dnsmasq: CVE-2015-3294: crash on receipt of certain malformed DNS requests

Debian Bug report logs - #783459
dnsmasq: CVE-2015-3294: crash on receipt of certain malformed DNS requests

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: dnsmasq: CVE-2015-3294: crash on receipt of certain malformed DNS requests

Date: Mon, 27 Apr 2015 10:17:45 +0200

Source: dnsmasq
Version: 2.62-3
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for dnsmasq.

CVE-2015-3294[0]:
denial of service

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3294
[1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009382.html
[2 http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=ad4a8ff7d9097008d7623df8543df435bfddeac8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #12 received at 783459@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 783459@bugs.debian.org

Subject: dnsmasq: diff for NMU version 2.72-3.1

Date: Tue, 5 May 2015 16:15:16 +0200

[Message part 1 (text/plain, inline)]

Control: tags 783459 + pending

Hi Simon,

I've prepared an NMU for dnsmasq (versioned as 2.72-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

[dnsmasq-2.72-3.1-nmu.diff (text/x-diff, attachment)]

Message #19 received at 783459-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 783459-close@bugs.debian.org

Subject: Bug#783459: fixed in dnsmasq 2.72-3+deb8u1

Date: Tue, 05 May 2015 19:47:05 +0000

Source: dnsmasq
Source-Version: 2.72-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
dnsmasq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783459@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated dnsmasq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2015 11:15:01 +0200
Source: dnsmasq
Binary: dnsmasq dnsmasq-base dnsmasq-utils
Architecture: source amd64 all
Version: 2.72-3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Simon Kelley <simon@thekelleys.org.uk>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 dnsmasq    - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-base - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-utils - Utilities for manipulating DHCP leases
Closes: 783459
Changes:
 dnsmasq (2.72-3+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2015-3294: denial of service and memory disclosure via malformed
     DNS requests (Closes: #783459)
Checksums-Sha1:
 82741461aebe48b0721e7ad1781093b16dd5c04c 1890 dnsmasq_2.72-3+deb8u1.dsc
 bfb12316ba1601db954a66bbc9c1aa917d9a7871 657779 dnsmasq_2.72.orig.tar.gz
 b981656a920eb3ba68b94449169afec9a0a1981d 22594 dnsmasq_2.72-3+deb8u1.diff.gz
 a1cb98e3f175f5a01fb33df1049b28f775839b92 15828 dnsmasq_2.72-3+deb8u1_all.deb
Checksums-Sha256:
 f5267bd2f073b486a9677a07d33aec2933e273527f1751d915edfdf8d3904923 1890 dnsmasq_2.72-3+deb8u1.dsc
 2a122c7eea57ed8fbd63af5de03d9b6f03eaf730dab5dd984adb98ecd8487b37 657779 dnsmasq_2.72.orig.tar.gz
 8e300defeffe8e7bc1d355db210544b242835ab4cb7f3a339d43dfd3a09c707d 22594 dnsmasq_2.72-3+deb8u1.diff.gz
 198fb357673219759ade204f34660c3a5ff52c2ed5d2afca4433d62a4b5fa3b5 15828 dnsmasq_2.72-3+deb8u1_all.deb
Files:
 d3f55b5cfd84e62dd75f7b6f2850150e 1890 net optional dnsmasq_2.72-3+deb8u1.dsc
 c84e6544bb2e749e00a017c306722ff0 657779 net optional dnsmasq_2.72.orig.tar.gz
 312bea4db5625c5786ac41cbda84f54e 22594 net optional dnsmasq_2.72-3+deb8u1.diff.gz
 1ad8996974ff0fe2e4fc05ab4e51133f 15828 net optional dnsmasq_2.72-3+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVSI8SAAoJEAVMuPMTQ89EQD8P/iHMpGdRQbt4ioP44pttQq3l
9FSaYY6MeLGTiujmTQNBSKZ+TS//IeDuXyCx6QY3Xfnm/00hFCiBspyZIeOQJMCB
pgw1pYjhCw+bFyAY2MC0v8CvlATtQRcWHZgqs/BKZADFl4nWbPCgrfUyAfkIycMK
lgVrk5Q6YXjvm0UB297xf3cPLQ9OJ1lEFju1a83eT/MCTD8zoy74IxwIgExW8Qi4
BYsxX/V/QyPzYnGeyyY3xKZGCotsBDbe2Od+9SWsjJtrAiXbsEVVDBp5UarBikge
dyKmtxrwvvnY/WTlB1fMIvM0a5BxgbM7uZfmN4bk+pTkrrD0EE2J/l4Zd0XxXXvg
3yaoi/QAMHjDp9YLk1Uqc/aEDhG2hasGM1ar76sBYx4UcTh4Xo5ZLR2vyWvkU6Ge
/+nqTyBrv3mb+RME0/Hll9KNCs2ZQIINe2QH3w+E+dzc2DIgLfR1sRRJC1/Whnq3
yHceIIX5zXH6D2mdDyE8Fz+OwRkbToP8qLGo2G0s6VOvwtsDFRpsI6ZFcn9zcm5k
o2s5crWtmqJRfdlrO42w6JxvdMGNcZNxjo7XoBz+8m/J16mtfrE18EU4ymYwqadM
KvXhGuq5Yz7Y3ZR0g12NvP0WSF3NrdOIquZO7Xbngp8l7wfu/+NAbRxNtCk7mBmu
WYTb8BWbbPHYadHiEeoz
=Rahx
-----END PGP SIGNATURE-----

