dnsmasq: Backport some security updates v1.5.4-20210122
author Hauke Mehrtens <hauke@hauke-m.de>
Mon, 11 Jan 2021 00:03:03 +0000 (01:03 +0100)
committer RISCi_ATOM <bob@bobcall.me>
Fri, 22 Jan 2021 15:39:16 +0000 (10:39 -0500)
commit bd44222377bdb127e28b16855b399c7e4e5e8b48
tree ba0a471be75a8f4ceca5ec730151960c11465386
parent 015d9caed53aeeb6aee116b5222ffca16964cdd4
dnsmasq: Backport some security updates

This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
  Dnsmasq versions before 2.83 are susceptible to a heap-based buffer
  overflow in sort_rrset() when DNSSEC is used. This can allow a remote
  attacker to write arbitrary data into target device's memory that can
  lead to memory corruption and other unexpected behaviors on the target
  device.
* CVE-2020-25682:
  Dnsmasq versions before 2.83 are susceptible to buffer overflow in
  extract_name() function due to missing length check, when DNSSEC is
  enabled. This can allow a remote attacker to cause memory corruption
  on the target device.
* CVE-2020-25683:
  Dnsmasq version before 2.83 is susceptible to a heap-based buffer
  overflow when DNSSEC is enabled. A remote attacker, who can create
  valid DNS replies, could use this flaw to cause an overflow in a heap-
  allocated memory. This flaw is caused by the lack of length checks in
  rtc1035.c:extract_name(), which could be abused to make the code
  execute memcpy() with a negative size in get_rdata() and cause a crash
  in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
  A lack of proper address/port check implemented in Dnsmasq version <
  2.83 reply_query function makes forging replies easier to an off-path
  attacker.
* CVE-2020-25685:
  A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
  versions before 2.83 reply_query function allows remote attackers to
  spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
  Multiple DNS query requests for the same resource name (RRNAME) by
  Dnsmasq versions before 2.83 allow for remote attackers to spoof DNS
  traffic, using a birthday attack (RFC 5452), that can lead to DNS
  cache poisoning.
* CVE-2020-25687:
  Dnsmasq versions before 2.83 are vulnerable to a heap-based buffer
  overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
  remote attacker, who can create valid DNS replies, could use this flaw
  to cause an overflow in a heap-allocated memory. This flaw is caused
  by the lack of length checks in rtc1035.c:extract_name(), which could
  be abused to make the code execute memcpy() with a negative size in
  sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
  Service.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
14 files changed:
package/network/services/dnsmasq/Makefile
package/network/services/dnsmasq/patches/0102-Fix-remote-buffer-overflow-CERT-VU-434904.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/0103-Check-destination-of-DNS-UDP-query-replies.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/0104-Use-SHA-256-to-provide-security-against-DNS-cache-po.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/0105-Optimse-RR-digest-calculation-in-DNSSEC.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/0107-Add-missing-check-for-NULL-return-from-allocate_rfd.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/0108-Handle-multiple-identical-near-simultaneous-DNS-quer.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/0109-Handle-caching-with-EDNS-options-better.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/0110-Support-hash-function-from-nettle-only.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/0111-Small-cleanups-in-frec_src-datastucture-handling.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/0112-Add-CVE-numbers-to-security-update-descriptions-in-C.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/0113-Fix-warning-message-logic.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/0115-Update-to-new-struct-frec-fields-in-conntrack-code.patch [new file with mode: 0644]
package/network/services/dnsmasq/patches/050-crypto-use-nettle-ecc_curve-access-functions.patch
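
The reply checks that the CVE-2020-25684 and CVE-2020-25685 entries above describe as missing (source address/port and query name), together with a length-checked name decoder of the kind the extract_name() entries refer to, as an added example. This is not dnsmasq's code or any of the backported patches; `pending_query`, `read_qname`, `accept_reply` and the sample packet are hypothetical names and constructed data.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record of one forwarded query; not dnsmasq's own structure. */
struct pending_query {
    uint32_t server_ip;    /* upstream the query was sent to */
    uint16_t server_port;
    uint16_t txid;
    char qname[256];       /* lower case, dotted, no trailing dot */
};

/* Decode the question name at msg[12]; -1 if a label overruns the packet or out. */
static int read_qname(const uint8_t *msg, size_t len, char *out, size_t outsz)
{
    size_t pos = 12, o = 0;
    if (outsz == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;          /* ran off the end before the root label */
        size_t l = msg[pos++];
        if (l == 0) break;
        /* Length checks come before any copy: label size, packet bound, output bound. */
        if (l > 63 || l > len - pos || o + l + 1 >= outsz) return -1;
        if (o) out[o++] = '.';
        while (l--) out[o++] = (char)tolower(msg[pos++]);
    }
    out[o] = '\0';
    return (int)(pos - 12);
}

/* Accept a UDP reply only if source, ID and question all match the query. */
int accept_reply(const struct pending_query *q, uint32_t src_ip, uint16_t src_port,
                 const uint8_t *msg, size_t len)
{
    char name[256];
    if (src_ip != q->server_ip || src_port != q->server_port) return 0; /* address/port */
    if (len < 12 || ((msg[0] << 8) | msg[1]) != q->txid) return 0;      /* transaction ID */
    if (!(msg[2] & 0x80) || ((msg[4] << 8) | msg[5]) != 1) return 0;    /* reply, 1 question */
    if (read_qname(msg, len, name, sizeof name) < 0) return 0;
    return strcmp(name, q->qname) == 0;                                 /* RRNAME */
}

/* Constructed sample data: reply for "Example.COM" from 192.0.2.53:53, ID 0x1a2b. */
static const struct pending_query SAMPLE_QUERY = { 0xC0000235u, 53, 0x1a2b, "example.com" };
static const uint8_t SAMPLE_REPLY[] = { 0x1a,0x2b, 0x81,0x80, 0,1, 0,0, 0,0, 0,0,
    7,'E','x','a','m','p','l','e', 3,'C','O','M', 0, 0,1, 0,1 };

int main(void)
{
    return accept_reply(&SAMPLE_QUERY, 0xC0000235u, 53, SAMPLE_REPLY, sizeof SAMPLE_REPLY) ? 0 : 1;
}
```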