Bug#690075: unblock: dnsmasq/2.63-4

[Simon Kelley <simon@thekelleys.org.uk>]

On 10/11/12 15:10, intrigeri wrote:
> tags 690075 + moreinfo
> thanks
>
> Hi Moritz,
>
> Moritz Muehlenhoff wrote (09 Oct 2012 17:51:26 GMT) :
> > Please unblock package dnsmasq
> > It fixes CVE-2012-3411
> > unblock dnsmasq/2.63-4
>
> The new upstream version includes quite a few changes that are
> unrelated to the security fix, which probably partly explains why
> nobody reviewed the proposed changes yet.
>
> However, determining which exact set of patches should be backported
> from upstream to fix this issue is not trivial, and I guess that's why
> Moritz asks for the whole think to be unblocked:
>
> 54dd393 (Add --bind-dynamic) is obvious, but a few follow-up commits
> come to fix the problems brought by the initial implementation; at
> least these two ones seem needed:
>
>   * 2b5bae9 -- Fall back from --bind-dynamic to --bind-interfaces in
>     BSD, rather than quitting
>   * 5f11b3e -- Cope with --listen-address for not yet existent addr in
>     bind-dynamic mode
>
> ... and I would not bet that's enough.
>
> Simon, are you interested in listing the commits that are needed,
> on top of 2.62-3, to fix CVE-2012-3411 without breaking anything?


I'd strongly suggest moving to 2.63-4, rather than backporting. The 
changes for the security fix are not trivial, and probablity of 
introducing a bug backporting is much larger that the probablity that 
there's an un-found bug in 2.63 which is not in 2.62. There are no 
intended backwards incompatibilities between 2.63 and 2.62, and no 
un-intended ones have been found in the three months since 2.63 was 
released.


Cheers,

Simon.