Message #24 received at 783459-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 783459-close@bugs.debian.org

Subject: Bug#783459: fixed in dnsmasq 2.62-3+deb7u2

Date: Tue, 05 May 2015 19:47:28 +0000

Source: dnsmasq
Source-Version: 2.62-3+deb7u2

We believe that the bug you reported is fixed in the latest version of
dnsmasq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783459@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated dnsmasq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2015 12:50:41 +0200
Source: dnsmasq
Binary: dnsmasq dnsmasq-base dnsmasq-utils
Architecture: source amd64 all
Version: 2.62-3+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Simon Kelley <simon@thekelleys.org.uk>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 dnsmasq    - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-base - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-utils - Utilities for manipulating DHCP leases
Closes: 783459
Changes: 
 dnsmasq (2.62-3+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2015-3294: denial of service and memory disclosure via malformed
     DNS requests (Closes: #783459)
Checksums-Sha1: 
 e26fc306c16e6dae1948f7f61478a598309051fd 1801 dnsmasq_2.62-3+deb7u2.dsc
 ed162c51580af7f505d29a23bafd0662ac79b711 532080 dnsmasq_2.62.orig.tar.gz
 7c0384015423a73d0fd859ecbb57f36992ed5674 21067 dnsmasq_2.62-3+deb7u2.diff.gz
 eec3a98d975514a66f1cc2d6afb94707cd1b6d99 370346 dnsmasq-base_2.62-3+deb7u2_amd64.deb
 dc2b7f1acbf03f4304ba4c0a3c416e0c9a71bdff 18762 dnsmasq-utils_2.62-3+deb7u2_amd64.deb
 6210479a11aba422eafe48eedffbcfa389201cad 16310 dnsmasq_2.62-3+deb7u2_all.deb
Checksums-Sha256: 
 40da7fd3a0d35513c8ac6688110684d476bc28e1bebd390f20dde7378b117f29 1801 dnsmasq_2.62-3+deb7u2.dsc
 beab9f91739d05799c838a02110fea613ff10bbf14bf794543854141dff01f97 532080 dnsmasq_2.62.orig.tar.gz
 7f5eafd8b4f081221cbd61f521c74198e50a1a490a6183e6f8490b172ffa37d2 21067 dnsmasq_2.62-3+deb7u2.diff.gz
 b6bdcd710b6a629b785ca8ac3f410acf7d4f187894a8c199d104d546bdb64cd6 370346 dnsmasq-base_2.62-3+deb7u2_amd64.deb
 afca28194c182e5d65bdb870c50886dc1bac5d0c73613de301a0276f360611d9 18762 dnsmasq-utils_2.62-3+deb7u2_amd64.deb
 6ae40ccb3f35b0ee27d597a756b9f2b352400ececa32476854e5fcd8d45ee7cd 16310 dnsmasq_2.62-3+deb7u2_all.deb
Files: 
 27cedacdf3799dcd797f745df866ef11 1801 net optional dnsmasq_2.62-3+deb7u2.dsc
 0c7210ab1059021e703c84086705ab56 532080 net optional dnsmasq_2.62.orig.tar.gz
 815c597f6552f4e590978fdeb616565e 21067 net optional dnsmasq_2.62-3+deb7u2.diff.gz
 0c5ef96558f2e3707dbb05c5b8c134c6 370346 net optional dnsmasq-base_2.62-3+deb7u2_amd64.deb
 2d9c58d70807d4be3880f8bb99e7ae18 18762 net optional dnsmasq-utils_2.62-3+deb7u2_amd64.deb
 c996f359b18d02df89c118c5d7e7fe42 16310 net optional dnsmasq_2.62-3+deb7u2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVSKEUAAoJEAVMuPMTQ89EfcMP/3pG1bPqAZPS+olcivy61pRX
l28F08gUS47knEiT4MFIHX3vzQ+XNurtigoAATkSkqLn2D9YVVS114ueWGlh4P/d
0OdzJB77UZcWK7MFkA24aCfqbydMITtPw84YFQSVfiBfMqProQugYGor6PxAz4y1
oT4a5ay0CKWt/AcKmJ0LlK2fhvev+bsabmI3pDftuWyfQa6huzI9WiM4UKm5UXXZ
KMtFXNv+r0qAH7VauZcFFldckpSVFap0Nx6xanF/OUIdSSU8DZwyLnK/4MHARjKY
k6rZFgRSbPUenBnVsy2YFSJEeROVYCNTdLsJRSQKIcxf6ysTWaqRS42uDm0q86rI
+PfGmpwpD5B1qdqFar96vQNVC4mbxEVB7Ogbluq/lyt2YdeepX4s2PnjLmL6dgsW
DK//UUaqCZaMEdunZ1+0pb9ac2lzTlh/MBEes97bTeJZ+3olRQ/L1thB9aQdihiu
Pda4CB0wpJJaB/vZZCJ+yTmSroT1G1TIki1x/xnfG69mYGktA9UMxpXtTLK4G8yn
pSr5lKk3AeZN5FNQYfEyoXwHlBEPQf0Va6npOB7+UaGVC7xUqRfbas0LLX9UlLGZ
ITV9jZOhN1qk8vU01E9bRKDuvykcYJXwUM6H6edSImUivDJpvbVSzNbXWAvwHP25
w1radAqIc954Bv3jIH01
=ynhu
-----END PGP SIGNATURE-----

