From nobody Sun Apr 03 11:16:13 2022 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id EBDB81A50EF6; Sun, 3 Apr 2022 11:16:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KWWYn2Ys8z4tkT; Sun, 3 Apr 2022 11:16:13 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648984573; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ilURMmBrkGjqZ8Pw/wbf3FEX0utVHDmNFypea7LIRS4=; b=Htx2AP+JN50XqvUVzYg7/xLerX7wsGilfheLwfX3lnzixGgK89JU3e2ZLXI8bDQ736LHlq IeKKWN8i+KFsHjjrAZ1A14rfQeeU4X8rkHJx4BNcQ9LuPTDV8v02+cwnOv1TWfHDpf5rmN JnsTAPqer5SDFqwcSU+AGpIUYfhfNv0BkLsBIQ6zpduOBYxin8PE7EY3uCF3Ce8P+EdmGC y0RCVbgLK3rwCMjUocRNtsXS/l4jHGZi6Hn8SvbwzNcwT5wqUJxfXsUCK2vyqjVgyuoKQq rvpqO/ok8hC5M9MyKeNihwP6DWGldKaCzHmFwXbJFPACxdnyhASpcCpzLMUZjg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 222F81C7FE; Sun, 3 Apr 2022 11:16:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 233BGDL2059265; Sun, 3 Apr 2022 11:16:13 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 233BGDmZ059264; Sun, 3 Apr 2022 11:16:13 GMT (envelope-from git) Date: Sun, 3 Apr 2022 11:16:13 GMT Message-Id: <202204031116.233BGDmZ059264@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Matthias Andree Subject: git: 03b5b25346d3 - main - dns/dnsmasq: fix CVE-2022-0934 DHCPv6 vuln List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mandree X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 03b5b25346d359e29c16da94772d41637320bdf2 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648984573; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ilURMmBrkGjqZ8Pw/wbf3FEX0utVHDmNFypea7LIRS4=; b=wzNeqeT5G+RvsNoHX38yFYX68NV6sXPUGdROd/y9JCwQpZ/o6kydiAeRW98M1PSuPm7J6I AQHZN9tNJhFiQTC4ZkbAzgGJnlDf1UhQxLc9+TmyGuXb0gmQIc9OyK7lwTDIqRQPJLZfMg BZnXZm/WZlaNUxqExv+kYTeDASdFwAnHfFChArGUozQ/RJ//mC+BuUQ1mnXkuXvuwczxMo TM4nMQEEc2Tg7Q8mviLxlSueXp5IsX9oUEf8qOIDqHap6mvqaPj9fh+CM7yVRgwu3npY4q ccaACHx9wBtkuIOM98lhp0HZ5AuQS/SuCvz8Lb6a/s54xL3cdPJBf8uZtJa0Qw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1648984573; a=rsa-sha256; cv=none; b=s9g8RqrmIhub5oimBVmjhXbnSMe7t497G9TvDIVGZcP3io4kBsfVpmskSg/AKPTRh2eVt6 8C4nwV+LVgKhoRSMkO+/IA9/eQZJs/hz53sPZh+Ncq6lIhJWtv/06hUSJCSNQjODhLE4xW OIg9zKgMyjpUKmKAxoPVvIYcj4xa4y86Fe99n1tMQTMe4uvN4Zo7b4TfreJwuZJlZMkGOT 0PzQXY+erjWhjaKeym1pdv9IkKbPG4xkoGtK62hAz9GMgeUwavyCsj3f0sWBrHlksWaZD6 yu9Oxxo2WKbEzeHHhkdF7hLgmh8kNjnqX20puQVmoCN/KM5pE7aE2cSgxd6FNg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=03b5b25346d359e29c16da94772d41637320bdf2 commit 03b5b25346d359e29c16da94772d41637320bdf2 Author: Matthias Andree AuthorDate: 2022-04-03 11:07:52 +0000 Commit: Matthias Andree CommitDate: 2022-04-03 11:15:58 +0000 dns/dnsmasq: fix CVE-2022-0934 DHCPv6 vuln Security: 3f321a5a-b33b-11ec-80c2-1bb2c6a00592 Security: CVE-2022-0934 MFH: 2022Q2 --- dns/dnsmasq/Makefile | 2 +- dns/dnsmasq/files/patch-CVE-2022-0934 | 175 ++++++++++++++++++++++++++++++++++ 2 files changed, 176 insertions(+), 1 deletion(-) diff --git a/dns/dnsmasq/Makefile b/dns/dnsmasq/Makefile index 19958b46de17..87fd6f3e2f5a 100644 --- a/dns/dnsmasq/Makefile +++ b/dns/dnsmasq/Makefile @@ -3,7 +3,7 @@ PORTNAME= dnsmasq DISTVERSION= 2.86 # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps: -PORTREVISION= 3 +PORTREVISION= 4 PORTEPOCH= 1 CATEGORIES= dns MASTER_SITES= https://www.thekelleys.org.uk/dnsmasq/ \ diff --git a/dns/dnsmasq/files/patch-CVE-2022-0934 b/dns/dnsmasq/files/patch-CVE-2022-0934 new file mode 100644 index 000000000000..c063e15b2e34 --- /dev/null +++ b/dns/dnsmasq/files/patch-CVE-2022-0934 @@ -0,0 +1,175 @@ +From dcc62a514092c8afeab4e502db9e65f03c2e1d47 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 22 Feb 2022 00:45:01 +0100 +Subject: [PATCH] Change message type by dedicated function + +Long-term pointer to beginning of message does not work well. I case +outpacket is reallocated in any new_opt6() section, original outmsgtypep +pointer becomes invalid. Instead of using that pointer use dedicated +function, which will change just the first byte of the message. + +This makes sure correct beginning of packet is always used. +--- + src/dnsmasq.h | 1 + + src/outpacket.c | 11 +++++++++++ + src/rfc3315.c | 29 ++++++++++++++--------------- + 