter@bugs.debian.org

Subject: Bug#993398 marked as pending in neutron

Date: Wed, 01 Sep 2021 14:55:44 +0000

Control: tag -1 pending

Hello,

Bug #993398 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/neutron/-/commit/d10f649abf34ab9b85080667b448eb27fb2d96c2

------------------------------------------------------------------------
* CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
    authenticated user may add arbitrary configuration to the dnsmasq process
    in order to crash the service, change parameters for other tenants sharing
    the same interface, or otherwise alter that daemon's behavior. This
    vulnerability may also be used to trigger a configuration parsing buffer
    overflow in versions of dnsmasq prior to 2.81, which could lead to remote
    code execution. All Neutron deployments are affected. Added upstream
    patch: Remove dhcp_extra_opt value after first newline character.
    (Closes: #993398).
  * Refresh patches.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/993398

Message #29 received at 993398-submitter@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 993398-submitter@bugs.debian.org

Subject: Bug#993398 marked as pending in neutron

Date: Wed, 01 Sep 2021 15:31:39 +0000

Control: tag -1 pending

Hello,

Bug #993398 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/neutron/-/commit/ffe208b6bd1e9840764b7568cf17200949de8959

------------------------------------------------------------------------
* CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
    authenticated user may add arbitrary configuration to the dnsmasq process
    in order to crash the service, change parameters for other tenants sharing
    the same interface, or otherwise alter that daemon's behavior. This
    vulnerability may also be used to trigger a configuration parsing buffer
    overflow in versions of dnsmasq prior to 2.81, which could lead to remote
    code execution. All Neutron deployments are affected. Added upstream
    patch: Remove dhcp_extra_opt value after first newline character.
    (Closes: #993398)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/993398

Message #34 received at 993398-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 993398-close@bugs.debian.org

Subject: Bug#993398: fixed in neutron 2:18.1.0-3

Date: Wed, 01 Sep 2021 15:49:18 +0000

Source: neutron
Source-Version: 2:18.1.0-3
Done: Thomas Goirand <zigo@debian.org>

We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 993398@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated neutron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Sep 2021 17:00:21 +0200
Source: neutron
Architecture: source
Version: 2:18.1.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 993398
Changes:
 neutron (2:18.1.0-3) unstable; urgency=medium
 .
   * CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
     authenticated user may add arbitrary configuration to the dnsmasq process
     in order to crash the service, change parameters for other tenants sharing
     the same interface, or otherwise alter that daemon's behavior. This
     vulnerability may also be used to trigger a configuration parsing buffer
     overflow in versions of dnsmasq prior to 2.81, which could lead to remote
     code execution. All Neutron deployments are affected. Added upstream
     patch: Remove dhcp_extra_opt value after first newline character.
     (Closes: #993398)
Checksums-Sha1:
 b19878edadc3a48daf31df74495514294bba2439 4762 neutron_18.1.0-3.dsc
 3e61dc3b9342149ff79f6cdeea7e63b7dfe10700 39996 neutron_18.1.0-3.debian.tar.xz
 a6bec40e2413fcf5a170ae52f3973e019e60007b 19982 neutron_18.1.0-3_amd64.buildinfo
Checksums-Sha256:
 049c759e40112a08af1c3ac7ec0baf0882e56aec21d1ad555f4b524557ef94dc 4762 neutron_18.1.0-3.dsc
 42af8b7dc069d73c69ae470f6cffdb42e9883786932f8e6f0b88510ebed53bda 39996 neutron_18.1.0-3.debian.tar.xz
 bc95f76293a4f6d3d7203e6f2e31663bb050390d013cf1b937a0ebc0c1d3ec81 19982 neutron_18.1.0-3_amd64.buildinfo
Files:
 17c2ce9a03cc6e6b7fa197338a57a714 4762 net optional neutron_18.1.0-3.dsc
 6e03682981eea64fd1bbeb83eff21d21 39996 net optional neutron_18.1.0-3.debian.tar.xz
 02d8dc2f973f20a816af0909ac0d6480 19982 net optional neutron_18.1.0-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmEvnN4ACgkQ1BatFaxr
Q/5t9RAAlZpKWs0alsHWbPp+rfHajndkgd1pQM/4k6CPn0RnZNHEi9Jr/qziw37A
ZXHaZF2il6M6+TVIoMXv46BlILvkyD0KQS2iJul5IwYt6OAwyhTIemYmxTEpzL55
XNYmBNVi4ic9OUSpjgxEeiNrL/DxUOoIZdM3XSPfjmkRGIKRXJP76O5MzuEtA9I4
l8WwEMqnCD7bRdtaAHPGHWUH3vejILqHbKEYr7gTfAOOKuXVwn/Abp3hVXTBqSKi
YiQRdNi36Y1xQUhEzneZtXWJ8jIdyw2Y185ED3qcSuaPqTZ8tJEG/eYKJd36vdGY
QaA39zKS/+n9DHNBShBqzOw9X08kDDbciUkfm+CE6MSwN04p1QVsm57qBxlBba8Z
B8j+VzSLJVNWIsFvtjpFdgRWCJ4tvio8GD90m3wHsL9g59f+/qktYlcJKZeI96Aw
54Z6u3iuVACF9ngs5+UsEHt0GDuSCkY9krTBbvi8bXSUcEBWn62j102TRD2girPT
TCDNQe7D5glw+Q4XigBQOZTUuCI7o+PIbUQBcxk8vOwGeNRA0kB6sofnpdbjrF5B
+ZyQVPL0dZFI3EPg2TuBf6BdHFC8JaVOjoQ1waWlc+eADcC9DpDA6f7nwsLZPIsB
cW+SPqMeRJnF3uRDbtVOYCcbE/ZIits/vkdaPmt6eRIC8opGTP8=
=UArM
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.