Message #29 received at 783459@bugs.debian.org (full text, mbox, reply):

From: "Ian Campbell" <ijc@hellion.org.uk>

To: Debian Bug Tracking System <783459@bugs.debian.org>

Subject: dnsmasq: Wheezy regression caused by CVE-2015-3294/2.62-3+deb7u2 w/ bind-interfaces

Date: Wed, 06 May 2015 08:48:53 +0100

Package: dnsmasq
Followup-For: Bug #783459

Dear Maintainer,

After upgrading to 2.62-3+deb7u2 on Wheezy/armel dnsmasq now fails to start with:

    root@yog-sothoth:~# dpkg -i dnsmasq*2.62-3+deb7u2*.deb
    (Reading database ... 25941 files and directories currently installed.)
    Preparing to replace dnsmasq 2.62-3+deb7u1 (using dnsmasq_2.62-3+deb7u2_all.deb) ...
    Unpacking replacement dnsmasq ...
    Preparing to replace dnsmasq-base 2.62-3+deb7u1 (using dnsmasq-base_2.62-3+deb7u2_armel.deb) ...
    Unpacking replacement dnsmasq-base ...
    Setting up dnsmasq-base (2.62-3+deb7u2) ...
    Processing triggers for man-db ...
    Setting up dnsmasq (2.62-3+deb7u2) ...
    insserv: warning: current stop runlevel(s) (1) of script `dnsmasq' overrides LSB defaults (0 1 6).
    [....] Restarting DNS forwarder and DHCP server: dnsmasq
    dnsmasq: failed to set SO_REUSE{ADDR|PORT} on DHCP socket: Protocol not available
     failed!
    invoke-rc.d: initscript dnsmasq, action "restart" failed.
    root@yog-sothoth:~# 

Downgrading back to 2.62-3+deb7u1 makes things work again.

Searching around there are various (mostly a few year old) reports of this
which are related to the use of the bind-interfaces option which I had enabled
in /etc/dnsmasq.conf since dnsmasq runs on a router with multiple interfaces.

For now I've disabled bind-interfaces, although I'm not entirely happy with
that since it exposes dnsmasq to traffic from the outside Internet, even if it
is to be discarded.

Ian.

-- System Information:
Debian Release: 7.8
  APT prefers oldstable
  APT policy: (990, 'oldstable'), (500, 'oldstable-updates')
Architecture: armel (armv5tel)

Kernel: Linux 3.2.0-4-kirkwood
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dnsmasq depends on:
ii  adduser       3.113+nmu3
ii  dnsmasq-base  2.62-3+deb7u1
ii  netbase       5.0

dnsmasq recommends no packages.

