From nobody Sun Apr 03 11:26:43 2022 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 786DC1A53627; Sun, 3 Apr 2022 11:26:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KWWnv2yZKz3Bmx; Sun, 3 Apr 2022 11:26:43 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648985203; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=vPrg0LWV3fAxwqHCOfsbjgxEyww8YuQ4RVHNh8ERENg=; b=UMix3sbDlY4XZL7dftFJZoFtetjYqx3IAgg6CDakLzFG6kuFqgJqQzpJfavMmov3y3H+DE fTacU4r8lJBEpFMhDEcY79lNk2SKCbS7MLSfObEn/SUpeIc6o8eY87yIsM/o9ygI6a+lnQ tsioyweIoXNzdZ+fSFxKvYLWEJZt064ka3UC2bfrVe2wEMy2lajN1ZENSLQM8o211ZTmd+ Y1rw1shppacPEPg7Lym8QO5c/rYRl4MuBFU0WYfrgbCHY4kpBCPxVxQuEOrHVbMbItMbQN ITvPRF1KEYkXcFQ0PQ+TWvA/E5/2Iv6C4fB3H92YPhxZfDPXiQl/9qlRSfkFMg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 457A51C654; Sun, 3 Apr 2022 11:26:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 233BQh2V072797; Sun, 3 Apr 2022 11:26:43 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 233BQhXY072796; Sun, 3 Apr 2022 11:26:43 GMT (envelope-from git) Date: Sun, 3 Apr 2022 11:26:43 GMT Message-Id: <202204031126.233BQhXY072796@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org From: Matthias Andree Subject: git: 9462781f9507 - 2022Q2 - dns/dnsmasq: fix CVE-2022-0934 DHCPv6 vuln List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mandree X-Git-Repository: ports X-Git-Refname: refs/heads/2022Q2 X-Git-Reftype: branch X-Git-Commit: 9462781f9507615ba775b63d3b012a66f8c3c5b9 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648985203; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=vPrg0LWV3fAxwqHCOfsbjgxEyww8YuQ4RVHNh8ERENg=; b=gK1yBkE+xSMDoPQT1J8kDpw8TPjfuPGLjLO3lLVpiwQd+G/nq+tSI5gpTN1gJuXpenmG3c MlKm+/pwGrcVQxfaHoGtv3yzQdRX1UbqKzuBwq2o9uvVL7uYYM+oSzBkJLyNSJxrCKUSKn usfg9jDhMi9rx4FDYKL+Vb4M44WUuKPf83c7d+DOCWkJLRbPSiTWmmOiE9sO7SiTT8zOPW xFfu/M2nu96tq5rRJOHA4wITtf3QHplaHOVN0Bcqx5VjZtbzDTk2pV6gB/PWF21MyZpfce USjsZUMEImLXBZrm9/LbKB8Jom8XGikEjk43bjPTALN6XjILiwQ+uE5pUchzfQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1648985203; a=rsa-sha256; cv=none; b=QoABjSu6LWk5O2EXT3NlIrc5Bk/6jTWO4mK+3f/YH6UR1crVmZlT5X4hFNoR7hGkZSC2VK /Xo0Q6LeGQuZ0iQ9btfQogGHYDr1kn3NwQmF+4wKYDFAAQiU2FxmBE+xJSytcw6oxaNs1R VbjJtBxQLEJNvOqDHp26YsbZ9DY2PaKbRpkoiGkXX+2nktSWoxUhtulRPTnhD7/CVkrMgd 9OaEwfqIFx4zTE6gQ4cqkIsZA/a2ULQ3QKlR9Fno01buvBG/9RqRxN7yHI82gtNxVHolVh aHmjQMxdS1tiL5y5pOSZ+GmCcy2JDeeUTmo7lv/8BkILc7VN6sGwaLVjD0nQbQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch 2022Q2 has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=9462781f9507615ba775b63d3b012a66f8c3c5b9 commit 9462781f9507615ba775b63d3b012a66f8c3c5b9 Author: Matthias Andree AuthorDate: 2022-04-03 11:07:52 +0000 Commit: Matthias Andree CommitDate: 2022-04-03 11:26:40 +0000 dns/dnsmasq: fix CVE-2022-0934 DHCPv6 vuln Security: 3f321a5a-b33b-11ec-80c2-1bb2c6a00592 Security: CVE-2022-0934 MFH: 2022Q2 (cherry picked from commit 03b5b25346d359e29c16da94772d41637320bdf2) --- dns/dnsmasq/Makefile | 2 +- dns/dnsmasq/files/patch-CVE-2022-0934 | 175 ++++++++++++++++++++++++++++++++++ 2 files changed, 176 insertions(+), 1 deletion(-) diff --git a/dns/dnsmasq/Makefile b/dns/dnsmasq/Makefile index 19958b46de17..87fd6f3e2f5a 100644 --- a/dns/dnsmasq/Makefile +++ b/dns/dnsmasq/Makefile @@ -3,7 +3,7 @@ PORTNAME= dnsmasq DISTVERSION= 2.86 # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps: -PORTREVISION= 3 +PORTREVISION= 4 PORTEPOCH= 1 CATEGORIES= dns MASTER_SITES= https://www.thekelleys.org.uk/dnsmasq/ \ diff --git a/dns/dnsmasq/files/patch-CVE-2022-0934 b/dns/dnsmasq/files/patch-CVE-2022-0934 new file mode 100644 index 000000000000..c063e15b2e34 --- /dev/null +++ b/dns/dnsmasq/files/patch-CVE-2022-0934 @@ -0,0 +1,175 @@ +From dcc62a514092c8afeab4e502db9e65f03c2e1d47 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 22 Feb 2022 00:45:01 +0100 +Subject: [PATCH] Change message type by dedicated function + +Long-term pointer to beginning of message does not work well. I case +outpacket is reallocated in any new_opt6() section, original outmsgtypep +pointer becomes invalid. Instead of using that pointer use dedicated +function, which will change just the first byte of the message. + +This makes sure correct beginning of packet is always used. +--- + src/dnsmasq.h | 1 + + src/outpacket.c | 11 +++++++++++ + src/rfc3315.c | 29 ++++++++++++++--------------- + 3 files changed, 26 insertions(+), 15 deletions(-) + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 51a1aa6..c1c75c1 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -1736,6 +1736,7 @@ void put_opt6_long(unsigned int val); + void put_opt6_short(unsigned int val); + void put_opt6_char(unsigned int val); + void put_opt6_string(char *s); ++void put_msgtype6(unsigned int val); + #endif + + /* radv.c */ +diff --git a/src/outpacket.c b/src/outpacket.c +index abb3a3a..f322811 100644 +--- a/src/outpacket.c ++++ b/src/outpacket.c +@@ -115,4 +115,15 @@ void put_opt6_string(char *s) + put_opt6(s, strlen(s)); + } + ++void put_msgtype6(unsigned int val) ++{ ++ if (outpacket_counter == 0) ++ put_opt6_char(val); ++ else ++ { ++ unsigned char *p = daemon->outpacket.iov_base; ++ *p = val; ++ } ++} ++ + #endif +diff --git a/src/rfc3315.c b/src/rfc3315.c +index cee8382..baeb51e 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -110,7 +110,6 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + void *end = inbuff + sz; + void *opts = inbuff + 34; + int msg_type = *((unsigned char *)inbuff); +- unsigned char *outmsgtypep; + void *opt; + struct dhcp_vendor *vendor; + +@@ -192,9 +191,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + return 0; + + /* copy header stuff into reply message and set type to reply */ +- if (!(outmsgtypep = put_opt6(inbuff, 34))) ++ if (!put_opt6(inbuff, 34)) + return 0; +- *outmsgtypep = DHCP6RELAYREPL; ++ put_msgtype6(DHCP6RELAYREPL); + + /* look for relay options and set tags if found. */ + for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next) +@@ -267,7 +266,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *tagif; + struct dhcp_config *config = NULL; + struct dhcp_netid known_id, iface_id, v6_id; +- unsigned char *outmsgtypep; ++ unsigned char *xid; + struct dhcp_vendor *vendor; + struct dhcp_context *context_tmp; + struct dhcp_mac *mac_opt; +@@ -297,10 +296,10 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + state->tags = &v6_id; + + /* copy over transaction-id, and save pointer to message type */ +- if (!(outmsgtypep = put_opt6(inbuff, 4))) ++ if (!(xid = put_opt6(inbuff, 4))) + return 0; + start_opts = save_counter(-1); +- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; ++ state->xid = xid[3] | xid[2] << 8 | xid[1] << 16; + + /* We're going to be linking tags from all context we use. + mark them as unused so we don't link one twice and break the list */ +@@ -347,7 +346,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) + + { +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6USEMULTI); + put_opt6_string("Use multicast"); +@@ -619,11 +618,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *solicit_tags; + struct dhcp_context *c; + +- *outmsgtypep = DHCP6ADVERTISE; ++ put_msgtype6(DHCP6ADVERTISE); + + if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) + { +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + state->lease_allocate = 1; + o = new_opt6(OPTION6_RAPID_COMMIT); + end_opt6(o); +@@ -809,7 +808,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int start = save_counter(-1); + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + state->lease_allocate = 1; + + log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL); +@@ -924,7 +923,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int address_assigned = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, msg_type == DHCP6RENEW ? "DHCPRENEW" : "DHCPREBIND", NULL, NULL); + +@@ -1057,7 +1056,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int good_addr = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPCONFIRM", NULL, NULL); + +@@ -1121,7 +1120,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname); + if (ignore) + return 0; +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + tagif = add_options(state, 1); + break; + } +@@ -1130,7 +1129,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RELEASE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPRELEASE", NULL, NULL); + +@@ -1195,7 +1194,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6DECLINE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPDECLINE", NULL, NULL); + +-- +2.34.1 +