3 files changed, 26 insertions(+), 15 deletions(-) + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 51a1aa6..c1c75c1 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -1736,6 +1736,7 @@ void put_opt6_long(unsigned int val); + void put_opt6_short(unsigned int val); + void put_opt6_char(unsigned int val); + void put_opt6_string(char *s); ++void put_msgtype6(unsigned int val); + #endif + + /* radv.c */ +diff --git a/src/outpacket.c b/src/outpacket.c +index abb3a3a..f322811 100644 +--- a/src/outpacket.c ++++ b/src/outpacket.c +@@ -115,4 +115,15 @@ void put_opt6_string(char *s) + put_opt6(s, strlen(s)); + } + ++void put_msgtype6(unsigned int val) ++{ ++ if (outpacket_counter == 0) ++ put_opt6_char(val); ++ else ++ { ++ unsigned char *p = daemon->outpacket.iov_base; ++ *p = val; ++ } ++} ++ + #endif +diff --git a/src/rfc3315.c b/src/rfc3315.c +index cee8382..baeb51e 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -110,7 +110,6 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + void *end = inbuff + sz; + void *opts = inbuff + 34; + int msg_type = *((unsigned char *)inbuff); +- unsigned char *outmsgtypep; + void *opt; + struct dhcp_vendor *vendor; + +@@ -192,9 +191,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + return 0; + + /* copy header stuff into reply message and set type to reply */ +- if (!(outmsgtypep = put_opt6(inbuff, 34))) ++ if (!put_opt6(inbuff, 34)) + return 0; +- *outmsgtypep = DHCP6RELAYREPL; ++ put_msgtype6(DHCP6RELAYREPL); + + /* look for relay options and set tags if found. */ + for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next) +@@ -267,7 +266,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *tagif; + struct dhcp_config *config = NULL; + struct dhcp_netid known_id, iface_id, v6_id; +- unsigned char *outmsgtypep; ++ unsigned char *xid; + struct dhcp_vendor *vendor; + struct dhcp_context *context_tmp; + struct dhcp_mac *mac_opt; +@@ -297,10 +296,10 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + state->tags = &v6_id; + + /* copy over transaction-id, and save pointer to message type */ +- if (!(outmsgtypep = put_opt6(inbuff, 4))) ++ if (!(xid = put_opt6(inbuff, 4))) + return 0; + start_opts = save_counter(-1); +- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; ++ state->xid = xid[3] | xid[2] << 8 | xid[1] << 16; + + /* We're going to be linking tags from all context we use. + mark them as unused so we don't link one twice and break the list */ +@@ -347,7 +346,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) + + { +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6USEMULTI); + put_opt6_string("Use multicast"); +@@ -619,11 +618,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *solicit_tags; + struct dhcp_context *c; + +- *outmsgtypep = DHCP6ADVERTISE; ++ put_msgtype6(DHCP6ADVERTISE); + + if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) + { +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + state->lease_allocate = 1; + o = new_opt6(OPTION6_RAPID_COMMIT); + end_opt6(o); +@@ -809,7 +808,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int start = save_counter(-1); + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + state->lease_allocate = 1; + + log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL); +@@ -924,7 +923,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int address_assigned = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, msg_type == DHCP6RENEW ? "DHCPRENEW" : "DHCPREBIND", NULL, NULL); + +@@ -1057,7 +1056,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int good_addr = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPCONFIRM", NULL, NULL); + +@@ -1121,7 +1120,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname); + if (ignore) + return 0; +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + tagif = add_options(state, 1); + break; + } +@@ -1130,7 +1129,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RELEASE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPRELEASE", NULL, NULL); + +@@ -1195,7 +1194,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6DECLINE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPDECLINE", NULL, NULL); + +-- +2.34.1 +