Versions of packages dnsmasq suggests:
pn  resolvconf  <none>

-- Configuration Files:
/etc/dnsmasq.conf changed:
interface=eth0
bind-interfaces
domain=hellion.org.uk
dhcp-range=192.168.1.128,192.168.1.255,12h


-- no debconf information

Message #34 received at 783459@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Ian Campbell <ijc@hellion.org.uk>, 783459@bugs.debian.org

Subject: Re: Bug#783459: dnsmasq: Wheezy regression caused by CVE-2015-3294/2.62-3+deb7u2 w/ bind-interfaces

Date: Wed, 6 May 2015 11:34:30 +0200

Hi Ian,

On Wed, May 06, 2015 at 08:48:53AM +0100, Ian Campbell wrote:
> Package: dnsmasq
> Followup-For: Bug #783459
>
> Dear Maintainer,
>
> After upgrading to 2.62-3+deb7u2 on Wheezy/armel dnsmasq now fails to start with:
>
>     root@yog-sothoth:~# dpkg -i dnsmasq*2.62-3+deb7u2*.deb
>     (Reading database ... 25941 files and directories currently installed.)
>     Preparing to replace dnsmasq 2.62-3+deb7u1 (using dnsmasq_2.62-3+deb7u2_all.deb) ...
>     Unpacking replacement dnsmasq ...
>     Preparing to replace dnsmasq-base 2.62-3+deb7u1 (using dnsmasq-base_2.62-3+deb7u2_armel.deb) ...
>     Unpacking replacement dnsmasq-base ...
>     Setting up dnsmasq-base (2.62-3+deb7u2) ...
>     Processing triggers for man-db ...
>     Setting up dnsmasq (2.62-3+deb7u2) ...
>     insserv: warning: current stop runlevel(s) (1) of script `dnsmasq' overrides LSB defaults (0 1 6).
>     [....] Restarting DNS forwarder and DHCP server: dnsmasq
>     dnsmasq: failed to set SO_REUSE{ADDR|PORT} on DHCP socket: Protocol not available
>      failed!
>     invoke-rc.d: initscript dnsmasq, action "restart" failed.
>     root@yog-sothoth:~#
>
> Downgrading back to 2.62-3+deb7u1 makes things work again.
>
> Searching around there are various (mostly a few year old) reports of this
> which are related to the use of the bind-interfaces option which I had enabled
> in /etc/dnsmasq.conf since dnsmasq runs on a router with multiple interfaces.
>
> For now I've disabled bind-interfaces, although I'm not entirely happy with
> that since it exposes dnsmasq to traffic from the outside Internet, even if it
> is to be discarded.

I just tried to replicate that configuration and set up a wheezy VM up with two
interfaces eth0, eth4, and set the following modifications:

interface=eth4
bind-interfaces
domain=example.com
dhcp-range=192.168.1.128,192.168.1.255,12h

But so far I was not able to reproduce the problem, but only from a quit
re-check (and in particular not the same arch as well).

----cut---------cut---------cut---------cut---------cut---------cut-----
root@dnsmasq-test:~# dpkg-query -f '${Package} ${Version}\n' -W dnsmasq dnsmasq-base
dnsmasq 2.62-3+deb7u1
dnsmasq-base 2.62-3+deb7u1
root@dnsmasq-test:~# cat /etc/dnsmasq.d/regression.conf
interface=eth4
bind-interfaces
domain=example.com
dhcp-range=192.168.1.128,192.168.1.255,12h
root@dnsmasq-test:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 52:54:00:95:ed:78 brd ff:ff:ff:ff:ff:ff
3: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 52:54:00:50:46:5a brd ff:ff:ff:ff:ff:ff
root@dnsmasq-test:~# apt-get install dnsmasq dnsmasq-base
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  resolvconf
The following packages will be upgraded:
  dnsmasq dnsmasq-base
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 387 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://security.debian.org/ wheezy/updates/main dnsmasq-base amd64 2.62-3+deb7u2 [370 kB]
Get:2 http://security.debian.org/ wheezy/updates/main dnsmasq all 2.62-3+deb7u2 [16.3 kB]
Fetched 387 kB in 0s (1,789 kB/s)
(Reading database ... 18634 files and directories currently installed.)
Preparing to replace dnsmasq-base 2.62-3+deb7u1 (using .../dnsmasq-base_2.62-3+deb7u2_amd64.deb) ...
Unpacking replacement dnsmasq-base ...
Preparing to replace dnsmasq 2.62-3+deb7u1 (using .../dnsmasq_2.62-3+deb7u2_all.deb) ...
Unpacking replacement dnsmasq ...
Processing triggers for man-db ...
Setting up dnsmasq-base (2.62-3+deb7u2) ...
Setting up dnsmasq (2.62-3+deb7u2) ...
Restarting DNS forwarder and DHCP server: dnsmasq.
root@dnsmasq-test:~#
----cut---------cut---------cut---------cut---------cut---------cut-----

