Hi Simon,

On Thu, May 14, 2015 at 09:57:24PM +0100, Simon Kelley wrote:
> Hi Raphael.
>
> I'm over-committed trying to get the long-overdue 2.73 release of
> dnsmasq out at the moment, so if the LTS team could handle the Debian
> mechanics of this, that would really help me.
>

In that case, I can take care of it.

> I can confirm that the patch which fixes the issue is here
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blobdiff;f=src/rfc1035.c;h=a995ab50d74adde068c8839684f9b3a44f4976d0;hp=7a07b0cee90655e296f57fa79f4d4a3a409b7b89;hb=ad4a8ff7d9097008d7623df8543df435bfddeac8;hpb=04b0ac05377936d121a36873bb63d492cde292c9
>
>
> There are three hunks in that patch, and hunks 1 and 3 apply to 2.55. (the
> version in squeeze) Hunk 2 is rejected by patch: this can be ignored, it
> simply removes a check which is now done more completely at the start of
> the function.
>

I'm attaching the clean patch to fix CVE-2015-3294.

Regards,

Santiago

diff --git a/src/rfc1035.c b/src/rfc1035.c
index 3289bf3..2a376f3 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -939,7 +939,10 @@ unsigned short extract_request(HEADER *header, size_t qlen, char *name, unsigned
size_t setup_reply(HEADER *header, size_t qlen,
struct all_addr *addrp, unsigned short flags, unsigned long ttl)
{
- unsigned char *p = skip_questions(header, qlen);
+ unsigned char *p;
+
+ if (!(p = skip_questions(header, qlen)))
+ return 0;
header->qr = 1; /* response */
header->aa = 0; /* authoritive */
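Review bot: the new `return 0` at the top of setup_reply() carries no comment saying what a zero length means to the caller. Suggest a short comment there stating that the question section could not be parsed and no reply is built, and a check that every caller of setup_reply() in this tree drops the packet on a zero return instead of sending it or falling back to qlen. As a style point, `if (!(p = skip_questions(header, qlen)))` hides the assignment inside the test; assigning p first and then testing `if (!p)` reads more clearly.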
@@ -954,7 +957,7 @@ size_t setup_reply(HEADER *header, size_t qlen,
header->rcode = NOERROR; /* empty domain */
else if (flags == F_NXDOMAIN)
header->rcode = NXDOMAIN;
- else if (p && flags == F_IPV4)
+ else if (flags == F_IPV4)
{ /* we know the address */
header->rcode = NOERROR;
header->ancount = htons(1);
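Review bot: dropping `p &&` from the F_IPV4 test is only safe when the early return from the first hunk is applied with it, because this branch passes `&p` to add_resource_record(). Suggest saying so in the patch description so the hunks are never backported separately, or keeping the `p &&` test as a harmless second check.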
@@ -962,7 +965,7 @@ size_t setup_reply(HEADER *header, size_t qlen,
add_resource_record(header, NULL, NULL, sizeof(HEADER), &p, ttl, NULL, T_A, C_IN, "4", addrp);
}
#ifdef HAVE_IPV6
- else if (p && flags == F_IPV6)
+ else if (flags == F_IPV6)
{
header->rcode = NOERROR;
header->ancount = htons(1);
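Review bot: the F_IPV6 test changed here sits under `#ifdef HAVE_IPV6`, so this line is only compiled in IPv6-enabled builds. Suggest building and exercising the backport both with and without HAVE_IPV6 so that both configurations are covered by the same malformed-question test.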