all messages for Guix-related lists mirrored at yhetil.org
* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
@ 2021-04-09 15:10 Nicolò Balzarotti
  2021-04-09 19:33 ` Leo Famulari
                   ` (3 more replies)
  0 siblings, 4 replies; 9+ messages in thread
From: Nicolò Balzarotti @ 2021-04-09 15:10 UTC (permalink / raw)
  To: 47674

CVE-2021-3448

A flaw was found in dnsmasq in versions before 2.85. When configured to
use a specific server for a given network interface, dnsmasq uses a
fixed port while forwarding queries. An attacker on the network, able to
find the outgoing port used by dnsmasq, only needs to guess the random
transmission ID to forge a reply and get it accepted by dnsmasq. This
flaw makes a DNS Cache Poisoning attack much easier. The highest threat
from this vulnerability is to data integrity.

guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
and there are 43 dependent packages so this can go directly to master.

All dependent packages (refresh -l) build fine except for
python2-libvirt@7.2.0, which is failing also on master
(libvirt-python requires Python >= 3.5 to build).  Since it's a python2
package and no other packages depend on it, can we just drop it?

Thanks, Nicolò


[-- Attachment #2: 0001-gnu-dnsmasq-Update-to-2.85.patch --]
[-- Type: text/x-patch, Size: 1173 bytes --]

From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
From: nixo <nicolo@nixo.xyz>
Date: Fri, 9 Apr 2021 16:19:03 +0200
Subject: [PATCH] gnu: dnsmasq: Update to 2.85.

* gnu/packages/dns.scm (dnsmasq): Update to 2.85.
---
 gnu/packages/dns.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index c940657ce9..3cf88febae 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -278,7 +278,7 @@ prompt the user with the option to go with insecure DNS only.")
 (define-public dnsmasq
   (package
     (name "dnsmasq")
-    (version "2.84")
+    (version "2.85")
     (source (origin
               (method url-fetch)
               (uri (string-append
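Review bot: The `version` change to "2.85" on the `+` line is a security update, but the commit log ("gnu: dnsmasq: Update to 2.85.") does not say so. Consider naming the CVE in the commit message, for example "Update to 2.85 [fixes CVE-2021-3448].", so that the fix can be found later from the history of gnu/packages/dns.scm.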
@@ -286,7 +286,7 @@ prompt the user with the option to go with insecure DNS only.")
                     version ".tar.xz"))
               (sha256
                (base32
-                "0305a0c3snwqcv77sipyynr55xip1fp2843yn04pc4vk9g39acb0"))))
+                "1yhjwgz8g5qrqvxh6bbmg3443zi8qqjks3q872wyb1zn7n0d765d"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
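Review bot: The new base32 `sha256` on the `+` line is the only thing in this patch that pins the content of the 2.85 tarball fetched by `url-fetch`, and the submission does not say how the value was obtained. Please state that it was computed from a tarball checked against upstream's release, so that a reviewer can reproduce it independently (for instance with `guix download` on the same URI) before the change is applied.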
-- 
2.31.1
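
An added example, not part of the original message and not code from Guix or dnsmasq: a small audit that applies the advisory text above to a host by flagging upstream servers bound with `@` in a dnsmasq configuration when the reported version predates 2.85. It assumes dnsmasq's `server=<addr>@<interface>` option syntax and a version banner of the form `Dnsmasq version 2.84`; the sample configuration is constructed, and also reporting `@<source-address>` bindings is an assumption beyond what the advisory text names.

```python
import ipaddress
import re

FIXED_IN = (2, 85)  # advisory text: affected "in versions before 2.85"
SERVER_LINE = re.compile(r"^\s*(?:server|local)\s*=\s*(\S+)")

def parse_version(banner):
    """Extract (major, minor) from a banner such as `dnsmasq --version` prints."""
    m = re.search(r"version\s+(\d+)\.(\d+)", banner, re.IGNORECASE)
    if not m:
        raise ValueError("no dnsmasq version found in banner")
    return int(m.group(1)), int(m.group(2))

def bound_upstreams(conf_text):
    """Return (lineno, kind, binding) for each upstream pinned with '@'."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = SERVER_LINE.match(line)
        if not m:
            continue
        spec = m.group(1).rsplit("/", 1)[-1]  # drop any /domain/ prefix
        for binding in spec.split("@")[1:]:
            host = binding.split("#", 1)[0]   # drop optional #port
            try:
                ipaddress.ip_address(host)
                kind = "source-address"       # assumption: not named in the advisory
            except ValueError:
                kind = "interface"            # the case the advisory describes
            findings.append((lineno, kind, binding))
    return findings

def assess(banner, conf_text):
    """Bindings are findings only when the version predates the fix."""
    if parse_version(banner) >= FIXED_IN:
        return []
    return bound_upstreams(conf_text)

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
# upstream resolvers
server=192.0.2.53
server=/corp.example/198.51.100.10@eth1
server=203.0.113.7#5353@192.0.2.1
"""

if __name__ == "__main__":
    for banner in ("Dnsmasq version 2.84", "Dnsmasq version 2.85"):
        print(banner, "->", assess(banner, SAMPLE_CONF))
```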



* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
  2021-04-09 15:10 bug#47674: dnsmasq is vulnerable to CVE-2021-3448 Nicolò Balzarotti
@ 2021-04-09 19:33 ` Leo Famulari
  2021-04-09 19:34 ` Leo Famulari
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2021-04-09 19:33 UTC (permalink / raw)
  To: Nicolò Balzarotti; +Cc: 47674

On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> CVE-2021-3448
> 
> A flaw was found in dnsmasq in versions before 2.85. When configured to
> use a specific server for a given network interface, dnsmasq uses a
> fixed port while forwarding queries. An attacker on the network, able to
> find the outgoing port used by dnsmasq, only needs to guess the random
> transmission ID to forge a reply and get it accepted by dnsmasq. This
> flaw makes a DNS Cache Poisoning attack much easier. The highest threat
> from this vulnerability is to data integrity.
> 
> guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
> and there are 43 dependent packages so this can go directly to master.
> 
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build).  Since it's a python2
> package and no other packages depend on it, can we just drop it?

Yes, sounds good.


* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
  2021-04-09 15:10 bug#47674: dnsmasq is vulnerable to CVE-2021-3448 Nicolò Balzarotti
  2021-04-09 19:33 ` Leo Famulari
@ 2021-04-09 19:34 ` Leo Famulari
  2021-04-09 19:38 ` Leo Famulari
  2021-04-10 22:27 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  3 siblings, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2021-04-09 19:34 UTC (permalink / raw)
  To: Nicolò Balzarotti; +Cc: 47674-done

On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
> From: nixo <nicolo@nixo.xyz>
> Date: Fri, 9 Apr 2021 16:19:03 +0200
> Subject: [PATCH] gnu: dnsmasq: Update to 2.85.
> 
> * gnu/packages/dns.scm (dnsmasq): Update to 2.85.

Looks like this change was already done with commit
c8d809f9a49c2b4ec5500c2685e96168dcd9afa9





* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
  2021-04-09 15:10 bug#47674: dnsmasq is vulnerable to CVE-2021-3448 Nicolò Balzarotti
  2021-04-09 19:33 ` Leo Famulari
  2021-04-09 19:34 ` Leo Famulari
@ 2021-04-09 19:38 ` Leo Famulari
  2021-04-09 19:47   ` Nicolò Balzarotti
  2021-04-10 22:27 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  3 siblings, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2021-04-09 19:38 UTC (permalink / raw)
  To: Nicolò Balzarotti; +Cc: 47674

On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build).  Since it's a python2
> package and no other packages depend on it, can we just drop it?

I notice that python2-libvirt builds okay on staging:

https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835





* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
  2021-04-09 19:38 ` Leo Famulari
@ 2021-04-09 19:47   ` Nicolò Balzarotti
  2021-04-09 20:07     ` Leo Famulari
  0 siblings, 1 reply; 9+ messages in thread
From: Nicolò Balzarotti @ 2021-04-09 19:47 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 47674

Leo Famulari <leo@famulari.name> writes:

> On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
>> All dependent packages (refresh -l) build fine except for
>> python2-libvirt@7.2.0, which is failing also on master
>> (libvirt-python requires Python >= 3.5 to build).  Since it's a python2
>> package and no other packages depend on it, can we just drop it?
>
> I notice that python2-libvirt builds okay on staging:
>
> https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835

Staging has an older version (5.8 vs 7.2, which has been released in
November 2019 [fn:1] though), and it got updated a few days ago
(28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
fail on staging too.  Am I wrong?


[fn:1] https://pypi.org/project/libvirt-python/#history





* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
  2021-04-09 19:47   ` Nicolò Balzarotti
@ 2021-04-09 20:07     ` Leo Famulari
  2021-04-10 21:39       ` Nicolò Balzarotti
  2021-04-10 22:05       ` Leo Famulari
  0 siblings, 2 replies; 9+ messages in thread
From: Leo Famulari @ 2021-04-09 20:07 UTC (permalink / raw)
  To: Nicolò Balzarotti; +Cc: 47674

On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> Staging has an older version (5.8 vs 7.2, which has been released in
> November 2019 [fn:1] though), and it got updated a few days ago
> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> fail on staging too.  Am I wrong?

Ah, could be. The new staging builds haven't been performed yet.





* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
  2021-04-09 20:07     ` Leo Famulari
@ 2021-04-10 21:39       ` Nicolò Balzarotti
  2021-04-10 22:05       ` Leo Famulari
  1 sibling, 0 replies; 9+ messages in thread
From: Nicolò Balzarotti @ 2021-04-10 21:39 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 47674

Leo Famulari <leo@famulari.name> writes:

> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
>> Staging has an older version (5.8 vs 7.2, which has been released in
>> November 2019 [fn:1] though), and it got updated a few days ago
>> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
>> fail on staging too.  Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.

Failed both i686 and x86_64 on staging





* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
  2021-04-09 20:07     ` Leo Famulari
  2021-04-10 21:39       ` Nicolò Balzarotti
@ 2021-04-10 22:05       ` Leo Famulari
  1 sibling, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2021-04-10 22:05 UTC (permalink / raw)
  To: Nicolò Balzarotti; +Cc: 47674

On Fri, Apr 09, 2021 at 04:07:07PM -0400, Leo Famulari wrote:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> > Staging has an older version (5.8 vs 7.2, which has been released in
> > November 2019 [fn:1] though), and it got updated a few days ago
> > (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> > fail on staging too.  Am I wrong?
> 
> Ah, could be. The new staging builds haven't been performed yet.

Thanks for following up. Sure, I think it's fine to remove a package
if it does not build and has no dependents.





* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
  2021-04-09 15:10 bug#47674: dnsmasq is vulnerable to CVE-2021-3448 Nicolò Balzarotti
                   ` (2 preceding siblings ...)
  2021-04-09 19:38 ` Leo Famulari
@ 2021-04-10 22:27 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  3 siblings, 0 replies; 9+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2021-04-10 22:27 UTC (permalink / raw)
  To: Nicolò Balzarotti; +Cc: 47674

Nicolò,

Nicolò Balzarotti writes:
> gnu/packages/dns.scm (dnsmasq): Update to 2.85.

I see you managed to aim this beautifully between me searching the 
issue tracker for ‘dnsmasq’ and me actually pushing an update, so 
well done I guess.

(Also: sorry for the duplicated effort, and thanks for keeping an 
eye on the securities. :-)

Kind regards,

T G-R