Regards,
Salvatore

Message #39 received at 783459@bugs.debian.org (full text, mbox, reply):

From: Ian Campbell <ijc@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 783459@bugs.debian.org

Subject: Re: Bug#783459: dnsmasq: Wheezy regression caused by CVE-2015-3294/2.62-3+deb7u2 w/ bind-interfaces

Date: Wed, 06 May 2015 11:30:35 +0100

On Wed, 2015-05-06 at 11:34 +0200, Salvatore Bonaccorso wrote:
> I just tried to replicate that configuration and set up a wheezy VM up with two
> interfaces eth0, eth4, and set the following modifications:
> 
> interface=eth4
> bind-interfaces
> domain=example.com
> dhcp-range=192.168.1.128,192.168.1.255,12h
> 
> But so far I was not able to reproduce the problem, but only from a quit
> re-check (and in particular not the same arch as well).

Thanks for checking/trying.

I've just noticed that running kernel on the machine is 3.2.57-3+deb7u1
which is quite out of date wrt point releases etc. Looking at the
changelog there have been dozens of stable update fixes, one of which
might be relevant here.

I'll reboot when I get home and see if perhaps that fixes the issue.

Ian.

Message #44 received at 783459@bugs.debian.org (full text, mbox, reply):

From: Luca Olivetti <luca@ventoso.org>

To: 783459@bugs.debian.org

Subject: Re: Bug#783459: dnsmasq: Wheezy regression caused by CVE-2015-3294/2.62-3+deb7u2 w/ bind-interfaces

Date: Wed, 06 May 2015 12:59:03 +0200

On Wed, 06 May 2015 11:30:35 +0100 Ian Campbell <ijc@debian.org> wrote:


> I've just noticed that running kernel on the machine is 3.2.57-3+deb7u1
> which is quite out of date wrt point releases etc. Looking at the
> changelog there have been dozens of stable update fixes, one of which
> might be relevant here.
> 
> I'll reboot when I get home and see if perhaps that fixes the issue.

I have the same problem, but my machine uses 3.2.68:


#uname -a
Linux lacie 3.2.0-4-kirkwood #1 Debian 3.2.68-1+deb7u1 armv5tel GNU/Linux


I had to comment the "bind-interfaces" line from /etc/dnsmasq.conf in
order to make it start.

Bye
-- 
Luca

Message #49 received at 783459@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Luca Olivetti <luca@ventoso.org>, 783459@bugs.debian.org

Cc: Ian Campbell <ijc@hellion.org.uk>

Subject: Re: Bug#783459: dnsmasq: Wheezy regression caused by CVE-2015-3294/2.62-3+deb7u2 w/ bind-interfaces

Date: Wed, 6 May 2015 16:16:46 +0200

Hi Ian and Luca,

On Wed, May 06, 2015 at 12:59:03PM +0200, Luca Olivetti wrote:
> On Wed, 06 May 2015 11:30:35 +0100 Ian Campbell <ijc@debian.org> wrote:
> 
> 
> > I've just noticed that running kernel on the machine is 3.2.57-3+deb7u1
> > which is quite out of date wrt point releases etc. Looking at the
> > changelog there have been dozens of stable update fixes, one of which
> > might be relevant here.
> > 
> > I'll reboot when I get home and see if perhaps that fixes the issue.
> 
> I have the same problem, but my machine uses 3.2.68:
> 
> 
> #uname -a
> Linux lacie 3.2.0-4-kirkwood #1 Debian 3.2.68-1+deb7u1 armv5tel GNU/Linux
> 
> 
> I had to comment the "bind-interfaces" line from /etc/dnsmasq.conf in
> order to make it start.

Thanks to both for feedback. Might it be a problem with the armel
build?  If you look at the build log (which I have uploaded to [1]) on
the armel chroot to build the package on the buildd there installed
linux-libc-dev which is not from stable but from backports, and indeed
for linux >= 3.9. Thus the armel build will have (dhcp.c):

[...]
      int rc = setsockopt(fd, 1, 15, &oneopt, sizeof(oneopt));

      if (rc == -1)
 die(dcgettext (((void *)0), "failed to set SO_REUSE{ADDR|PORT} on DHCP socket: %s", __LC_MESSAGES), ((void *)0), 2);
    }
[...]

Could either of you try to rebuild dnsmasq in a clean chroot and see
if the problem resolves? That the buildd have 3.14.13-2~bpo70+1
installed is odd and should not be.

