
dnsmasq: version 2.90 (CVE 2023-50387, CVE 2023-50868) #14669

Merged: 1 commit, Mar 11, 2024

Conversation

@nwf (Contributor) commented Feb 18, 2024

@nbd168 Please review the changes to package/network/services/dnsmasq/patches/200-ubus_dns.patch . I believe they are correct, but upstream's 12ddb2a4b9204846db7c38eefe4080d89dbed708 ("To implement this needed the DNS-doctor code to be untangled from find_soa()") imposed a little bit of work.

@github-actions github-actions bot added the core packages pull request/issue for core (in-tree) packages label Feb 18, 2024
@nwf nwf force-pushed the 202402-dnsmasq290 branch 2 times, most recently from ef630a6 to 134e5cc Compare February 18, 2024 23:08
@ynezz (Member) left a comment

Thanks for taking care. BTW, this update fixes CVE 2023-50868 as well, so it should be mentioned in the commit description.

@ynezz ynezz changed the title dnsmasq: version 2.90 dnsmasq: version 2.90 (CVE 2023-50868, CVE 2023-50867) Feb 19, 2024
@ynezz ynezz added the security Topic related to security. label Feb 19, 2024
@ynezz ynezz changed the title dnsmasq: version 2.90 (CVE 2023-50868, CVE 2023-50867) dnsmasq: version 2.90 (CVE 2023-50387, CVE 2023-50868) Feb 19, 2024
@egc112 commented Feb 19, 2024

I compiled with your patch for my DL-WRX36.
DNSMasq is running without a problem:

Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 1000
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.91.100 -- 192.168.91.249, lease time 12h
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.9.128 -- 192.168.9.191, lease time 12h
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using nameserver 1.0.0.1#53
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using nameserver 2620:fe::10#53
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using nameserver 2606:4700:4700::1001#53
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 6 names
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses

Do you want me to test anything else?
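The startup lines quoted above are enough to confirm which dnsmasq a router is actually running. The following is an added example for this thread, not code from dnsmasq, OpenWrt or this PR: it parses the "started, version" and "compile time options" lines, gates on 2.90 (the first upstream release with the KeyTrap fixes named in the PR title) and reports whether DNSSEC support is compiled in. The second sample block (a 2.89 startup) is constructed for comparison, and treating a pre-release suffix such as rc or test as "not the fixed release" is a conservative choice of this example, not something the log format guarantees.

```python
"""Check dnsmasq startup log lines for the 2.90 KeyTrap fix.

Added example for this thread; not part of dnsmasq or OpenWrt. It reads the
syslog lines dnsmasq emits at startup, extracts the version and the compile-time
option list, and reports whether the build is a 2.90-or-later release and
whether DNSSEC support is compiled in at all.
"""
import re
from typing import Optional

# Matches "dnsmasq[1]: started, version 2.90 cachesize 1000" (also 2.90rc1-style tags).
VERSION_RE = re.compile(r"dnsmasq\[\d+\]: started, version (\d+)\.(\d+)([A-Za-z0-9]*)")
# Matches "dnsmasq[1]: compile time options: IPv6 GNU-getopt ..."
OPTIONS_RE = re.compile(r"dnsmasq\[\d+\]: compile time options: (.+)$")

FIXED_VERSION = (2, 90)  # first upstream release carrying the CVE-2023-50387/50868 fixes


def check_startup_log(log_text: str) -> dict:
    """Scan a block of dnsmasq syslog lines and summarise the running build."""
    version: Optional[tuple] = None
    suffix = ""
    options: list = []
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            version = (int(m.group(1)), int(m.group(2)))
            suffix = m.group(3)
        m = OPTIONS_RE.search(line)
        if m:
            options = m.group(1).split()
    if version is None:
        raise ValueError("no 'started, version' line found")
    # A pre-release tag (e.g. "test5" or "rc1") is not counted as the fixed release:
    # a conservative choice made in this example, not a property of the log format.
    release_ok = version >= FIXED_VERSION and suffix == ""
    return {
        "version": version,
        "suffix": suffix,
        "fixed_release": release_ok,
        "dnssec_compiled": "DNSSEC" in options,
        "options": options,
    }


# Constructed sample input: the first block repeats three lines quoted in the
# comment above; the second block is a made-up 2.89 startup for comparison.
SAMPLE_290 = """\
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 1000
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Mon Feb 19 17:10:56 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
"""
SAMPLE_289 = """\
Mon Feb 19 17:00:00 2024 daemon.info dnsmasq[1]: started, version 2.89 cachesize 1000
Mon Feb 19 17:00:00 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
"""

if __name__ == "__main__":
    for name, sample in (("2.90 build", SAMPLE_290), ("2.89 build", SAMPLE_289)):
        r = check_startup_log(sample)
        print(name, r["version"], "fixed release:", r["fixed_release"],
              "DNSSEC compiled:", r["dnssec_compiled"])
```

DNSSEC in the compile-time options only means the code is present; dnsmasq validates only when its `dnssec` option is set (on OpenWrt, `option dnssec '1'` in /etc/config/dhcp). A build without validation enabled forwards answers without doing the work KeyTrap abuses, so the version gate is what matters on validating resolvers in particular.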

@egc112 left a comment

Working for me, thanks.

@nwf (Contributor, Author) commented Feb 20, 2024

Commit message updated as per @ynezz feedback.

@orangepizza (Contributor):

How likely is a client to be hit by this? Or will most upstream resolvers strip the attack for us?
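The page does not settle whether a given upstream shields a validating dnsmasq; what it does settle is that the fix lives in the validator, and a dnsmasq configured with `dnssec` fetches and checks DNSKEY and RRSIG records itself. The added example below is mine, not dnsmasq's code or anything from this PR, and it does not reproduce any published attack zone. It shows, with the RFC 4034 key-tag computation, why a validator that tries every tag-matching DNSKEY for every RRSIG does keys times signatures expensive operations before it can call an answer bogus (the shape of CVE-2023-50387), and how a validator with a failure budget fails closed instead. The key construction, the HMAC stand-in for real signature verification, the budget value and the sample RRset bytes are all assumptions of the example.

```python
"""Why colliding DNSKEY key tags blow up validation cost (KeyTrap, CVE-2023-50387).

Added example for this thread; it is not dnsmasq code and does not reproduce the
published attack zones. Real signature verification is replaced by an HMAC
stand-in so it runs offline; what matters is the count of verification attempts.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    rdata: bytes

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)

    @property
    def pubkey(self) -> bytes:
        return self.rdata[4:]


@dataclass(frozen=True)
class RRSIG:
    key_tag: int      # the only selector a validator has before doing any crypto
    signature: bytes


def colliding_keys(n: int, seed: int = 1234, key_len: int = 64) -> list:
    """n distinct DNSKEYs that share one key tag.

    The tag is a 16-bit sum of shifted even-position bytes plus odd-position
    bytes, so rotating the even-position bytes of one key gives a different key
    with the same tag. No search is needed: the zone owner picks the keys.
    """
    rng = random.Random(seed)
    base = bytearray(rng.randrange(256) for _ in range(key_len))
    header = bytes([0x01, 0x01, 0x03, 0x0D])  # flags=257 (KSK), protocol=3, alg=13
    evens = [base[j] for j in range(0, key_len, 2)]
    keys = []
    for i in range(n):
        rotated = evens[i:] + evens[:i]
        body = bytearray(base)
        for k, j in enumerate(range(0, key_len, 2)):
            body[j] = rotated[k]          # rdata index 4+j is even, header is 4 bytes
        keys.append(DNSKEY(header + bytes(body)))
    return keys


def _sign(key: DNSKEY, data: bytes) -> bytes:
    # Toy stand-in for an RSA/ECDSA signature; NOT a DNSSEC algorithm.
    return hmac.new(key.pubkey, data, hashlib.sha256).digest()


def _verify(key: DNSKEY, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_sign(key, data), sig)


def validate_naive(data: bytes, rrsigs: list, dnskeys: list):
    """Unbounded validator: every RRSIG is tried against every DNSKEY whose tag
    matches. With k colliding keys and s RRSIGs that is k*s expensive operations
    before the RRset is finally declared bogus. Returns (secure, crypto_ops)."""
    ops = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key.tag != sig.key_tag:
                continue
            ops += 1
            if _verify(key, data, sig.signature):
                return True, ops
    return False, ops


def validate_bounded(data: bytes, rrsigs: list, dnskeys: list, budget: int = 16):
    """Same matching logic with a cap on failed verifications per RRset. Hitting
    the cap fails closed (the answer is treated as bogus) instead of grinding on.
    The cap value is an assumption of this demo, not dnsmasq's setting."""
    ops = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key.tag != sig.key_tag:
                continue
            if ops >= budget:
                return False, ops
            ops += 1
            if _verify(key, data, sig.signature):
                return True, ops
    return False, ops


def run_demo(n_keys: int = 16, n_sigs: int = 16, budget: int = 16) -> dict:
    """Constructed scenario: an honest RRset (1 key, 1 good RRSIG) next to a
    hostile one (n_keys colliding keys, n_sigs RRSIGs with that tag, all junk)."""
    data = b"www.example. IN A 192.0.2.1"  # stand-in for the canonical RRset bytes
    keys = colliding_keys(n_keys)
    rng = random.Random(99)
    junk_sigs = [RRSIG(keys[0].tag, bytes(rng.randrange(256) for _ in range(32)))
                 for _ in range(n_sigs)]
    good_sig = RRSIG(keys[0].tag, _sign(keys[0], data))

    honest_ok, honest_ops = validate_naive(data, [good_sig], keys[:1])
    naive_ok, naive_ops = validate_naive(data, junk_sigs, keys)
    bounded_ok, bounded_ops = validate_bounded(data, junk_sigs, keys, budget)
    return {
        "distinct_keys": len({k.rdata for k in keys}),
        "distinct_tags": len({k.tag for k in keys}),
        "honest": (honest_ok, honest_ops),
        "naive": (naive_ok, naive_ops),
        "bounded": (bounded_ok, bounded_ops),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With 16 keys and 16 signatures the naive validator performs 256 verification attempts for one RRset and the bounded one stops at 16; in a real resolver each attempt is an asymmetric-crypto operation, which is where the CPU time goes. The records themselves are ordinary DNSKEY and RRSIG RRs that any forwarder passes through when the DO bit is set, so the protection has to be in the validator doing the work.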

@ascendbeing:

Huh. interesting. #14631 would be a pseudo duplicate. I am mildly perplexed this PR exists, and appears to be still a work in progress, yet my bug was still marked "completed".

@nwf (Contributor, Author) commented Mar 4, 2024

Can this be merged? Do I need to do anything?

@gUstrx commented Mar 9, 2024

Can anyone post ipk package 2.90 for manual replacement?

@joed74 left a comment

It's working without problems!

Bump to 2.90 to get upstream's fix for DNSSEC KeyTrap (CVE-2023-50387,
CVE-2023-50868) among many other goodies and fixes (notably, upstream
568fb024... fixes a UAF in cache_remove_uid that was routinely crashing
dnsmasq in my deployment).

Catch up our 200-ubus_dns.patch, too.

Signed-off-by: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
@openwrt-bot openwrt-bot merged commit 838a27f into openwrt:main Mar 11, 2024
3 checks passed
@robimarko (Contributor):

Thanks! Rebased on top of main and merged!

@stangri (Member) commented Mar 11, 2024

Great work! Can anyone with permissions cherry-pick it for current release? @robimarko ?

@systemcrash (Contributor):

@stangri this is a relatively busy repo, so see if we can help out and prep the CP (of this commit) as a PR.

@stangri (Member) commented Mar 12, 2024

@systemcrash #14853

@nwf nwf deleted the 202402-dnsmasq290 branch April 9, 2024 04:55