bug#47674: dnsmasq is vulnerable to CVE-2021-3448

bug#47674: dnsmasq is vulnerable to CVE-2021-3448

[Nicolò Balzarotti]

[-- Attachment #1: Type: text/plain, Size: 920 bytes --]

CVE-2021-3448

A flaw was found in dnsmasq in versions before 2.85. When configured to
use a specific server for a given network interface, dnsmasq uses a
fixed port while forwarding queries. An attacker on the network, able to
find the outgoing port used by dnsmasq, only needs to guess the random
transmission ID to forge a reply and get it accepted by dnsmasq. This
flaw makes a DNS Cache Poisoning attack much easier. The highest threat
from this vulnerability is to data integrity.

guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
and there are 43 dependent packages so this can go directly to master.

All dependent packages (refresh -l) build fine except for
python2-libvirt@7.2.0, which is failing also on master
(libvirt-python requires Python >= 3.5 to build).  Since it's a python2
package and no other packages depends on it, can we just drop it?

Thanks, Nicolò


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-dnsmasq-Update-to-2.85.patch --]
[-- Type: text/x-patch, Size: 1173 bytes --]

From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
From: nixo <nicolo@nixo.xyz>
Date: Fri, 9 Apr 2021 16:19:03 +0200
Subject: [PATCH] gnu: dnsmasq: Update to 2.85.

* gnu/packages/dns.scm (dnsmasq): Update to 2.85.
---
 gnu/packages/dns.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index c940657ce9..3cf88febae 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -278,7 +278,7 @@ prompt the user with the option to go with insecure DNS only.")
 (define-public dnsmasq
   (package
     (name "dnsmasq")
-    (version "2.84")
+    (version "2.85")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -286,7 +286,7 @@ prompt the user with the option to go with insecure DNS only.")
                     version ".tar.xz"))
               (sha256
                (base32
-                "0305a0c3snwqcv77sipyynr55xip1fp2843yn04pc4vk9g39acb0"))))
+                "1yhjwgz8g5qrqvxh6bbmg3443zi8qqjks3q872wyb1zn7n0d765d"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
-- 
2.31.1

bug#47674: dnsmasq is vulnerable to CVE-2021-3448

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1022 bytes --]

On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> CVE-2021-3448
> 
> A flaw was found in dnsmasq in versions before 2.85. When configured to
> use a specific server for a given network interface, dnsmasq uses a
> fixed port while forwarding queries. An attacker on the network, able to
> find the outgoing port used by dnsmasq, only needs to guess the random
> transmission ID to forge a reply and get it accepted by dnsmasq. This
> flaw makes a DNS Cache Poisoning attack much easier. The highest threat
> from this vulnerability is to data integrity.
> 
> guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
> and there are 43 dependent packages so this can go directly to master.
> 
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build).  Since it's a python2
> package and no other packages depends on it, can we just drop it?

Yes, sounds good.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#47674: dnsmasq is vulnerable to CVE-2021-3448

[Leo Famulari]

On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
> From: nixo <nicolo@nixo.xyz>
> Date: Fri, 9 Apr 2021 16:19:03 +0200
> Subject: [PATCH] gnu: dnsmasq: Update to 2.85.
> 
> * gnu/packages/dns.scm (dnsmasq): Update to 2.85.

Looks like this change was already done with commit
c8d809f9a49c2b4ec5500c2685e96168dcd9afa9

bug#47674: dnsmasq is vulnerable to CVE-2021-3448

[Leo Famulari]

On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build).  Since it's a python2
> package and no other packages depends on it, can we just drop it?

I notice that python2-libvirt builds okay on staging:

https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835

bug#47674: dnsmasq is vulnerable to CVE-2021-3448

[Nicolò Balzarotti]

Leo Famulari <leo@famulari.name> writes:

> On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
>> All dependent packages (refresh -l) build fine except for
>> python2-libvirt@7.2.0, which is failing also on master
>> (libvirt-python requires Python >= 3.5 to build).  Since it's a python2
>> package and no other packages depends on it, can we just drop it?
>
> I notice that python2-libvirt builds okay on staging:
>
> https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835

Staging has an older version (5.8 vs 7.2, which has been released in
november 2019 [fn:1] though), and it got updated a few days ago
(28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
fail on staging too.  Am I wrong?


[fn:1] https://pypi.org/project/libvirt-python/#history

bug#47674: dnsmasq is vulnerable to CVE-2021-3448

[Leo Famulari]

On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> Staging has an older version (5.8 vs 7.2, which has been released in
> november 2019 [fn:1] though), and it got updated a few days ago
> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> fail on staging too.  Am I wrong?

Ah, could be. The new staging builds haven't been performed yet.

bug#47674: dnsmasq is vulnerable to CVE-2021-3448

[Nicolò Balzarotti]

Leo Famulari <leo@famulari.name> writes:

> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
>> Staging has an older version (5.8 vs 7.2, which has been released in
>> november 2019 [fn:1] though), and it got updated a few days ago
>> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
>> fail on staging too.  Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Failed both i686 and x86_64 on staging

bug#47674: dnsmasq is vulnerable to CVE-2021-3448

[Leo Famulari]

On Fri, Apr 09, 2021 at 04:07:07PM -0400, Leo Famulari wrote:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> > Staging has an older version (5.8 vs 7.2, which has been released in
> > november 2019 [fn:1] though), and it got updated a few days ago
> > (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> > fail on staging too.  Am I wrong?
> 
> Ah, could be. The new staging builds haven't been performed yet.

Thanks for following up. Sure, I think it's fine to remove a package
if it does not build and has no dependents.

bug#47674: dnsmasq is vulnerable to CVE-2021-3448

[Tobias Geerinckx-Rice via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 378 bytes --]

Nicolò,

Nicolò Balzarotti writes:
> gnu/packages/dns.scm (dnsmasq): Update to 2.85.

I see you managed to aim this beautifully between me searching the 
issue tracker for ‘dnsmasq’ and me actually pushing an update, so 
well done I guess.

(Also: sorry for the duplicated effort, and thanks for keeping an 
eye on the securities. :-)

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]