 [1] https://people.debian.org/~carnil/tmp/dnsmasq/dnsmasq_2.62-3+deb7u2_armel-20150505-1143.gz
 [2] https://lwn.net/Articles/542629/

Regards,
Salvatore

Message #54 received at 783459@bugs.debian.org (full text, mbox, reply):

From: Simon Kelley <simon@thekelleys.org.uk>

To: Salvatore Bonaccorso <carnil@debian.org>, 783459@bugs.debian.org

Subject: Re: Bug#783459: dnsmasq: diff for NMU version 2.72-3.1

Date: Wed, 06 May 2015 15:35:07 +0100

On 05/05/15 15:15, Salvatore Bonaccorso wrote:
> Control: tags 783459 + pending
> 
> Hi Simon,
> 
> I've prepared an NMU for dnsmasq (versioned as 2.72-3.1) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.
> 
> Regards,
> Salvatore
> 

That looks fine, thanks for doing this. I replied separately to the
REUSEPORT bug in oldstable, with a solution.


Cheers,

Simon.

Message #59 received at 783459@bugs.debian.org (full text, mbox, reply):

From: Simon Kelley <simon@thekelleys.org.uk>

To: Salvatore Bonaccorso <carnil@debian.org>, 783459@bugs.debian.org

Subject: Re: Bug#783459: dnsmasq: Wheezy regression caused by CVE-2015-3294/2.62-3+deb7u2 w/ bind-interfaces

Date: Wed, 06 May 2015 15:32:25 +0100

Salvatore.

The problem occurs if the dnsmasq binary is compiled against libc
headers which #define SO_REUSEPORT and then run on a kernel which
doesn't support that option. I guess the security builds have picked up
SO_REUSEPORT from a libc backport.

The fix applied at the time was:

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=56a1142f033234e3ee3b6361e9a1bcdbe606f816


Cheers,

Simon.



On 06/05/15 15:16, Salvatore Bonaccorso wrote:
> Hi Ian and Luca,
> 
> On Wed, May 06, 2015 at 12:59:03PM +0200, Luca Olivetti wrote:
>> On Wed, 06 May 2015 11:30:35 +0100 Ian Campbell <ijc@debian.org> wrote:
>>
>>
>>> I've just noticed that running kernel on the machine is 3.2.57-3+deb7u1
>>> which is quite out of date wrt point releases etc. Looking at the
>>> changelog there have been dozens of stable update fixes, one of which
>>> might be relevant here.
>>>
>>> I'll reboot when I get home and see if perhaps that fixes the issue.
>>
>> I have the same problem, but my machine uses 3.2.68:
>>
>>
>> #uname -ahttp://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=56a1142f033234e3ee3b6361e9a1bcdbe606f816
>> Linux lacie 3.2.0-4-kirkwood #1 Debian 3.2.68-1+deb7u1 armv5tel GNU/Linux
>>
>>
>> I had to comment the "bind-interfaces" line from /etc/dnsmasq.conf in
>> order to make it start.
> 
> Thanks to both for feedback. Might it be a problem with the armel
> build?  If you look at the build log (which I have uploaded to [1]) on
> the armel chroot to build the package on the buildd there installed
> linux-libc-dev which is not from stable but from backports, and indeed
> for linux >= 3.9. Thus the armel build will have (dhcp.c):
> 
> [...]
>       int rc = setsockopt(fd, 1, 15, &oneopt, sizeof(oneopt));
> 
>       if (rc == -1)
>  die(dcgettext (((void *)0), "failed to set SO_REUSE{ADDR|PORT} on DHCP socket: %s", __LC_MESSAGES), ((void *)0), 2);
>     }
> [...]
> 
> Could either of you try to rebuild dnsmasq in a clean chroot and see
> if the problem resolves? That the buildd have 3.14.13-2~bpo70+1
> installed is odd and should not be.
> 
>  [1] https://people.debian.org/~carnil/tmp/dnsmasq/dnsmasq_2.62-3+deb7u2_armel-20150505-1143.gz
>  [2] https://lwn.net/Articles/542629/
> 
> Regards,
> Salvatore
> 

Message #64 received at 783459@bugs.debian.org (full text, mbox, reply):

From: Ian Campbell <ijc@hellion.org.uk>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: Luca Olivetti <luca@ventoso.org>, 783459@bugs.debian.org

Subject: Re: Bug#783459: dnsmasq: Wheezy regression caused by CVE-2015-3294/2.62-3+deb7u2 w/ bind-interfaces

Date: Wed, 06 May 2015 16:37:22 +0100

On Wed, 2015-05-06 at 16:16 +0200, Salvatore Bonaccorso wrote:
> Could either of you try to rebuild dnsmasq in a clean chroot and see
> if the problem resolves?

