Re: squeeze update of dnsmasq?

[Simon Kelley <simon@thekelleys.org.uk>]

Hi Raphael.

I'm over-committed trying to get the long-overdue 2.73 release of
dnsmasq out at the moment, so if the LTS team could handle the Debian
mechanics of this, that would really  help me.

I can confirm that the patch which fixes the issue is here

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blobdiff;f=src/rfc1035.c;h=a995ab50d74adde068c8839684f9b3a44f4976d0;hp=7a07b0cee90655e296f57fa79f4d4a3a409b7b89;hb=ad4a8ff7d9097008d7623df8543df435bfddeac8;hpb=04b0ac05377936d121a36873bb63d492cde292c9


The are three hunks in that patch, and hunks 1 and 3 apply to 2.55. (the
version in squeeze) Hunk 2 is rejected by patch: this can be ignored, it
simply removes a check which is now done more completely at the start of
the function.

I hope that helps.


Cheers,

Simon.




On 13/05/15 14:07, Raphael Hertzog wrote:
> Hello Simon,
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of dnsmasq:
> https://security-tracker.debian.org/tracker/CVE-2015-3294
> (but there are other lower severities issues also open see
> https://security-tracker.debian.org/tracker/source-package/dnsmasq)
> 
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.
> 
> If yes, please follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development
> 
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1198,7 +1198,10 @@ unsigned int extract_request(struct dns_header
*header, size_t qlen, char *name,
 size_t setup_reply(struct dns_header *header, size_t qlen,
                struct all_addr *addrp, unsigned int flags, unsigned
long ttl)
 {
-  unsigned char *p = skip_questions(header, qlen);
+  unsigned char *p;
+
+  if (!(p = skip_questions(header, qlen)))
+    return 0;

   /* clear authoritative and truncated flags, set QR flag */
   header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
@@ -1214,7 +1217,7 @@ size_t setup_reply(struct dns_header *header,
size_t qlen,
     SET_RCODE(header, NOERROR); /* empty domain */
   else if (flags == F_NXDOMAIN)
     SET_RCODE(header, NXDOMAIN);
-  else if (p && flags == F_IPV4)
+  else if (flags == F_IPV4)
     { /* we know the address */
       SET_RCODE(header, NOERROR);
       header->ancount = htons(1);
@@ -1222,7 +1225,7 @@ size_t setup_reply(struct dns_header *header,
size_t qlen,
       add_resource_record(header, NULL, NULL, sizeof(struct
dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
     }
 #ifdef HAVE_IPV6
-  else if (p && flags == F_IPV6)
+  else if (flags == F_IPV6)
     {
       SET_RCODE(header, NOERROR);
       header->ancount = htons(1);
> (via a debdiff, or with an URL pointing to the the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
> 
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
> 
> Thank you very much.
> 
> Raphaël Hertzog,
>   on behalf of the Debian LTS team.
> 
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>