Just kicked off "sbuild --dist wheezy --arch armel --binNMU=1
dnsmasq_2.62-3+deb7u2.dsc" on a local machine whose chroot _should_ be
clean (I'll check the logs after though)

>  That the buildd have 3.14.13-2~bpo70+1
> installed is odd and should not be.

Yes indeed. Perhaps it might be necessary to run a backported kernel on
that host, but that doesn't explain linux-libc-dev in a chroot!

Ian.

Message #69 received at 783459@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 783459@bugs.debian.org

Subject: Re: Bug#783459: dnsmasq: Wheezy regression caused by CVE-2015-3294/2.62-3+deb7u2 w/ bind-interfaces

Date: Wed, 6 May 2015 20:26:19 +0200

Control: clone -1 -2
Control: retitle -2 dnsmasq: Wheezy regression caused by CVE-2015-3294/2.62-3+deb7u2 w/ bind-interfaces
Control: found -2 2.62-3+deb7u2

Cloning this as new bugreport to handle the regression introduced.

On Wed, May 06, 2015 at 03:32:25PM +0100, Simon Kelley wrote:
> Salvatore.
> 
> The problem occurs if the dnsmasq binary is compiled against libc
> headers which #define SO_REUSEPORT and then run on a kernel which
> doesn't support that option. I guess the security builds have picked up
> SO_REUSEPORT from a libc backport.
> 
> The fix applied at the time was:
> 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=56a1142f033234e3ee3b6361e9a1bcdbe606f816
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> On 06/05/15 15:16, Salvatore Bonaccorso wrote:
> > Hi Ian and Luca,
> > 
> > On Wed, May 06, 2015 at 12:59:03PM +0200, Luca Olivetti wrote:
> >> On Wed, 06 May 2015 11:30:35 +0100 Ian Campbell <ijc@debian.org> wrote:
> >>
> >>
> >>> I've just noticed that running kernel on the machine is 3.2.57-3+deb7u1
> >>> which is quite out of date wrt point releases etc. Looking at the
> >>> changelog there have been dozens of stable update fixes, one of which
> >>> might be relevant here.
> >>>
> >>> I'll reboot when I get home and see if perhaps that fixes the issue.
> >>
> >> I have the same problem, but my machine uses 3.2.68:
> >>
> >>
> >> #uname -ahttp://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=56a1142f033234e3ee3b6361e9a1bcdbe606f816
> >> Linux lacie 3.2.0-4-kirkwood #1 Debian 3.2.68-1+deb7u1 armv5tel GNU/Linux
> >>
> >>
> >> I had to comment the "bind-interfaces" line from /etc/dnsmasq.conf in
> >> order to make it start.
> > 
> > Thanks to both for feedback. Might it be a problem with the armel
> > build?  If you look at the build log (which I have uploaded to [1]) on
> > the armel chroot to build the package on the buildd there installed
> > linux-libc-dev which is not from stable but from backports, and indeed
> > for linux >= 3.9. Thus the armel build will have (dhcp.c):
> > 
> > [...]
> >       int rc = setsockopt(fd, 1, 15, &oneopt, sizeof(oneopt));
> > 
> >       if (rc == -1)
> >  die(dcgettext (((void *)0), "failed to set SO_REUSE{ADDR|PORT} on DHCP socket: %s", __LC_MESSAGES), ((void *)0), 2);
> >     }
> > [...]
> > 
> > Could either of you try to rebuild dnsmasq in a clean chroot and see
> > if the problem resolves? That the buildd have 3.14.13-2~bpo70+1
> > installed is odd and should not be.
> > 
> >  [1] https://people.debian.org/~carnil/tmp/dnsmasq/dnsmasq_2.62-3+deb7u2_armel-20150505-1143.gz
> >  [2] https://lwn.net/Articles/542629/
> > 
> > Regards,
> > Salvatore
> > 

Message #76 received at 783459@bugs.debian.org (full text, mbox, reply):

From: Ian Campbell <ijc@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: Luca Olivetti <luca@ventoso.org>, 783459@bugs.debian.org

Subject: Re: Bug#783459: dnsmasq: Wheezy regression caused by CVE-2015-3294/2.62-3+deb7u2 w/ bind-interfaces

Date: Wed, 06 May 2015 20:30:21 +0100

[Message part 1 (text/plain, inline)]

On Wed, 2015-05-06 at 16:16 +0200, Salvatore Bonaccorso wrote:
> Could either of you try to rebuild dnsmasq in a clean chroot and see
> if the problem resolves?

Yes, rebuilding in a clean chroot has fixed the issue, thanks.

No sign of backports in the build log (attached).

Ian.

>  That the buildd have 3.14.13-2~bpo70+1
> installed is odd and should not be.
> 
>  [1] https://people.debian.org/~carnil/tmp/dnsmasq/dnsmasq_2.62-3+deb7u2_armel-20150505-1143.gz
>  [2] https://lwn.net/Articles/542629/
> 
> Regards,
> Salvatore
> 

[dnsmasq_2.62-3+deb7u2+b1_armel.build (text/plain, attachment)]

Message #81 received at 783459-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 783459-close@bugs.debian.org

Subject: Bug#783459: fixed in dnsmasq 2.72-3.1

Date: Sun, 10 May 2015 15:34:35 +0000

Source: dnsmasq
Source-Version: 2.72-3.1

We believe that the bug you reported is fixed in the latest version of
dnsmasq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783459@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated dnsmasq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2015 16:09:06 +0200
Source: dnsmasq
Binary: dnsmasq dnsmasq-base dnsmasq-utils
Architecture: source amd64 all
Version: 2.72-3.1
Distribution: unstable
Urgency: medium
Maintainer: Simon Kelley <simon@thekelleys.org.uk>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 dnsmasq    - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-base - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-utils - Utilities for manipulating DHCP leases
Closes: 783459
Changes:
 dnsmasq (2.72-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2015-3294: denial of service and memory disclosure via malformed
     DNS requests (Closes: #783459)
Checksums-Sha1:
 8045ad6e1e7a5ed62d49e1cdd6d672fac3510f91 1870 dnsmasq_2.72-3.1.dsc
 9d91746819db9cc5be6d38cfaac019ad71282eb3 22564 dnsmasq_2.72-3.1.diff.gz
 442e05be419f6db0eff427d6d148e71e67d13dec 15826 dnsmasq_2.72-3.1_all.deb
Checksums-Sha256:
 fb7c4908f74b3b562bd0f8f32dfffb1442bb8b153045d3d097adda00d1b93a85 1870 dnsmasq_2.72-3.1.dsc
 a496547fbee634bbaabc5603085d162c4d1806a4100de17015654320bf0faf29 22564 dnsmasq_2.72-3.1.diff.gz
 23aef43e12dac76aef496b23d8b7adfc601986f5e3e35b9b9f27fe14eec39db0 15826 dnsmasq_2.72-3.1_all.deb
Files:
 6ea739f5671e088b3496716c6b544e21 1870 net optional dnsmasq_2.72-3.1.dsc
 b24cdd4682f8bf674f83df528b86f7b0 22564 net optional dnsmasq_2.72-3.1.diff.gz
 0904344ab96e82e4566ceb79f63096dd 15826 net optional dnsmasq_2.72-3.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVSM/QAAoJEAVMuPMTQ89EyzUP/3/CT+w0Xz9p6WUovzvPT4Yf
2NmfrPMZ4KyKbvyhqx2L5a+zPwHK7vD93ddWW5+1YTAHYaoybKGIv7hYIplXJ3YF
l6wcspDKoRMDT3nXP6SNeonbn1YUhedde67in0+F71kTNoKddz1bFtJaCcmr3eAu
NxwKGD5IEOmFendyuELVZudKPnlCcTi86aTfBAz7ne4V11Q8jJs4IoQV3LvriSXc
9e7ZmmYuQ+XdXgHy+yOkdEmTAQa1b0UT6aNy4suTjqUdYxNWkYCvfn7Lr9ubiSTD
0EMs+OH7nJ7EKPlFLH1uOy+7Ocwh6PnxaxCpIwma1nNj1yP4eLwcult8JzfY17jM
qncUqA/lDuwzELoCvXpRAF2bTPqPh4wwI9iLAmiroStlMJWdgMjCuuMvGgLkGN4J
OWYm5mCe6Rb0b8i472QFaI0OglATrxAmGByE7prxyQyQ1qOys5lM6rGi70vaVPsq
ZV985aykCFIq/7GUaOMuX4eziMFhroZ1D+LS/HNSH2MG5dWlvg+lF7gQxV8OfupP
UXfoAptrQgyw8wdLTpdF1w2SBzAUjgr6Ktb6eq1PkB22iR2yfuQK/77tjjEunbzY
B8txkG+0EwmaIz9TB1k3UIBXcv6FAZNsKslBXxXS3AzCvTEptQK1KpsBNmRSnx5k
I7tucQ32UjIoyv+UZhwP
=UGDo
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.